]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blame - html/cgi-bin/ovpnmain.cgi
projects / people / pmueller / ipfire-2.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
installer: Bind-mount /sys/firmware/efi/efivars into chroot
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
CommitLineData
6e13d0a5 1#!/usr/bin/perl
70df8302
MT		 2###############################################################################
3# #
4# IPFire.org - A linux based firewall #
49abe7af 5# Copyright (C) 2007-2014 IPFire Team <info@ipfire.org> #
70df8302
MT		 6# #
7# This program is free software: you can redistribute it and/or modify #
8# it under the terms of the GNU General Public License as published by #
9# the Free Software Foundation, either version 3 of the License, or #
10# (at your option) any later version. #
11# #
12# This program is distributed in the hope that it will be useful, #
13# but WITHOUT ANY WARRANTY; without even the implied warranty of #
14# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15# GNU General Public License for more details. #
16# #
17# You should have received a copy of the GNU General Public License #
18# along with this program. If not, see <http://www.gnu.org/licenses/>. #
19# #
20###############################################################################
54fd0535 21###
f527e53f 22# Based on IPFireCore 77
54fd0535 23###
6e13d0a5
MT		 24use CGI;
25use CGI qw/:standard/;
26use Net::DNS;
ce9abb66 27use Net::Ping;
54fd0535 28use Net::Telnet;
6e13d0a5
MT		 29use File::Copy;
30use File::Temp qw/ tempfile tempdir /;
31use strict;
32use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
eff2dbf8 33use Sort::Naturally;
6e13d0a5 34require '/var/ipfire/general-functions.pl';
6e13d0a5
MT		 35require "${General::swroot}/lang.pl";
36require "${General::swroot}/header.pl";
37require "${General::swroot}/countries.pl";
e2e270e1 38require "${General::swroot}/location-functions.pl";
6e13d0a5
MT		 39
40# enable only the following on debugging purpose
8c877a82
AM		 41#use warnings;
42#use CGI::Carp 'fatalsToBrowser';
6e13d0a5 43#workaround to suppress a warning when a variable is used only once
8c877a82 44my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} );
6e13d0a5
MT		 45undef (@dummy);
46
f2fdd0c1
CS		 47my %color = ();
48my %mainsettings = ();
49&General::readhash("${General::swroot}/main/settings", \%mainsettings);
8186b372 50&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
6e13d0a5
MT		 51
52###
53### Initialize variables
54###
e81be1e1
AM		 55my %ccdconfhash=();
56my %ccdroutehash=();
57my %ccdroute2hash=();
6e13d0a5
MT		 58my %netsettings=();
59my %cgiparams=();
60my %vpnsettings=();
61my %checked=();
62my %confighash=();
63my %cahash=();
64my %selected=();
65my $warnmessage = '';
66my $errormessage = '';
400c8afd
EK		 67my $cryptoerror = '';
68my $cryptowarning = '';
6e13d0a5 69my %settings=();
54fd0535 70my $routes_push_file = '';
df9b48b7
AM		 71my $confighost="${General::swroot}/fwhosts/customhosts";
72my $configgrp="${General::swroot}/fwhosts/customgroups";
73my $customnet="${General::swroot}/fwhosts/customnetworks";
74my $name;
99bfa85c 75my $col="";
ffbe77c8
EK		 76my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
77my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
78
6e13d0a5
MT		 79&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
80$cgiparams{'ENABLED'} = 'off';
81$cgiparams{'ENABLED_BLUE'} = 'off';
82$cgiparams{'ENABLED_ORANGE'} = 'off';
83$cgiparams{'EDIT_ADVANCED'} = 'off';
84$cgiparams{'NAT'} = 'off';
85$cgiparams{'COMPRESSION'} = 'off';
86$cgiparams{'ONLY_PROPOSED'} = 'off';
87$cgiparams{'ACTION'} = '';
88$cgiparams{'CA_NAME'} = '';
4c962356
EK		 89$cgiparams{'DH_NAME'} = 'dh1024.pem';
90$cgiparams{'DHLENGHT'} = '';
6e13d0a5
MT		 91$cgiparams{'DHCP_DOMAIN'} = '';
92$cgiparams{'DHCP_DNS'} = '';
93$cgiparams{'DHCP_WINS'} = '';
54fd0535 94$cgiparams{'ROUTES_PUSH'} = '';
6e13d0a5 95$cgiparams{'DCOMPLZO'} = 'off';
a79fa1d6 96$cgiparams{'MSSFIX'} = '';
8c877a82 97$cgiparams{'number'} = '';
4c962356 98$cgiparams{'DCIPHER'} = '';
49abe7af
EK		 99$cgiparams{'DAUTH'} = '';
100$cgiparams{'TLSAUTH'} = '';
54fd0535 101$routes_push_file = "${General::swroot}/ovpn/routes_push";
400c8afd
EK		 102# Perform crypto and configration test
103&pkiconfigcheck;
ffbe77c8
EK		 104
105# Add CCD files if not already presant
106unless (-e $routes_push_file) {
107 open(RPF, ">$routes_push_file");
108 close(RPF);
109}
110unless (-e "${General::swroot}/ovpn/ccd.conf") {
111 open(CCDC, ">${General::swroot}/ovpn/ccd.conf");
112 close (CCDC);
113}
114unless (-e "${General::swroot}/ovpn/ccdroute") {
115 open(CCDR, ">${General::swroot}/ovpn/ccdroute");
116 close (CCDR);
117}
118unless (-e "${General::swroot}/ovpn/ccdroute2") {
119 open(CCDRT, ">${General::swroot}/ovpn/ccdroute2");
120 close (CCDRT);
121}
122# Add additional configs if not already presant
123unless (-e "$local_serverconf") {
124 open(LSC, ">$local_serverconf");
125 close (LSC);
126}
127unless (-e "$local_clientconf") {
128 open(LCC, ">$local_clientconf");
129 close (LCC);
130}
ce9abb66 131
6e13d0a5
MT		 132&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
133
134# prepare openvpn config file
135###
136### Useful functions
137###
c6c9630e
MT		 138sub haveOrangeNet
139{
13211b21
CS		 140 if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
141 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
c6c9630e
MT		 142 return 0;
143}
144
145sub haveBlueNet
146{
13211b21 147 if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
c6c9630e 148 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
c6c9630e
MT		 149 return 0;
150}
151
152sub sizeformat{
153 my $bytesize = shift;
154 my $i = 0;
155
156 while(abs($bytesize) >= 1024){
157 $bytesize=$bytesize/1024;
158 $i++;
159 last if($i==6);
160 }
161
162 my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
163 my $newsize=(int($bytesize*100 +0.5))/100;
164 return("$newsize $units[$i]");
165}
166
c6c9630e
MT		 167sub cleanssldatabase
168{
169 if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
170 print FILE "01";
171 close FILE;
172 }
173 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
174 print FILE "";
175 close FILE;
176 }
e6f7f8e7
EK		 177 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
178 print FILE "";
179 close FILE;
180 }
c6c9630e 181 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
e6f7f8e7 182 unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
c6c9630e
MT		 183 unlink ("${General::swroot}/ovpn/certs/serial.old");
184 unlink ("${General::swroot}/ovpn/certs/01.pem");
185}
186
187sub newcleanssldatabase
188{
189 if (! -s "${General::swroot}/ovpn/certs/serial" ) {
190 open(FILE, ">${General::swroot}(ovpn/certs/serial");
191 print FILE "01";
192 close FILE;
193 }
194 if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
2feacd98 195 &General::system("touch", "${General::swroot}/ovpn/certs/index.txt");
c6c9630e 196 }
e6f7f8e7 197 if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") {
2feacd98 198 &General::system("touch", "${General::swroot}/ovpn/certs/index.txt.attr");
e6f7f8e7 199 }
c6c9630e 200 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
e6f7f8e7 201 unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
c6c9630e
MT		 202 unlink ("${General::swroot}/ovpn/certs/serial.old");
203}
204
205sub deletebackupcert
206{
207 if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
208 my $hexvalue = <FILE>;
209 chomp $hexvalue;
210 close FILE;
211 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
212 }
213}
4c962356 214
400c8afd
EK		 215###
216### Check for PKI and configure problems
217###
218
219sub pkiconfigcheck
220{
221 # Warning if DH parameter is 1024 bit
222 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
2feacd98 223 my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}");
f5604080 224 my $dhbit;
2feacd98 225
f5604080 226 # Loop through the output and search for the DH bit lenght.
2feacd98 227 foreach my $line (@dhparameter) {
f5604080
SS		 228 if ($line =~ (/(\d+)/)) {
229 # Assign match to dhbit value.
230 $dhbit = $1;
231
232 last;
2feacd98 233 }
400c8afd 234 }
f5604080
SS		 235
236 # Check if the used key lenght is at least 2048 bit.
237 if ($dhbit < 2048) {
238 $cryptoerror = "$Lang::tr{'ovpn error dh'}";
239 goto CRYPTO_ERROR;
240 }
400c8afd
EK		 241 }
242
243 # Warning if md5 is in usage
244 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 245 my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
246 if (grep(/md5WithRSAEncryption/, @signature) ) {
400c8afd
EK		 247 $cryptoerror = "$Lang::tr{'ovpn error md5'}";
248 goto CRYPTO_ERROR;
249 }
250 }
251
252 CRYPTO_ERROR:
253
254 # Warning if certificate is not compliant to RFC3280 TLS rules
255 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 256 my @extendkeyusage = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
257 if ( ! grep(/TLS Web Server Authentication/, @extendkeyusage)) {
400c8afd
EK		 258 $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}";
259 goto CRYPTO_WARNING;
260 }
261 }
262
263 CRYPTO_WARNING:
264}
265
c6c9630e 266sub writeserverconf {
54fd0535
MT		 267 my %sovpnsettings = ();
268 my @temp = ();
c6c9630e 269 &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
54fd0535
MT		 270 &read_routepushfile;
271
c6c9630e
MT		 272 open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
273 flock CONF, 2;
274 print CONF "#OpenVPN Server conf\n";
275 print CONF "\n";
276 print CONF "daemon openvpnserver\n";
277 print CONF "writepid /var/run/openvpn.pid\n";
afabe9f7 278 print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
c6c9630e 279 print CONF ";local $sovpnsettings{'VPN_IP'}\n";
79e7688b 280 print CONF "dev tun\n";
c6c9630e
MT		 281 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
282 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
a4fd2325 283 print CONF "script-security 3\n";
07675dc3 284 print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
6140e7e0 285 print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
c6c9630e 286 print CONF "tls-server\n";
4c962356
EK		 287 print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
288 print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
289 print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
49abe7af 290 print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
c6c9630e
MT		 291 my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
292 print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
8c877a82 293 #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
4c962356 294
d6989b4b 295 print CONF "tun-mtu $sovpnsettings{'DMTU'}\n";
2ee746be 296
54fd0535 297 if ($vpnsettings{'ROUTES_PUSH'} ne '') {
8c877a82
AM		 298 @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'});
299 foreach (@temp)
300 {
301 @tempovpnsubnet = split("\/",&General::ipcidr2msk($_));
302 print CONF "push \"route " . $tempovpnsubnet[0]. " " . $tempovpnsubnet[1] . "\"\n";
303 }
54fd0535 304 }
8c877a82
AM		 305# a.marx ccd
306 my %ccdconfhash=();
307 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
308 foreach my $key (keys %ccdconfhash) {
309 my $a=$ccdconfhash{$key}[1];
310 my ($b,$c) = split (/\//, $a);
311 print CONF "route $b ".&General::cidrtosub($c)."\n";
312 }
313 my %ccdroutehash=();
314 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
315 foreach my $key (keys %ccdroutehash) {
316 foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
317 my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]);
318 print CONF "route $a $b\n";
319 }
320 }
321# ccd end
54fd0535 322
8c877a82 323 if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
c6c9630e
MT		 324 print CONF "client-to-client\n";
325 }
1de5c945 326 if ($sovpnsettings{MSSFIX} eq 'on') {
4c962356 327 print CONF "mssfix\n";
d6989b4b
MT		 328 } else {
329 print CONF "mssfix 0\n";
1de5c945
EK		 330 }
331 if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') {
4c962356 332 print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
a79fa1d6 333 }
2ee746be 334
c6c9630e
MT		 335 if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
336 print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
337 }
338 print CONF "status-version 1\n";
87fe47e9 339 print CONF "status /var/run/ovpnserver.log 30\n";
a4fd2325 340 print CONF "ncp-disable\n";
c6c9630e 341 print CONF "cipher $sovpnsettings{DCIPHER}\n";
49abe7af 342 print CONF "auth $sovpnsettings{'DAUTH'}\n";
942446b5
EK		 343 # Set TLSv2 as minimum
344 print CONF "tls-version-min 1.2\n";
86308adb 345
49abe7af 346 if ($sovpnsettings{'TLSAUTH'} eq 'on') {
4be45949 347 print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
49abe7af 348 }
c6c9630e
MT		 349 if ($sovpnsettings{DCOMPLZO} eq 'on') {
350 print CONF "comp-lzo\n";
351 }
352 if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
353 print CONF "push \"redirect-gateway def1\"\n";
354 }
355 if ($sovpnsettings{DHCP_DOMAIN} ne '') {
356 print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
357 }
358
359 if ($sovpnsettings{DHCP_DNS} ne '') {
360 print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
361 }
362
363 if ($sovpnsettings{DHCP_WINS} ne '') {
364 print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
365 }
366
fa527476 367 if ($sovpnsettings{MAX_CLIENTS} eq '') {
c6c9630e 368 print CONF "max-clients 100\n";
a79fa1d6 369 }
fa527476 370 if ($sovpnsettings{MAX_CLIENTS} ne '') {
c6c9630e
MT		 371 print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
372 }
1d0a260a 373 print CONF "tls-verify /usr/lib/openvpn/verify\n";
c6c9630e
MT		 374 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
375 print CONF "user nobody\n";
376 print CONF "group nobody\n";
377 print CONF "persist-key\n";
378 print CONF "persist-tun\n";
379 if ($sovpnsettings{LOG_VERB} ne '') {
380 print CONF "verb $sovpnsettings{LOG_VERB}\n";
381 } else {
382 print CONF "verb 3\n";
ffbe77c8 383 }
708f2b73
MT		 384
385 print CONF "# Log clients connecting/disconnecting\n";
386 print CONF "client-connect \"/usr/sbin/openvpn-metrics client-connect\"\n";
387 print CONF "client-disconnect \"/usr/sbin/openvpn-metrics client-disconnect\"\n";
388
ffbe77c8
EK		 389 # Print server.conf.local if entries exist to server.conf
390 if ( !-z $local_serverconf && $sovpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
391 open (LSC, "$local_serverconf");
392 print CONF "\n#---------------------------\n";
393 print CONF "# Start of custom directives\n";
394 print CONF "# from server.conf.local\n";
395 print CONF "#---------------------------\n\n";
396 while (<LSC>) {
397 print CONF $_;
398 }
399 print CONF "\n#-----------------------------\n";
400 print CONF "# End of custom directives\n";
401 print CONF "#-----------------------------\n";
402 close (LSC);
403 }
c6c9630e
MT		 404 print CONF "\n";
405
406 close(CONF);
407}
8c877a82 408
c6c9630e 409sub emptyserverlog{
87fe47e9 410 if (open(FILE, ">/var/run/ovpnserver.log")) {
c6c9630e
MT		 411 flock FILE, 2;
412 print FILE "";
413 close FILE;
414 }
415
416}
417
8c877a82
AM		 418sub delccdnet
419{
420 my %ccdconfhash = ();
421 my %ccdhash = ();
422 my $ccdnetname=$_[0];
423 if (-f "${General::swroot}/ovpn/ovpnconfig"){
424 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
425 foreach my $key (keys %ccdhash) {
426 if ($ccdhash{$key}[32] eq $ccdnetname) {
427 $errormessage=$Lang::tr{'ccd err hostinnet'};
428 return;
429 }
430 }
431 }
432 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
433 foreach my $key (keys %ccdconfhash) {
434 if ($ccdconfhash{$key}[0] eq $ccdnetname){
435 delete $ccdconfhash{$key};
436 }
437 }
438 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
439
440 &writeserverconf;
441 return 0;
442}
443
444sub addccdnet
445{
446 my %ccdconfhash=();
447 my @ccdconf=();
448 my $ccdname=$_[0];
449 my $ccdnet=$_[1];
8c877a82
AM		 450 my $subcidr;
451 my @ip2=();
452 my $checkup;
453 my $ccdip;
454 my $baseaddress;
290007b3
AM		 455
456
457 #check name
458 if ($ccdname eq '')
459 {
460 $errormessage=$errormessage.$Lang::tr{'ccd err name'}."<br>";
461 return
462 }
463
464 if(!&General::validhostname($ccdname))
465 {
8c877a82
AM		 466 $errormessage=$Lang::tr{'ccd err invalidname'};
467 return;
468 }
290007b3
AM		 469
470 ($ccdip,$subcidr) = split (/\//,$ccdnet);
471 $subcidr=&General::iporsubtocidr($subcidr);
472 #check subnet
473 if ($subcidr > 30)
474 {
8c877a82
AM		 475 $errormessage=$Lang::tr{'ccd err invalidnet'};
476 return;
477 }
290007b3
AM		 478 #check ip
479 if (!&General::validipandmask($ccdnet)){
480 $errormessage=$Lang::tr{'ccd err invalidnet'};
481 return;
8c877a82 482 }
b6c60092 483
8c877a82
AM		 484 if (!$errormessage) {
485 my %ccdconfhash=();
486 $baseaddress=&General::getnetworkip($ccdip,$subcidr);
487 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
488 my $key = &General::findhasharraykey (\%ccdconfhash);
489 foreach my $i (0 .. 1) { $ccdconfhash{$key}[$i] = "";}
490 $ccdconfhash{$key}[0] = $ccdname;
491 $ccdconfhash{$key}[1] = $baseaddress."/".$subcidr;
492 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
493 &writeserverconf;
494 $cgiparams{'ccdname'}='';
495 $cgiparams{'ccdsubnet'}='';
496 return 1;
497 }
498}
499
500sub modccdnet
501{
502
503 my $newname=$_[0];
504 my $oldname=$_[1];
505 my %ccdconfhash=();
506 my %ccdhash=();
7ad653cc
SS		 507
508 # Check if the new name is valid.
509 if(!&General::validhostname($newname)) {
510 $errormessage=$Lang::tr{'ccd err invalidname'};
511 return;
512 }
513
8c877a82
AM		 514 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
515 foreach my $key (keys %ccdconfhash) {
516 if ($ccdconfhash{$key}[0] eq $oldname) {
517 foreach my $key1 (keys %ccdconfhash) {
518 if ($ccdconfhash{$key1}[0] eq $newname){
519 $errormessage=$errormessage.$Lang::tr{'ccd err netadrexist'};
520 return;
521 }else{
522 $ccdconfhash{$key}[0]= $newname;
523 &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
524 last;
525 }
526 }
527 }
528 }
529
530 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
531 foreach my $key (keys %ccdhash) {
532 if ($ccdhash{$key}[32] eq $oldname) {
533 $ccdhash{$key}[32]=$newname;
534 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
535 last;
536 }
537 }
538
539 return 0;
540}
541sub ccdmaxclients
542{
543 my $ccdnetwork=$_[0];
544 my @octets=();
545 my @subnet=();
546 @octets=split("\/",$ccdnetwork);
547 @subnet= split /\./, &General::cidrtosub($octets[1]);
548 my ($a,$b,$c,$d,$e);
549 $a=256-$subnet[0];
550 $b=256-$subnet[1];
551 $c=256-$subnet[2];
552 $d=256-$subnet[3];
553 $e=($a*$b*$c*$d)/4;
554 return $e-1;
555}
556
557sub getccdadresses
558{
559 my $ipin=$_[0];
560 my ($ip1,$ip2,$ip3,$ip4)=split /\./, $ipin;
561 my $cidr=$_[1];
562 chomp($cidr);
563 my $count=$_[2];
564 my $hasip=$_[3];
565 chomp($hasip);
566 my @iprange=();
567 my %ccdhash=();
568 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
d9fe5693 569 $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2);
ac87f371 570 for (my $i=1;$i<=$count;$i++) {
8c877a82
AM		 571 my $tmpip=$iprange[$i-1];
572 my $stepper=$i*4;
573 $iprange[$i]= &General::getnextip($tmpip,4);
574 }
575 my $r=0;
576 foreach my $key (keys %ccdhash) {
577 $r=0;
578 foreach my $tmp (@iprange){
579 my ($net,$sub) = split (/\//,$ccdhash{$key}[33]);
580 if ($net eq $tmp) {
581 if ( $hasip ne $ccdhash{$key}[33] ){
582 splice (@iprange,$r,1);
583 }
584 }
585 $r++;
586 }
587 }
588 return @iprange;
589}
590
591sub fillselectbox
592{
593 my $boxname=$_[1];
594 my ($ccdip,$subcidr) = split("/",$_[0]);
595 my $tz=$_[2];
596 my @allccdips=&getccdadresses($ccdip,$subcidr,&ccdmaxclients($ccdip."/".$subcidr),$tz);
597 print"<select name='$boxname' STYLE='font-family : arial; font-size : 9pt; width:130px;' >";
598 foreach (@allccdips) {
599 my $ip=$_."/30";
600 chomp($ip);
601 print "<option value='$ip' ";
602 if ( $ip eq $cgiparams{$boxname} ){
603 print"selected";
604 }
605 print ">$ip</option>";
606 }
607 print "</select>";
608}
609
610sub hostsinnet
611{
612 my $name=$_[0];
613 my %ccdhash=();
614 my $i=0;
615 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
616 foreach my $key (keys %ccdhash) {
617 if ($ccdhash{$key}[32] eq $name){ $i++;}
618 }
619 return $i;
620}
621
622sub check_routes_push
623{
624 my $val=$_[0];
625 my ($ip,$cidr) = split (/\//, $val);
626 ##check for existing routes in routes_push
627 if (-e "${General::swroot}/ovpn/routes_push") {
628 open(FILE,"${General::swroot}/ovpn/routes_push");
629 while (<FILE>) {
630 $_=~s/\s*$//g;
631
632 my ($ip2,$cidr2) = split (/\//,"$_");
633 my $val2=$ip2."/".&General::iporsubtodec($cidr2);
634
635 if($val eq $val2){
636 return 0;
637 }
638 #subnetcheck
639 if (&General::IpInSubnet ($ip,$ip2,&General::iporsubtodec($cidr2))){
640 return 0;
641 }
642 };
643 close(FILE);
644 }
645 return 1;
646}
647
648sub check_ccdroute
649{
650 my %ccdroutehash=();
651 my $val=$_[0];
652 my ($ip,$cidr) = split (/\//, $val);
653 #check for existing routes in ccdroute
654 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
655 foreach my $key (keys %ccdroutehash) {
656 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
657 if (&General::iporsubtodec($val) eq $ccdroutehash{$key}[$i] && $ccdroutehash{$key}[0] ne $cgiparams{'NAME'}){
658 return 0;
659 }
660 my ($ip2,$cidr2) = split (/\//,$ccdroutehash{$key}[$i]);
661 #subnetcheck
662 if (&General::IpInSubnet ($ip,$ip2,$cidr2)&& $ccdroutehash{$key}[0] ne $cgiparams{'NAME'} ){
663 return 0;
664 }
665 }
666 }
667 return 1;
668}
669sub check_ccdconf
670{
671 my %ccdconfhash=();
672 my $val=$_[0];
673 my ($ip,$cidr) = split (/\//, $val);
674 #check for existing routes in ccdroute
675 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
676 foreach my $key (keys %ccdconfhash) {
677 if (&General::iporsubtocidr($val) eq $ccdconfhash{$key}[1]){
678 return 0;
679 }
680 my ($ip2,$cidr2) = split (/\//,$ccdconfhash{$key}[1]);
681 #subnetcheck
682 if (&General::IpInSubnet ($ip,$ip2,&General::cidrtosub($cidr2))){
683 return 0;
684 }
685
686 }
687 return 1;
688}
689
7c1d9faf
AH		 690###
691# m.a.d net2net
692###
693
694sub validdotmask
695{
696 my $ipdotmask = $_[0];
697 if (&General::validip($ipdotmask)) { return 0; }
698 if (!($ipdotmask =~ /^(.*?)\/(.*?)$/)) { }
699 my $mask = $2;
700 if (($mask =~ /\./ )) { return 0; }
701 return 1;
702}
54fd0535
MT		 703
704# -------------------------------------------------------------------
705
706sub write_routepushfile
707{
708 open(FILE, ">$routes_push_file");
709 flock(FILE, 2);
710 if ($vpnsettings{'ROUTES_PUSH'} ne '') {
711 print FILE $vpnsettings{'ROUTES_PUSH'};
712 }
713 close(FILE);
714}
715
716sub read_routepushfile
717{
718 if (-e "$routes_push_file") {
719 open(FILE,"$routes_push_file");
720 delete $vpnsettings{'ROUTES_PUSH'};
721 while (<FILE>) { $vpnsettings{'ROUTES_PUSH'} .= $_ };
722 close(FILE);
723 $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'};
8c877a82 724
54fd0535
MT		 725 }
726}
7c1d9faf 727
775b4494
AM		 728sub writecollectdconf {
729 my $vpncollectd;
730 my %ccdhash=();
731
732 open(COLLECTDVPN, ">${General::swroot}/ovpn/collectd.vpn") or die "Unable to open collectd.vpn: $!";
733 print COLLECTDVPN "Loadplugin openvpn\n";
734 print COLLECTDVPN "\n";
735 print COLLECTDVPN "<Plugin openvpn>\n";
736 print COLLECTDVPN "Statusfile \"/var/run/ovpnserver.log\"\n";
737
738 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash);
739 foreach my $key (keys %ccdhash) {
740 if ($ccdhash{$key}[0] eq 'on' && $ccdhash{$key}[3] eq 'net') {
741 print COLLECTDVPN "Statusfile \"/var/run/openvpn/$ccdhash{$key}[1]-n2n\"\n";
742 }
743 }
744
745 print COLLECTDVPN "</Plugin>\n";
746 close(COLLECTDVPN);
747
748 # Reload collectd afterwards
2feacd98 749 &General::system("/usr/local/bin/collectdctrl", "restart");
775b4494 750}
7c1d9faf 751
c6c9630e
MT		 752#hier die refresh page
753if ( -e "${General::swroot}/ovpn/gencanow") {
754 my $refresh = '';
755 $refresh = "<meta http-equiv='refresh' content='15;' />";
756 &Header::showhttpheaders();
757 &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
758 &Header::openbigbox('100%', 'center');
759 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
760 print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n";
761 print "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
762 &Header::closebox();
763 &Header::closebigbox();
764 &Header::closepage();
765 exit (0);
766}
767##hier die refresh page
768
6e13d0a5
MT		 769
770###
771### OpenVPN Server Control
772###
773if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
774 $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
775 $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
6e13d0a5
MT		 776 #start openvpn server
777 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
c6c9630e 778 &emptyserverlog();
2feacd98 779 &General::system("/usr/local/bin/openvpnctrl", "-s");
6e13d0a5
MT		 780 }
781 #stop openvpn server
782 if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
2feacd98 783 &General::system("/usr/local/bin/openvpnctrl", "-k");
c6c9630e 784 &emptyserverlog();
6e13d0a5
MT		 785 }
786# #restart openvpn server
8c877a82 787# if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
6e13d0a5 788#workarund, till SIGHUP also works when running as nobody
8c877a82
AM		 789# system('/usr/local/bin/openvpnctrl', '-r');
790# &emptyserverlog();
791# }
6e13d0a5
MT		 792}
793
794###
795### Save Advanced options
796###
797
798if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
799 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
800 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
801 #DAN this value has to leave.
802#new settings for daemon
803 $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
804 $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
805 $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
806 $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
807 $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
808 $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
6a9d9ff4 809 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
ffbe77c8 810 $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
6e13d0a5
MT		 811 $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
812 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
813 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
54fd0535
MT		 814 $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
815 my @temp=();
6e13d0a5 816
a79fa1d6
JPT		 817 if ($cgiparams{'FRAGMENT'} eq '') {
818 delete $vpnsettings{'FRAGMENT'};
819 } else {
820 if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) {
821 $errormessage = "Incorrect value, please insert only numbers.";
822 goto ADV_ERROR;
823 } else {
824 $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
825 }
826 }
49abe7af 827
a79fa1d6 828 if ($cgiparams{'MSSFIX'} ne 'on') {
1de5c945 829 delete $vpnsettings{'MSSFIX'};
a79fa1d6
JPT		 830 } else {
831 $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
832 }
2ee746be 833
6e13d0a5 834 if ($cgiparams{'DHCP_DOMAIN'} ne ''){
81da1b01 835 unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
6e13d0a5
MT		 836 $errormessage = $Lang::tr{'invalid input for dhcp domain'};
837 goto ADV_ERROR;
838 }
839 }
840 if ($cgiparams{'DHCP_DNS'} ne ''){
841 unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
842 $errormessage = $Lang::tr{'invalid input for dhcp dns'};
843 goto ADV_ERROR;
844 }
845 }
846 if ($cgiparams{'DHCP_WINS'} ne ''){
847 unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
848 $errormessage = $Lang::tr{'invalid input for dhcp wins'};
54fd0535
MT		 849 goto ADV_ERROR;
850 }
851 }
852 if ($cgiparams{'ROUTES_PUSH'} ne ''){
853 @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
854 undef $vpnsettings{'ROUTES_PUSH'};
8c877a82
AM		 855
856 foreach my $tmpip (@temp)
54fd0535
MT		 857 {
858 s/^\s+//g; s/\s+$//g;
8c877a82
AM		 859
860 if ($tmpip)
54fd0535 861 {
8c877a82
AM		 862 $tmpip=~s/\s*$//g;
863 unless (&General::validipandmask($tmpip)) {
864 $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
865 goto ADV_ERROR;
54fd0535 866 }
8c877a82
AM		 867 my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));
868
54fd0535
MT		 869 if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) {
870 $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
8c877a82
AM		 871 goto ADV_ERROR;
872 }
873# a.marx ccd
874 my %ccdroutehash=();
875 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
876 foreach my $key (keys %ccdroutehash) {
877 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
878 if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
879 $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
880 goto ADV_ERROR;
881 }
882 my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
883 if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
884 $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
885 goto ADV_ERROR;
886 }
887 }
54fd0535 888 }
8c877a82
AM		 889
890# ccd end
891
892 $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
54fd0535 893 }
8c877a82
AM		 894 }
895 &write_routepushfile;
54fd0535 896 undef $vpnsettings{'ROUTES_PUSH'};
8e148dc3
NP		 897 }
898 else {
899 undef $vpnsettings{'ROUTES_PUSH'};
900 &write_routepushfile;
6e13d0a5 901 }
ba50f66d 902 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
6e13d0a5
MT		 903 $errormessage = $Lang::tr{'invalid input for max clients'};
904 goto ADV_ERROR;
905 }
906 if ($cgiparams{'KEEPALIVE_1'} ne '') {
907 if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
908 $errormessage = $Lang::tr{'invalid input for keepalive 1'};
909 goto ADV_ERROR;
910 }
911 }
912 if ($cgiparams{'KEEPALIVE_2'} ne ''){
913 if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
914 $errormessage = $Lang::tr{'invalid input for keepalive 2'};
915 goto ADV_ERROR;
916 }
917 }
918 if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
919 $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
920 goto ADV_ERROR;
921 }
6e13d0a5 922 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 923 &writeserverconf();#hier ok
6e13d0a5
MT		 924}
925
ce9abb66 926###
7c1d9faf 927# m.a.d net2net
ce9abb66
AH		 928###
929
930if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server')
931{
c6c9630e 932
ce9abb66
AH		 933my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
934my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'});
54fd0535 935my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
d96c89eb 936my $tunmtu = '';
531f0835
AH		 937
938unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
939unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
ce9abb66
AH		 940
941 open(SERVERCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
942
943 flock SERVERCONF, 2;
7c1d9faf 944 print SERVERCONF "# IPFire n2n Open VPN Server Config by ummeegge und m.a.d\n";
ce9abb66 945 print SERVERCONF "\n";
b278daf3 946 print SERVERCONF "# User Security\n";
ce9abb66
AH		 947 print SERVERCONF "user nobody\n";
948 print SERVERCONF "group nobody\n";
949 print SERVERCONF "persist-tun\n";
950 print SERVERCONF "persist-key\n";
7c1d9faf 951 print SERVERCONF "script-security 2\n";
60f396d7 952 print SERVERCONF "# IP/DNS for remote Server Gateway\n";
c125d8a2
SS		 953
954 if ($cgiparams{'REMOTE'} ne '') {
ce9abb66 955 print SERVERCONF "remote $cgiparams{'REMOTE'}\n";
c125d8a2
SS		 956 }
957
b278daf3 958 print SERVERCONF "float\n";
60f396d7 959 print SERVERCONF "# IP adresses of the VPN Subnet\n";
ce9abb66 960 print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n";
60f396d7 961 print SERVERCONF "# Client Gateway Network\n";
54fd0535 962 print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n";
2913185a 963 print SERVERCONF "up \"/etc/init.d/static-routes start\"\n";
60f396d7 964 print SERVERCONF "# tun Device\n";
ce9abb66 965 print SERVERCONF "dev tun\n";
5795fc1b
AM		 966 print SERVERCONF "#Logfile for statistics\n";
967 print SERVERCONF "status-version 1\n";
87fe47e9 968 print SERVERCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
60f396d7 969 print SERVERCONF "# Port and Protokol\n";
ce9abb66 970 print SERVERCONF "port $cgiparams{'DEST_PORT'}\n";
5795fc1b 971
60f396d7
AH		 972 if ($cgiparams{'PROTOCOL'} eq 'tcp') {
973 print SERVERCONF "proto tcp-server\n";
974 print SERVERCONF "# Packet size\n";
d96c89eb 975 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
60f396d7 976 print SERVERCONF "tun-mtu $tunmtu\n";
d96c89eb 977 }
60f396d7
AH		 978
979 if ($cgiparams{'PROTOCOL'} eq 'udp') {
980 print SERVERCONF "proto udp\n";
981 print SERVERCONF "# Paketsize\n";
982 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
983 print SERVERCONF "tun-mtu $tunmtu\n";
54fd0535 984 if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";}
d6989b4b 985 if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; } else { print SERVERCONF "mssfix 0\n" };
d96c89eb 986 }
1647059d 987
60f396d7 988 print SERVERCONF "# Auth. Server\n";
ce9abb66
AH		 989 print SERVERCONF "tls-server\n";
990 print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
991 print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";
992 print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";
49abe7af 993 print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n";
b278daf3 994 print SERVERCONF "# Cipher\n";
4c962356 995 print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
52f61e49
EKD		 996
997 # If GCM cipher is used, do not use --auth
998 if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
999 ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
1000 ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
1001 print SERVERCONF unless "# HMAC algorithm\n";
1002 print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
49abe7af 1003 } else {
52f61e49
EKD		 1004 print SERVERCONF "# HMAC algorithm\n";
1005 print SERVERCONF "auth $cgiparams{'DAUTH'}\n";
49abe7af 1006 }
52f61e49 1007
942446b5
EK		 1008 # Set TLSv1.2 as minimum
1009 print SERVERCONF "tls-version-min 1.2\n";
1010
ce9abb66 1011 if ($cgiparams{'COMPLZO'} eq 'on') {
60f396d7 1012 print SERVERCONF "# Enable Compression\n";
66298ef2 1013 print SERVERCONF "comp-lzo\n";
b278daf3 1014 }
60f396d7 1015 print SERVERCONF "# Debug Level\n";
ce9abb66 1016 print SERVERCONF "verb 3\n";
b278daf3 1017 print SERVERCONF "# Tunnel check\n";
ce9abb66 1018 print SERVERCONF "keepalive 10 60\n";
60f396d7 1019 print SERVERCONF "# Start as daemon\n";
ce9abb66
AH		 1020 print SERVERCONF "daemon $cgiparams{'NAME'}n2n\n";
1021 print SERVERCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
60f396d7 1022 print SERVERCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 1023 if ($cgiparams{'OVPN_MGMT'} eq '') {print SERVERCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
1024 else {print SERVERCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
ce9abb66
AH		 1025 close(SERVERCONF);
1026
1027}
1028
1029###
7c1d9faf 1030# m.a.d net2net
ce9abb66 1031###
7c1d9faf 1032
ce9abb66
AH		 1033if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client')
1034{
4c962356 1035
ce9abb66 1036 my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'});
54fd0535 1037 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
ce9abb66 1038 my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'});
d96c89eb 1039 my $tunmtu = '';
54fd0535 1040
531f0835
AH		 1041unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
1042unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";}
ce9abb66
AH		 1043
1044 open(CLIENTCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!";
1045
1046 flock CLIENTCONF, 2;
7c1d9faf 1047 print CLIENTCONF "# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n";
ce9abb66 1048 print CLIENTCONF "#\n";
b278daf3 1049 print CLIENTCONF "# User Security\n";
ce9abb66
AH		 1050 print CLIENTCONF "user nobody\n";
1051 print CLIENTCONF "group nobody\n";
1052 print CLIENTCONF "persist-tun\n";
1053 print CLIENTCONF "persist-key\n";
7c1d9faf 1054 print CLIENTCONF "script-security 2\n";
60f396d7 1055 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
ce9abb66 1056 print CLIENTCONF "remote $cgiparams{'REMOTE'}\n";
b278daf3 1057 print CLIENTCONF "float\n";
60f396d7 1058 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
ce9abb66 1059 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
60f396d7 1060 print CLIENTCONF "# Server Gateway Network\n";
54fd0535 1061 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
ebcecb4b 1062 print CLIENTCONF "up \"/etc/init.d/static-routes start\"\n";
60f396d7 1063 print CLIENTCONF "# tun Device\n";
ce9abb66 1064 print CLIENTCONF "dev tun\n";
35a21a25
AM		 1065 print CLIENTCONF "#Logfile for statistics\n";
1066 print CLIENTCONF "status-version 1\n";
1067 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
60f396d7 1068 print CLIENTCONF "# Port and Protokol\n";
ce9abb66 1069 print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n";
60f396d7
AH		 1070
1071 if ($cgiparams{'PROTOCOL'} eq 'tcp') {
1072 print CLIENTCONF "proto tcp-client\n";
1073 print CLIENTCONF "# Packet size\n";
d96c89eb 1074 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
60f396d7 1075 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 1076 }
60f396d7
AH		 1077
1078 if ($cgiparams{'PROTOCOL'} eq 'udp') {
1079 print CLIENTCONF "proto udp\n";
1080 print CLIENTCONF "# Paketsize\n";
1081 if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}};
1082 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 1083 if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";}
d6989b4b 1084 if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; } else { print CLIENTCONF "mssfix 0\n" };
d96c89eb 1085 }
1647059d 1086
b66b02ab
EK		 1087 # Check host certificate if X509 is RFC3280 compliant.
1088 # If not, old --ns-cert-type directive will be used.
1089 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 1090 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
1091 if ( ! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 1092 print CLIENTCONF "ns-cert-type server\n";
1093 } else {
1094 print CLIENTCONF "remote-cert-tls server\n";
1095 }
ce9abb66
AH		 1096 print CLIENTCONF "# Auth. Client\n";
1097 print CLIENTCONF "tls-client\n";
b278daf3 1098 print CLIENTCONF "# Cipher\n";
4c962356 1099 print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
ce9abb66 1100 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
52f61e49
EKD		 1101
1102 # If GCM cipher is used, do not use --auth
1103 if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
1104 ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
1105 ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
1106 print CLIENTCONF unless "# HMAC algorithm\n";
1107 print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
49abe7af 1108 } else {
52f61e49
EKD		 1109 print CLIENTCONF "# HMAC algorithm\n";
1110 print CLIENTCONF "auth $cgiparams{'DAUTH'}\n";
49abe7af 1111 }
52f61e49 1112
942446b5
EK		 1113 # Set TLSv1.2 as minimum
1114 print CLIENTCONF "tls-version-min 1.2\n";
1115
ce9abb66 1116 if ($cgiparams{'COMPLZO'} eq 'on') {
60f396d7 1117 print CLIENTCONF "# Enable Compression\n";
66298ef2 1118 print CLIENTCONF "comp-lzo\n";
4c962356 1119 }
ce9abb66
AH		 1120 print CLIENTCONF "# Debug Level\n";
1121 print CLIENTCONF "verb 3\n";
b278daf3 1122 print CLIENTCONF "# Tunnel check\n";
ce9abb66 1123 print CLIENTCONF "keepalive 10 60\n";
60f396d7 1124 print CLIENTCONF "# Start as daemon\n";
ce9abb66
AH		 1125 print CLIENTCONF "daemon $cgiparams{'NAME'}n2n\n";
1126 print CLIENTCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n";
60f396d7 1127 print CLIENTCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 1128 if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
1129 else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
ce9abb66 1130 close(CLIENTCONF);
c6c9630e 1131
ce9abb66 1132}
400c8afd 1133
6e13d0a5
MT		 1134###
1135### Save main settings
1136###
ce9abb66 1137
6e13d0a5
MT		 1138if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
1139 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5
MT		 1140 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
1141 #DAN this value has to leave.
1142 if ($cgiparams{'ENABLED'} eq 'on'){
1143 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
1144 $errormessage = $Lang::tr{'invalid input for hostname'};
c6c9630e 1145 goto SETTINGS_ERROR;
6e13d0a5
MT		 1146 }
1147 }
f7fb5bc5 1148
6e13d0a5 1149 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
c6c9630e 1150 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
4c962356 1151 goto SETTINGS_ERROR;
c6c9630e
MT		 1152 }
1153 my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
1154
1155 if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'},
1156 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1157 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
1158 goto SETTINGS_ERROR;
1159 }
1160
1161 if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
1162 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1163 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
1164 goto SETTINGS_ERROR;
1165 }
1166
1167 if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
1168 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1169 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
1170 goto SETTINGS_ERROR;
1171 }
1172
1173 if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
1174 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1175 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
1176 goto SETTINGS_ERROR;
1177 }
1178 open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
1179 while (<ALIASES>)
1180 {
1181 chomp($_);
1182 my @tempalias = split(/\,/,$_);
1183 if ($tempalias[1] eq 'on') {
1184 if (&General::IpInSubnet ($tempalias[0] ,
1185 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
1186 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
1187 }
1188 }
1189 }
1190 close(ALIASES);
6e13d0a5 1191 if ($errormessage ne ''){
c6c9630e 1192 goto SETTINGS_ERROR;
6e13d0a5
MT		 1193 }
1194 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1195 $errormessage = $Lang::tr{'invalid input'};
1196 goto SETTINGS_ERROR;
1197 }
1198 if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
1199 $errormessage = $Lang::tr{'invalid mtu input'};
1200 goto SETTINGS_ERROR;
1201 }
1202
1203 unless (&General::validport($cgiparams{'DDEST_PORT'})) {
c6c9630e
MT		 1204 $errormessage = $Lang::tr{'invalid port'};
1205 goto SETTINGS_ERROR;
6e13d0a5 1206 }
8c252e6a 1207
b21a6319
EK		 1208 # Create ta.key for tls-auth if not presant
1209 if ($cgiparams{'TLSAUTH'} eq 'on') {
1210 if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
2feacd98
SS		 1211 # This system call is safe, because all arguements are passed as an array.
1212 system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key");
b21a6319
EK		 1213 if ($?) {
1214 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1215 goto SETTINGS_ERROR;
1216 }
1217 }
1218 }
1219
6e13d0a5
MT		 1220 $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
1221 $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
1222 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
1223 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
1224#new settings for daemon
1225 $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
6e13d0a5
MT		 1226 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
1227 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
1228 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
1229 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
1230 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
86308adb 1231 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
0c4ffc69 1232 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
3ffee04b
CS		 1233#wrtie enable
1234
2feacd98
SS		 1235 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
1236 &General::system("touch", "${General::swroot}/ovpn/enable_blue");
1237 } else {
274ca65b 1238 unlink("${General::swroot}/ovpn/enable_blue");
2feacd98
SS		 1239 }
1240
1241 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {
1242 &General::system("touch", "${General::swroot}/ovpn/enable_orange");
1243 } else {
1244 unlink("${General::swroot}/ovpn/enable_orange");
1245 }
1246
1247 if ( $vpnsettings{'ENABLED'} eq 'on' ) {
1248 &General::system("touch", "${General::swroot}/ovpn/enable");
1249 } else {
1250 unlink("${General::swroot}/ovpn/enable");
1251 }
1252
6e13d0a5
MT		 1253#new settings for daemon
1254 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
c6c9630e 1255 &writeserverconf();#hier ok
6e13d0a5
MT		 1256SETTINGS_ERROR:
1257###
1258### Reset all step 2
1259###
4c962356 1260}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') {
6e13d0a5
MT		 1261 my $file = '';
1262 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1263
1e499e90 1264 # Kill all N2N connections
2feacd98 1265 &General::system("/usr/local/bin/openvpnctrl", "-kn2n");
1e499e90 1266
6e13d0a5 1267 foreach my $key (keys %confighash) {
2f36a7b4
MT		 1268 my $name = $confighash{$cgiparams{'$key'}}[1];
1269
c6c9630e
MT		 1270 if ($confighash{$key}[4] eq 'cert') {
1271 delete $confighash{$cgiparams{'$key'}};
1272 }
2f36a7b4 1273
2feacd98 1274 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name");
6e13d0a5
MT		 1275 }
1276 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
49abe7af 1277 unlink $file;
6e13d0a5
MT		 1278 }
1279 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
49abe7af 1280 unlink $file;
6e13d0a5
MT		 1281 }
1282 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
49abe7af 1283 unlink $file;
6e13d0a5 1284 }
4c962356 1285 &cleanssldatabase();
6e13d0a5
MT		 1286 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
1287 print FILE "";
1288 close FILE;
1289 }
49abe7af
EK		 1290 if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) {
1291 print FILE "";
1292 close FILE;
1293 }
1294 if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) {
1295 print FILE "";
1296 close FILE;
1297 }
1298 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1299 unlink $file
1300 }
5795fc1b
AM		 1301 while ($file = glob("${General::swroot}/ovpn/ccd/*")) {
1302 unlink $file
1303 }
49abe7af
EK		 1304 if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) {
1305 print FILE "";
1306 close FILE;
1307 }
1308 if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) {
1309 print FILE "";
1310 close FILE;
1311 }
1312 while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) {
2feacd98 1313 unlink($file);
49abe7af
EK		 1314 }
1315
2f36a7b4
MT		 1316 # Remove everything from the collectd configuration
1317 &writecollectdconf();
1318
c6c9630e 1319 #&writeserverconf();
6e13d0a5
MT		 1320###
1321### Reset all step 1
1322###
4c962356 1323}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) {
6e13d0a5 1324 &Header::showhttpheaders();
4c962356
EK		 1325 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1326 &Header::openbigbox('100%', 'left', '', '');
1327 &Header::openbox('100%', 'left', $Lang::tr{'are you sure'});
1328 print <<END;
1329 <form method='post'>
1330 <table width='100%'>
1331 <tr>
1332 <td align='center'>
1333 <input type='hidden' name='AREUSURE' value='yes' />
49abe7af 1334 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
4c962356
EK		 1335 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}</td>
1336 </tr>
1337 <tr>
1338 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' />
1339 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td>
1340 </tr>
1341 </table>
1342 </form>
6e13d0a5
MT		 1343END
1344 ;
1345 &Header::closebox();
1346 &Header::closebigbox();
1347 &Header::closepage();
1348 exit (0);
1349
4c962356
EK		 1350###
1351### Generate DH key step 2
1352###
1353} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') {
49abe7af 1354 # Delete if old key exists
4c962356
EK		 1355 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1356 unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
1357 }
1358 # Create Diffie Hellmann Parameter
2feacd98
SS		 1359 # The system call is safe, because all arguments are passed as an array.
1360 system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
4c962356
EK		 1361 if ($?) {
1362 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1363 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1364 }
1365
1366###
1367### Generate DH key step 1
1368###
1369} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) {
1370 &Header::showhttpheaders();
1371 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
1372 &Header::openbigbox('100%', 'LEFT', '', '');
1373 &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:");
1374 print <<END;
1375 <table width='100%'>
1376 <tr>
f527e53f 1377 <td width='20%'> </td> <td width='15%'></td> <td width='65%'></td>
49abe7af 1378 </tr>
4c962356
EK		 1379 <tr>
1380 <td class='base'>$Lang::tr{'ovpn dh'}:</td>
1381 <td align='center'>
1382 <form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1383 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1384 <select name='DHLENGHT'>
4c962356
EK		 1385 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
1386 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
1387 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
1388 </select>
1389 </td>
1390 </tr>
1391 <tr><td colspan='4'><br></td></tr>
1392 </table>
1393 <table width='100%'>
1394 <tr>
49abe7af 1395 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'dh key warn'}
4c962356 1396 </tr>
49abe7af
EK		 1397 <tr>
1398 <td class='base'>$Lang::tr{'dh key warn1'}</td>
1399 </tr>
1400 <tr><td colspan='2'><br></td></tr>
4c962356
EK		 1401 <tr>
1402 <td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
1403 </form>
1404 </tr>
1405 </table>
1406
1407END
1408 ;
1409 &Header::closebox();
1410 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1411 &Header::closebigbox();
1412 &Header::closepage();
1413 exit (0);
1414
1415###
1416### Upload DH key
1417###
1418} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) {
2ad1b18b 1419 unless (ref ($cgiparams{'FH'})) {
4c962356
EK		 1420 $errormessage = $Lang::tr{'there was no file upload'};
1421 goto UPLOADCA_ERROR;
1422 }
49abe7af 1423 # Move uploaded dh key to a temporary file
4c962356
EK		 1424 (my $fh, my $filename) = tempfile( );
1425 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1426 $errormessage = $!;
49abe7af 1427 goto UPLOADCA_ERROR;
4c962356 1428 }
2feacd98
SS		 1429 my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename");
1430 if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) {
4c962356
EK		 1431 $errormessage = $Lang::tr{'not a valid dh key'};
1432 unlink ($filename);
1433 goto UPLOADCA_ERROR;
1434 } else {
cc79d281
SS		 1435 # Delete if old key exists
1436 if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") {
1437 unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}";
4c962356 1438 }
cc79d281
SS		 1439
1440 unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) {
49abe7af
EK		 1441 $errormessage = "$Lang::tr{'dh key move failed'}: $!";
1442 unlink ($filename);
1443 goto UPLOADCA_ERROR;
cc79d281 1444 }
4c962356 1445 }
6e13d0a5
MT		 1446###
1447### Upload CA Certificate
1448###
1449} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
1450 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1451
1452 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
1453 $errormessage = $Lang::tr{'name must only contain characters'};
1454 goto UPLOADCA_ERROR;
1455 }
1456
1457 if (length($cgiparams{'CA_NAME'}) >60) {
1458 $errormessage = $Lang::tr{'name too long'};
1459 goto VPNCONF_ERROR;
1460 }
1461
1462 if ($cgiparams{'CA_NAME'} eq 'ca') {
1463 $errormessage = $Lang::tr{'name is invalid'};
4c962356 1464 goto UPLOADCA_ERROR;
6e13d0a5
MT		 1465 }
1466
1467 # Check if there is no other entry with this name
1468 foreach my $key (keys %cahash) {
c6c9630e
MT		 1469 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
1470 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
1471 goto UPLOADCA_ERROR;
1472 }
6e13d0a5
MT		 1473 }
1474
2ad1b18b 1475 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 1476 $errormessage = $Lang::tr{'there was no file upload'};
1477 goto UPLOADCA_ERROR;
6e13d0a5
MT		 1478 }
1479 # Move uploaded ca to a temporary file
1480 (my $fh, my $filename) = tempfile( );
1481 if (copy ($cgiparams{'FH'}, $fh) != 1) {
c6c9630e
MT		 1482 $errormessage = $!;
1483 goto UPLOADCA_ERROR;
6e13d0a5 1484 }
2feacd98
SS		 1485 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename");
1486 if ( ! grep(/CA:TRUE/i, @temp )) {
c6c9630e
MT		 1487 $errormessage = $Lang::tr{'not a valid ca certificate'};
1488 unlink ($filename);
1489 goto UPLOADCA_ERROR;
6e13d0a5 1490 } else {
cc79d281 1491 unless(move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem")) {
c6c9630e
MT		 1492 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1493 unlink ($filename);
1494 goto UPLOADCA_ERROR;
1495 }
6e13d0a5
MT		 1496 }
1497
274ca65b 1498 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
2feacd98
SS		 1499 my $casubject;
1500
1501 foreach my $line (@casubject) {
1502 if ($line =~ /Subject: (.*)[\n]/) {
1503 $casubject = $1;
1504 $casubject =~ s+/Email+, E+;
1505 $casubject =~ s/ ST=/ S=/;
1506
1507 last;
1508 }
1509 }
1510
6e13d0a5
MT		 1511 $casubject = &Header::cleanhtml($casubject);
1512
1513 my $key = &General::findhasharraykey (\%cahash);
1514 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
1515 $cahash{$key}[1] = $casubject;
1516 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e
MT		 1517# system('/usr/local/bin/ipsecctrl', 'R');
1518
6e13d0a5
MT		 1519 UPLOADCA_ERROR:
1520
1521###
1522### Display ca certificate
1523###
1524} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
c6c9630e
MT		 1525 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1526
1527 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
1528 &Header::showhttpheaders();
4c962356 1529 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 1530 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1531 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
2feacd98 1532 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
8c946d1c
MT		 1533 my $output = &Header::cleanhtml(join("", @output),"y");
1534 print "<pre>$output</pre>\n";
c6c9630e
MT		 1535 &Header::closebox();
1536 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1537 &Header::closebigbox();
1538 &Header::closepage();
1539 exit(0);
1540 } else {
1541 $errormessage = $Lang::tr{'invalid key'};
1542 }
1543
6e13d0a5
MT		 1544###
1545### Download ca certificate
1546###
1547} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
1548 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1549
1550 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1551 print "Content-Type: application/octet-stream\r\n";
1552 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
2feacd98
SS		 1553
1554 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1555 print "@tmp";
1556
6e13d0a5
MT		 1557 exit(0);
1558 } else {
1559 $errormessage = $Lang::tr{'invalid key'};
1560 }
1561
1562###
1563### Remove ca certificate (step 2)
1564###
1565} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
1566 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1567 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1568
1569 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1570 foreach my $key (keys %confighash) {
2feacd98
SS		 1571 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1572 if (grep(/: OK/, @test)) {
c6c9630e
MT		 1573 # Delete connection
1574# if ($vpnsettings{'ENABLED'} eq 'on' ||
1575# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1576# system('/usr/local/bin/ipsecctrl', 'D', $key);
1577# }
6e13d0a5
MT		 1578 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
1579 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
1580 delete $confighash{$key};
1581 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 1582# &writeipsecfiles();
6e13d0a5
MT		 1583 }
1584 }
1585 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1586 delete $cahash{$cgiparams{'KEY'}};
1587 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
c6c9630e 1588# system('/usr/local/bin/ipsecctrl', 'R');
6e13d0a5
MT		 1589 } else {
1590 $errormessage = $Lang::tr{'invalid key'};
1591 }
1592###
1593### Remove ca certificate (step 1)
1594###
1595} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
1596 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1597 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1598
1599 my $assignedcerts = 0;
1600 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
1601 foreach my $key (keys %confighash) {
2feacd98
SS		 1602 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
1603 if (grep(/: OK/, @test)) {
6e13d0a5
MT		 1604 $assignedcerts++;
1605 }
1606 }
1607 if ($assignedcerts) {
1608 &Header::showhttpheaders();
4c962356 1609 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 1610 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1611 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
4c962356 1612 print <<END;
6e13d0a5
MT		 1613 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
1614 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
1615 <tr><td align='center'>
1616 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
1617 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
1618 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
1619 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
1620 </form></table>
1621END
1622 ;
1623 &Header::closebox();
1624 &Header::closebigbox();
1625 &Header::closepage();
1626 exit (0);
1627 } else {
1628 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
1629 delete $cahash{$cgiparams{'KEY'}};
1630 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1631# system('/usr/local/bin/ipsecctrl', 'R');
1632 }
1633 } else {
1634 $errormessage = $Lang::tr{'invalid key'};
1635 }
1636
1637###
1638### Display root certificate
1639###
c6c9630e
MT		 1640}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
1641 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
2feacd98 1642 my @output;
c6c9630e 1643 &Header::showhttpheaders();
4c962356 1644 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 1645 &Header::openbigbox('100%', 'LEFT', '', '');
1646 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
1647 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
2feacd98 1648 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
c6c9630e
MT		 1649 } else {
1650 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
2feacd98 1651 @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 1652 }
8c946d1c
MT		 1653 my $output = &Header::cleanhtml(join("", @output), "y");
1654 print "<pre>$output</pre>\n";
c6c9630e
MT		 1655 &Header::closebox();
1656 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1657 &Header::closebigbox();
1658 &Header::closepage();
1659 exit(0);
1660
6e13d0a5
MT		 1661###
1662### Download root certificate
1663###
1664}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
1665 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
1666 print "Content-Type: application/octet-stream\r\n";
1667 print "Content-Disposition: filename=cacert.pem\r\n\r\n";
2feacd98
SS		 1668
1669 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
1670 print "@tmp";
1671
6e13d0a5
MT		 1672 exit(0);
1673 }
1674
1675###
1676### Download host certificate
1677###
1678}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
1679 if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
1680 print "Content-Type: application/octet-stream\r\n";
1681 print "Content-Disposition: filename=servercert.pem\r\n\r\n";
2feacd98
SS		 1682
1683 my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
1684 print "@tmp";
1685
6e13d0a5
MT		 1686 exit(0);
1687 }
f7fb5bc5 1688
fd5ccb2d
EK		 1689###
1690### Download tls-auth key
1691###
1692}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
1693 if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
1694 print "Content-Type: application/octet-stream\r\n";
1695 print "Content-Disposition: filename=ta.key\r\n\r\n";
2feacd98
SS		 1696
1697 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
1698 my @tmp = <FILE>;
1699 close(FILE);
1700
1701 print "@tmp";
1702
fd5ccb2d
EK		 1703 exit(0);
1704 }
1705
6e13d0a5
MT		 1706###
1707### Form for generating a root certificate
1708###
1709}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
1710 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
1711
1712 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1713 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
1714 $errormessage = $Lang::tr{'valid root certificate already exists'};
1715 $cgiparams{'ACTION'} = '';
1716 goto ROOTCERT_ERROR;
1717 }
1718
1719 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
1720 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
1721 my $ipaddr = <IPADDR>;
1722 close IPADDR;
1723 chomp ($ipaddr);
1724 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
1725 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
1726 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
1727 }
1728 }
1729 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
2ad1b18b 1730 unless (ref ($cgiparams{'FH'})) {
6e13d0a5
MT		 1731 $errormessage = $Lang::tr{'there was no file upload'};
1732 goto ROOTCERT_ERROR;
1733 }
1734
1735 # Move uploaded certificate request to a temporary file
1736 (my $fh, my $filename) = tempfile( );
1737 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1738 $errormessage = $!;
1739 goto ROOTCERT_ERROR;
1740 }
1741
1742 # Create a temporary dirctory
1743 my $tempdir = tempdir( CLEANUP => 1 );
1744
1745 # Extract the CA certificate from the file
1746 my $pid = open(OPENSSL, "|-");
1747 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1748 if ($pid) { # parent
1749 if ($cgiparams{'P12_PASS'} ne '') {
1750 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1751 }
1752 close (OPENSSL);
1753 if ($?) {
1754 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1755 unlink ($filename);
1756 goto ROOTCERT_ERROR;
1757 }
1758 } else { # child
1759 unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
1760 '-in', $filename,
1761 '-out', "$tempdir/cacert.pem")) {
1762 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1763 unlink ($filename);
1764 goto ROOTCERT_ERROR;
1765 }
1766 }
1767
1768 # Extract the Host certificate from the file
1769 $pid = open(OPENSSL, "|-");
1770 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1771 if ($pid) { # parent
1772 if ($cgiparams{'P12_PASS'} ne '') {
1773 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1774 }
1775 close (OPENSSL);
1776 if ($?) {
1777 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1778 unlink ($filename);
1779 goto ROOTCERT_ERROR;
1780 }
1781 } else { # child
1782 unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
1783 '-in', $filename,
1784 '-out', "$tempdir/hostcert.pem")) {
1785 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1786 unlink ($filename);
1787 goto ROOTCERT_ERROR;
1788 }
1789 }
1790
1791 # Extract the Host key from the file
1792 $pid = open(OPENSSL, "|-");
1793 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1794 if ($pid) { # parent
1795 if ($cgiparams{'P12_PASS'} ne '') {
1796 print OPENSSL "$cgiparams{'P12_PASS'}\n";
1797 }
1798 close (OPENSSL);
1799 if ($?) {
1800 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1801 unlink ($filename);
1802 goto ROOTCERT_ERROR;
1803 }
1804 } else { # child
1805 unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
1806 '-nodes',
1807 '-in', $filename,
1808 '-out', "$tempdir/serverkey.pem")) {
1809 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1810 unlink ($filename);
1811 goto ROOTCERT_ERROR;
1812 }
1813 }
1814
cc79d281 1815 unless(move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem")) {
6e13d0a5
MT		 1816 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1817 unlink ($filename);
1818 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1819 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1820 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1821 goto ROOTCERT_ERROR;
1822 }
1823
cc79d281 1824 unless(move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem")) {
6e13d0a5
MT		 1825 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1826 unlink ($filename);
1827 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1828 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1829 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1830 goto ROOTCERT_ERROR;
1831 }
1832
cc79d281 1833 unless(move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem")) {
6e13d0a5
MT		 1834 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1835 unlink ($filename);
1836 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1837 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1838 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1839 goto ROOTCERT_ERROR;
1840 }
1841
1842 goto ROOTCERT_SUCCESS;
1843
1844 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1845
1846 # Validate input since the form was submitted
1847 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1848 $errormessage = $Lang::tr{'organization cant be empty'};
1849 goto ROOTCERT_ERROR;
1850 }
1851 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1852 $errormessage = $Lang::tr{'organization too long'};
1853 goto ROOTCERT_ERROR;
1854 }
1855 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1856 $errormessage = $Lang::tr{'invalid input for organization'};
1857 goto ROOTCERT_ERROR;
1858 }
1859 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1860 $errormessage = $Lang::tr{'hostname cant be empty'};
1861 goto ROOTCERT_ERROR;
1862 }
1863 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1864 $errormessage = $Lang::tr{'invalid input for hostname'};
1865 goto ROOTCERT_ERROR;
1866 }
1867 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1868 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1869 goto ROOTCERT_ERROR;
1870 }
1871 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1872 $errormessage = $Lang::tr{'e-mail address too long'};
1873 goto ROOTCERT_ERROR;
1874 }
1875 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1876 $errormessage = $Lang::tr{'invalid input for department'};
1877 goto ROOTCERT_ERROR;
1878 }
1879 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1880 $errormessage = $Lang::tr{'invalid input for city'};
1881 goto ROOTCERT_ERROR;
1882 }
1883 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1884 $errormessage = $Lang::tr{'invalid input for state or province'};
1885 goto ROOTCERT_ERROR;
1886 }
1887 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1888 $errormessage = $Lang::tr{'invalid input for country'};
1889 goto ROOTCERT_ERROR;
1890 }
1891
1892 # Copy the cgisettings to vpnsettings and save the configfile
1893 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
1894 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
1895 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
1896 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
1897 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
1898 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
1899 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
1900 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1901
1902 # Replace empty strings with a .
1903 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1904 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1905 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1906
1907 # refresh
c6c9630e 1908 #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
6e13d0a5
MT		 1909
1910 # Create the CA certificate
1911 my $pid = open(OPENSSL, "|-");
1912 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1913 if ($pid) { # parent
1914 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1915 print OPENSSL "$state\n";
1916 print OPENSSL "$city\n";
1917 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1918 print OPENSSL "$ou\n";
1919 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1920 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1921 close (OPENSSL);
1922 if ($?) {
1923 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1924 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1925 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1926 goto ROOTCERT_ERROR;
1927 }
1928 } else { # child
badd8c1c 1929 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes',
49abe7af 1930 '-days', '999999', '-newkey', 'rsa:4096', '-sha512',
6e13d0a5
MT		 1931 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1932 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1933 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1934 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1935 goto ROOTCERT_ERROR;
1936 }
1937 }
1938
1939 # Create the Host certificate request
1940 $pid = open(OPENSSL, "|-");
1941 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1942 if ($pid) { # parent
1943 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1944 print OPENSSL "$state\n";
1945 print OPENSSL "$city\n";
1946 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1947 print OPENSSL "$ou\n";
1948 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1949 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1950 print OPENSSL ".\n";
1951 print OPENSSL ".\n";
1952 close (OPENSSL);
1953 if ($?) {
1954 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1955 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1956 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1957 goto ROOTCERT_ERROR;
1958 }
1959 } else { # child
badd8c1c 1960 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
4c962356 1961 '-newkey', 'rsa:2048',
6e13d0a5
MT		 1962 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1963 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1964 '-extensions', 'server',
1965 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1966 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1967 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1968 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1969 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1970 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1971 goto ROOTCERT_ERROR;
1972 }
1973 }
1974
1975 # Sign the host certificate request
2feacd98 1976 # This system call is safe, because all argeuments are passed as an array.
6e13d0a5
MT		 1977 system('/usr/bin/openssl', 'ca', '-days', '999999',
1978 '-batch', '-notext',
1979 '-in', "${General::swroot}/ovpn/certs/serverreq.pem",
1980 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1981 '-extensions', 'server',
1982 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1983 if ($?) {
1984 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1985 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1986 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1987 unlink ("${General::swroot}/ovpn/serverkey.pem");
1988 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1989 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
c6c9630e 1990 &newcleanssldatabase();
6e13d0a5
MT		 1991 goto ROOTCERT_ERROR;
1992 } else {
1993 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
c6c9630e 1994 &deletebackupcert();
6e13d0a5
MT		 1995 }
1996
1997 # Create an empty CRL
2feacd98 1998 # System call is safe, because all arguments are passed as array.
6e13d0a5
MT		 1999 system('/usr/bin/openssl', 'ca', '-gencrl',
2000 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
2001 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
2002 if ($?) {
2003 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2004 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
2005 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
2006 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
2007 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
c6c9630e 2008 &cleanssldatabase();
6e13d0a5 2009 goto ROOTCERT_ERROR;
c6c9630e
MT		 2010# } else {
2011# &cleanssldatabase();
6e13d0a5 2012 }
ae04d0a3 2013 # Create ta.key for tls-auth
2feacd98 2014 # This system call is safe, because all arguments are passed as an array.
ae04d0a3
EK		 2015 system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
2016 if ($?) {
2017 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2018 &cleanssldatabase();
2019 goto ROOTCERT_ERROR;
2020 }
6e13d0a5 2021 # Create Diffie Hellmann Parameter
2feacd98 2022 # The system call is safe, because all arguments are passed as an array.
badd8c1c 2023 system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}");
6e13d0a5
MT		 2024 if ($?) {
2025 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2026 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
2027 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
2028 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
2029 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
2030 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
c6c9630e 2031 &cleanssldatabase();
6e13d0a5 2032 goto ROOTCERT_ERROR;
c6c9630e
MT		 2033# } else {
2034# &cleanssldatabase();
4be45949 2035 }
6e13d0a5
MT		 2036 goto ROOTCERT_SUCCESS;
2037 }
2038 ROOTCERT_ERROR:
2039 if ($cgiparams{'ACTION'} ne '') {
2040 &Header::showhttpheaders();
4c962356 2041 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 2042 &Header::openbigbox('100%', 'LEFT', '', '');
2043 if ($errormessage) {
2044 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2045 print "<class name='base'>$errormessage";
2046 print "&nbsp;</class>";
2047 &Header::closebox();
2048 }
2049 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
49abe7af 2050 print <<END;
6e13d0a5
MT		 2051 <form method='post' enctype='multipart/form-data'>
2052 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
e3edceeb 2053 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2054 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
2055 <td width='35%' colspan='2'>&nbsp;</td></tr>
e3edceeb 2056 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2057 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
2058 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2059 <tr><td class='base'>$Lang::tr{'your e-mail'}:</td>
6e13d0a5
MT		 2060 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
2061 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2062 <tr><td class='base'>$Lang::tr{'your department'}:</td>
6e13d0a5
MT		 2063 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
2064 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2065 <tr><td class='base'>$Lang::tr{'city'}:</td>
6e13d0a5
MT		 2066 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
2067 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2068 <tr><td class='base'>$Lang::tr{'state or province'}:</td>
6e13d0a5
MT		 2069 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
2070 <td colspan='2'>&nbsp;</td></tr>
2071 <tr><td class='base'>$Lang::tr{'country'}:</td>
2072 <td class='base'><select name='ROOTCERT_COUNTRY'>
2073
2074END
2075 ;
2076 foreach my $country (sort keys %{Countries::countries}) {
2077 print "<option value='$Countries::countries{$country}'";
2078 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
2079 print " selected='selected'";
2080 }
2081 print ">$country</option>";
2082 }
49abe7af 2083 print <<END;
6e13d0a5 2084 </select></td>
4c962356
EK		 2085 <tr><td class='base'>$Lang::tr{'ovpn dh'}:</td>
2086 <td class='base'><select name='DHLENGHT'>
4c962356
EK		 2087 <option value='2048' $selected{'DHLENGHT'}{'2048'}>2048 $Lang::tr{'bit'}</option>
2088 <option value='3072' $selected{'DHLENGHT'}{'3072'}>3072 $Lang::tr{'bit'}</option>
2089 <option value='4096' $selected{'DHLENGHT'}{'4096'}>4096 $Lang::tr{'bit'}</option>
2090 </select>
2091 </td>
2092 </tr>
2093
6e13d0a5
MT		 2094 <tr><td>&nbsp;</td>
2095 <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
2096 <td>&nbsp;</td><td>&nbsp;</td></tr>
2097 <tr><td class='base' colspan='4' align='left'>
e3edceeb 2098 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
49abe7af
EK		 2099 <tr><td colspan='2'><br></td></tr>
2100 <table width='100%'>
2101 <tr>
2102 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}: </font></b>$Lang::tr{'ovpn generating the root and host certificates'}
2103 <td class='base'>$Lang::tr{'dh key warn'}</td>
4c962356 2104 </tr>
49abe7af
EK		 2105 <tr>
2106 <td class='base'>$Lang::tr{'dh key warn1'}</td>
4c962356 2107 </tr>
49abe7af
EK		 2108 <tr><td colspan='2'><br></td></tr>
2109 <tr>
2110 </table>
4c962356 2111
49abe7af 2112 <table width='100%'>
4c962356 2113 <tr><td colspan='4'><hr></td></tr>
e3edceeb 2114 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
6e13d0a5
MT		 2115 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
2116 <td colspan='2'>&nbsp;</td></tr>
e3edceeb 2117 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
6e13d0a5
MT		 2118 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
2119 <td colspan='2'>&nbsp;</td></tr>
2120 <tr><td>&nbsp;</td>
2121 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
2122 <td colspan='2'>&nbsp;</td></tr>
2123 <tr><td class='base' colspan='4' align='left'>
e3edceeb 2124 <img src='/blob.gif' valign='top' alt='*' >&nbsp;$Lang::tr{'required field'}</td>
4c962356 2125 </tr>
6e13d0a5
MT		 2126 </form></table>
2127END
2128 ;
2129 &Header::closebox();
4c962356 2130 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
6e13d0a5
MT		 2131 &Header::closebigbox();
2132 &Header::closepage();
2133 exit(0)
2134 }
2135
2136 ROOTCERT_SUCCESS:
2feacd98 2137 &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem");
c6c9630e
MT		 2138# if ($vpnsettings{'ENABLED'} eq 'on' ||
2139# $vpnsettings{'ENABLE_BLUE'} eq 'on') {
2140# system('/usr/local/bin/ipsecctrl', 'S');
2141# }
6e13d0a5
MT		 2142
2143###
2144### Enable/Disable connection
2145###
ce9abb66
AH		 2146
2147###
7c1d9faf 2148# m.a.d net2net
ce9abb66
AH		 2149###
2150
6e13d0a5 2151}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
c6c9630e
MT		 2152
2153 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
6e13d0a5 2154 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2feacd98
SS		 2155 my $n2nactive = '';
2156 my @ps = &General::system_output("/bin/ps", "ax");
2157
2158 if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) {
2159 $n2nactive = "1";
2160 }
ce9abb66 2161
6e13d0a5 2162 if ($confighash{$cgiparams{'KEY'}}) {
8c877a82
AM		 2163 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
2164 $confighash{$cgiparams{'KEY'}}[0] = 'on';
2165 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2166
8c877a82 2167 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
2feacd98 2168 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494 2169 &writecollectdconf();
8c877a82
AM		 2170 }
2171 } else {
ce9abb66 2172
8c877a82
AM		 2173 $confighash{$cgiparams{'KEY'}}[0] = 'off';
2174 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
ce9abb66 2175
8c877a82 2176 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
775b4494 2177 if ($n2nactive ne '') {
2feacd98 2178 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
775b4494
AM		 2179 &writecollectdconf();
2180 }
8c877a82 2181 }
775b4494 2182 }
ce9abb66 2183 }
6e13d0a5
MT		 2184
2185###
2186### Download OpenVPN client package
2187###
ce9abb66
AH		 2188
2189
6e13d0a5
MT		 2190} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
2191 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2192 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2193 my $file = '';
2194 my $clientovpn = '';
2195 my @fileholder;
2196 my $tempdir = tempdir( CLEANUP => 1 );
2197 my $zippath = "$tempdir/";
ce9abb66
AH		 2198
2199###
7c1d9faf
AH		 2200# m.a.d net2net
2201###
ce9abb66
AH		 2202
2203if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
2204
2205 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip";
2206 my $zippathname = "$zippath$zipname";
2207 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf";
2208 my @ovsubnettemp = split(/\./,$confighash{$cgiparams{'KEY'}}[27]);
54fd0535 2209 my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]";
ce9abb66 2210 my $tunmtu = '';
7c1d9faf 2211 my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]);
54fd0535 2212 my $n2nfragment = '';
ce9abb66
AH		 2213
2214 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
2215 flock CLIENTCONF, 2;
2216
2217 my $zip = Archive::Zip->new();
7c1d9faf 2218 print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n";
ce9abb66 2219 print CLIENTCONF "# \n";
b278daf3 2220 print CLIENTCONF "# User Security\n";
ce9abb66
AH		 2221 print CLIENTCONF "user nobody\n";
2222 print CLIENTCONF "group nobody\n";
2223 print CLIENTCONF "persist-tun\n";
2224 print CLIENTCONF "persist-key\n";
7c1d9faf 2225 print CLIENTCONF "script-security 2\n";
60f396d7 2226 print CLIENTCONF "# IP/DNS for remote Server Gateway\n";
531f0835 2227 print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n";
b278daf3 2228 print CLIENTCONF "float\n";
60f396d7 2229 print CLIENTCONF "# IP adresses of the VPN Subnet\n";
ce9abb66 2230 print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n";
b278daf3 2231 print CLIENTCONF "# Server Gateway Network\n";
7c1d9faf 2232 print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n";
b278daf3 2233 print CLIENTCONF "# tun Device\n";
79e7688b 2234 print CLIENTCONF "dev tun\n";
35a21a25
AM		 2235 print CLIENTCONF "#Logfile for statistics\n";
2236 print CLIENTCONF "status-version 1\n";
2237 print CLIENTCONF "status /var/run/openvpn/$cgiparams{'NAME'}-n2n 10\n";
60f396d7 2238 print CLIENTCONF "# Port and Protokoll\n";
ce9abb66 2239 print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n";
60f396d7
AH		 2240
2241 if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') {
2242 print CLIENTCONF "proto tcp-client\n";
2243 print CLIENTCONF "# Packet size\n";
d96c89eb 2244 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
60f396d7 2245 print CLIENTCONF "tun-mtu $tunmtu\n";
d96c89eb 2246 }
60f396d7
AH		 2247
2248 if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') {
2249 print CLIENTCONF "proto udp\n";
2250 print CLIENTCONF "# Paketsize\n";
2251 if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]};
2252 print CLIENTCONF "tun-mtu $tunmtu\n";
54fd0535 2253 if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";}
d6989b4b 2254 if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} else { print CLIENTCONF "mssfix 0\n"; }
d96c89eb 2255 }
b66b02ab
EK		 2256 # Check host certificate if X509 is RFC3280 compliant.
2257 # If not, old --ns-cert-type directive will be used.
2258 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 2259 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2260 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 2261 print CLIENTCONF "ns-cert-type server\n";
2262 } else {
2263 print CLIENTCONF "remote-cert-tls server\n";
2264 }
ce9abb66
AH		 2265 print CLIENTCONF "# Auth. Client\n";
2266 print CLIENTCONF "tls-client\n";
49abe7af 2267 print CLIENTCONF "# Cipher\n";
4c962356 2268 print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n";
ce9abb66
AH		 2269 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
2270 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2271 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
49abe7af 2272 }
52f61e49
EKD		 2273
2274 # If GCM cipher is used, do not use --auth
2275 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
2276 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
2277 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
2278 print CLIENTCONF unless "# HMAC algorithm\n";
2279 print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2280 } else {
52f61e49
EKD		 2281 print CLIENTCONF "# HMAC algorithm\n";
2282 print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n";
49abe7af 2283 }
52f61e49 2284
4c962356 2285 if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') {
b278daf3 2286 print CLIENTCONF "# Enable Compression\n";
66298ef2 2287 print CLIENTCONF "comp-lzo\n";
b278daf3 2288 }
ce9abb66
AH		 2289 print CLIENTCONF "# Debug Level\n";
2290 print CLIENTCONF "verb 3\n";
b278daf3 2291 print CLIENTCONF "# Tunnel check\n";
ce9abb66 2292 print CLIENTCONF "keepalive 10 60\n";
b278daf3 2293 print CLIENTCONF "# Start as daemon\n";
ce9abb66
AH		 2294 print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n";
2295 print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n";
b278daf3 2296 print CLIENTCONF "# Activate Management Interface and Port\n";
54fd0535
MT		 2297 if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
2298 else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
ce9abb66 2299 print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
531f0835 2300
ce9abb66
AH		 2301
2302 close(CLIENTCONF);
2303
2304 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2305 my $status = $zip->writeToFileNamed($zippathname);
2306
2307 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2308 @fileholder = <DLFILE>;
2309 print "Content-Type:application/x-download\n";
2310 print "Content-Disposition:attachment;filename=$zipname\n\n";
2311 print @fileholder;
2312 exit (0);
2313}
2314else
2315{
2316 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
2317 my $zippathname = "$zippath$zipname";
2318 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
2319
2320###
7c1d9faf 2321# m.a.d net2net
ce9abb66
AH		 2322###
2323
c6c9630e 2324 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
6e13d0a5
MT		 2325 flock CLIENTCONF, 2;
2326
2327 my $zip = Archive::Zip->new();
2328
8c877a82 2329 print CLIENTCONF "#OpenVPN Client conf\r\n";
6e13d0a5
MT		 2330 print CLIENTCONF "tls-client\r\n";
2331 print CLIENTCONF "client\r\n";
4f6e3ae3 2332 print CLIENTCONF "nobind\r\n";
79e7688b 2333 print CLIENTCONF "dev tun\r\n";
c6c9630e 2334 print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
d6989b4b 2335 print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n";
2ee746be 2336
6e13d0a5
MT		 2337 if ( $vpnsettings{'ENABLED'} eq 'on'){
2338 print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
c6c9630e
MT		 2339 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
2340 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n";
2341 print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2342 }
2343 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2344 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
2345 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2346 }
2347 } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
2348 print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2349 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2350 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
2351 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
2352 }
2353 } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
2354 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
6e13d0a5
MT		 2355 }
2356
71af643c
MT		 2357 my $file_crt = new File::Temp( UNLINK => 1 );
2358 my $file_key = new File::Temp( UNLINK => 1 );
b22d8aaf 2359 my $include_certs = 0;
71af643c 2360
6e13d0a5 2361 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
71af643c 2362 if ($cgiparams{'MODE'} eq 'insecure') {
b22d8aaf
MT		 2363 $include_certs = 1;
2364
71af643c 2365 # Add the CA
b22d8aaf 2366 print CLIENTCONF ";ca cacert.pem\r\n";
71af643c
MT		 2367 $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
2368
2369 # Extract the certificate
2feacd98 2370 # This system call is safe, because all arguments are passed as an array.
71af643c
MT		 2371 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2372 '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
2373 if ($?) {
2374 die "openssl error: $?";
2375 }
2376
2377 $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
b22d8aaf 2378 print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
71af643c
MT		 2379
2380 # Extract the key
2feacd98 2381 # This system call is safe, because all arguments are passed as an array.
71af643c
MT		 2382 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
2383 '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
2384 if ($?) {
2385 die "openssl error: $?";
2386 }
2387
2388 $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
b22d8aaf 2389 print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
71af643c
MT		 2390 } else {
2391 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
2392 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
2393 }
6e13d0a5 2394 } else {
c6c9630e
MT		 2395 print CLIENTCONF "ca cacert.pem\r\n";
2396 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
2397 print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
2398 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
2399 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
6e13d0a5
MT		 2400 }
2401 print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
49abe7af 2402 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
86308adb 2403
49abe7af 2404 if ($vpnsettings{'TLSAUTH'} eq 'on') {
b22d8aaf
MT		 2405 if ($cgiparams{'MODE'} eq 'insecure') {
2406 print CLIENTCONF ";";
2407 }
4be45949
EK		 2408 print CLIENTCONF "tls-auth ta.key\r\n";
2409 $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
49abe7af 2410 }
6e13d0a5
MT		 2411 if ($vpnsettings{DCOMPLZO} eq 'on') {
2412 print CLIENTCONF "comp-lzo\r\n";
2413 }
2414 print CLIENTCONF "verb 3\r\n";
b66b02ab
EK		 2415 # Check host certificate if X509 is RFC3280 compliant.
2416 # If not, old --ns-cert-type directive will be used.
2417 # If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
2feacd98
SS		 2418 my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
2419 if (! grep(/TLS Web Server Authentication/, @hostcert)) {
b66b02ab
EK		 2420 print CLIENTCONF "ns-cert-type server\r\n";
2421 } else {
2422 print CLIENTCONF "remote-cert-tls server\r\n";
2423 }
964700d4 2424 print CLIENTCONF "verify-x509-name $vpnsettings{ROOTCERT_HOSTNAME} name\r\n";
a79fa1d6
JPT		 2425 if ($vpnsettings{MSSFIX} eq 'on') {
2426 print CLIENTCONF "mssfix\r\n";
d6989b4b
MT		 2427 } else {
2428 print CLIENTCONF "mssfix 0\r\n";
a79fa1d6 2429 }
74225cce 2430 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
a79fa1d6
JPT		 2431 print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
2432 }
1647059d 2433
b22d8aaf
MT		 2434 if ($include_certs) {
2435 print CLIENTCONF "\r\n";
2436
2437 # CA
2438 open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
2439 print CLIENTCONF "<ca>\r\n";
2440 while (<FILE>) {
2441 chomp($_);
2442 print CLIENTCONF "$_\r\n";
2443 }
2444 print CLIENTCONF "</ca>\r\n\r\n";
2445 close(FILE);
2446
2447 # Cert
2448 open(FILE, "<$file_crt");
2449 print CLIENTCONF "<cert>\r\n";
2450 while (<FILE>) {
2451 chomp($_);
2452 print CLIENTCONF "$_\r\n";
2453 }
2454 print CLIENTCONF "</cert>\r\n\r\n";
2455 close(FILE);
2456
2457 # Key
2458 open(FILE, "<$file_key");
2459 print CLIENTCONF "<key>\r\n";
2460 while (<FILE>) {
2461 chomp($_);
2462 print CLIENTCONF "$_\r\n";
2463 }
2464 print CLIENTCONF "</key>\r\n\r\n";
2465 close(FILE);
2466
2467 # TLS auth
2468 if ($vpnsettings{'TLSAUTH'} eq 'on') {
2469 open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
2470 print CLIENTCONF "<tls-auth>\r\n";
2471 while (<FILE>) {
2472 chomp($_);
2473 print CLIENTCONF "$_\r\n";
2474 }
2475 print CLIENTCONF "</tls-auth>\r\n\r\n";
2476 close(FILE);
2477 }
2478 }
2479
ffbe77c8
EK		 2480 # Print client.conf.local if entries exist to client.ovpn
2481 if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
2482 open (LCC, "$local_clientconf");
2483 print CLIENTCONF "\n#---------------------------\n";
2484 print CLIENTCONF "# Start of custom directives\n";
2485 print CLIENTCONF "# from client.conf.local\n";
2486 print CLIENTCONF "#---------------------------\n\n";
2487 while (<LCC>) {
2488 print CLIENTCONF $_;
2489 }
2490 print CLIENTCONF "\n#---------------------------\n";
2491 print CLIENTCONF "# End of custom directives\n";
2492 print CLIENTCONF "#---------------------------\n\n";
2493 close (LCC);
2494 }
6e13d0a5 2495 close(CLIENTCONF);
ce9abb66 2496
6e13d0a5
MT		 2497 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
2498 my $status = $zip->writeToFileNamed($zippathname);
2499
2500 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
2501 @fileholder = <DLFILE>;
2502 print "Content-Type:application/x-download\n";
2503 print "Content-Disposition:attachment;filename=$zipname\n\n";
2504 print @fileholder;
2505 exit (0);
ce9abb66
AH		 2506 }
2507
2508
2509
6e13d0a5
MT		 2510###
2511### Remove connection
2512###
ce9abb66
AH		 2513
2514
6e13d0a5 2515} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
323be7c4
AM		 2516 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
2517 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 2518
323be7c4 2519 if ($confighash{$cgiparams{'KEY'}}) {
fde9c9dd 2520 # Revoke certificate if certificate was deleted and rewrite the CRL
274ca65b 2521 &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
2feacd98 2522 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
ce9abb66
AH		 2523
2524###
7c1d9faf 2525# m.a.d net2net
ce9abb66 2526###
7c1d9faf 2527
323be7c4 2528 if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
1e499e90 2529 # Stop the N2N connection before it is removed
2feacd98 2530 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
1e499e90 2531
323be7c4
AM		 2532 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
2533 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2534 unlink ($certfile);
2535 unlink ($conffile);
8e6a8fd5 2536
323be7c4
AM		 2537 if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") {
2538 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
2539 }
323be7c4 2540 }
ce9abb66 2541
323be7c4
AM		 2542 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
2543 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
8c877a82
AM		 2544
2545# A.Marx CCD delete ccd files and routes
2546
323be7c4
AM		 2547 if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]")
2548 {
2549 unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]";
8c877a82 2550 }
e81be1e1 2551
323be7c4
AM		 2552 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
2553 foreach my $key (keys %ccdroutehash) {
2554 if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2555 delete $ccdroutehash{$key};
2556 }
8c877a82 2557 }
323be7c4 2558 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
8c877a82 2559
323be7c4
AM		 2560 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2561 foreach my $key (keys %ccdroute2hash) {
2562 if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){
2563 delete $ccdroute2hash{$key};
2564 }
2565 }
2566 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
2567 &writeserverconf;
8c877a82 2568
323be7c4
AM		 2569# CCD end
2570 # Update collectd configuration and delete all RRD files of the removed connection
2571 &writecollectdconf();
2feacd98 2572 &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
8c877a82 2573
323be7c4 2574 delete $confighash{$cgiparams{'KEY'}};
2feacd98 2575 &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
323be7c4
AM		 2576 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2577
2578 } else {
2579 $errormessage = $Lang::tr{'invalid key'};
2580 }
b2e75449 2581 &General::firewall_reload();
ce9abb66 2582
6e13d0a5
MT		 2583###
2584### Download PKCS12 file
2585###
2586} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
2587 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2588
2589 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
2590 print "Content-Type: application/octet-stream\r\n\r\n";
2feacd98
SS		 2591
2592 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
2593 my @tmp = <FILE>;
2594 close(FILE);
2595
2596 print "@tmp";
6e13d0a5
MT		 2597 exit (0);
2598
2599###
2600### Display certificate
2601###
2602} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
2603 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2604
2605 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e 2606 &Header::showhttpheaders();
4c962356 2607 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
c6c9630e
MT		 2608 &Header::openbigbox('100%', 'LEFT', '', '');
2609 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
2feacd98 2610 my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
8c946d1c
MT		 2611 my $output = &Header::cleanhtml(join("", @output), "y");
2612 print "<pre>$output</pre>\n";
c6c9630e
MT		 2613 &Header::closebox();
2614 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2615 &Header::closebigbox();
2616 &Header::closepage();
2617 exit(0);
6e13d0a5 2618 }
4c962356
EK		 2619
2620###
2621### Display Diffie-Hellman key
2622###
2623} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) {
2624
2625 if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") {
49abe7af 2626 $errormessage = $Lang::tr{'not present'};
4c962356
EK		 2627 } else {
2628 &Header::showhttpheaders();
2629 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2630 &Header::openbigbox('100%', 'LEFT', '', '');
2631 &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:");
2feacd98 2632 my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
8c946d1c
MT		 2633 my $output = &Header::cleanhtml(join("", @output) ,"y");
2634 print "<pre>$output</pre>\n";
4c962356
EK		 2635 &Header::closebox();
2636 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2637 &Header::closebigbox();
2638 &Header::closepage();
2639 exit(0);
2640 }
2641
fd5ccb2d
EK		 2642###
2643### Display tls-auth key
2644###
2645} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) {
2646
2647 if (! -e "${General::swroot}/ovpn/certs/ta.key") {
2648 $errormessage = $Lang::tr{'not present'};
2649 } else {
2650 &Header::showhttpheaders();
2651 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2652 &Header::openbigbox('100%', 'LEFT', '', '');
2653 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
2feacd98
SS		 2654
2655 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
2656 my @output = <FILE>;
2657 close(FILE);
2658
8c946d1c
MT		 2659 my $output = &Header::cleanhtml(join("", @output),"y");
2660 print "<pre>$output</pre>\n";
fd5ccb2d
EK		 2661 &Header::closebox();
2662 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2663 &Header::closebigbox();
2664 &Header::closepage();
2665 exit(0);
2666 }
2667
6e13d0a5
MT		 2668###
2669### Display Certificate Revoke List
2670###
2671} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
c6c9630e
MT		 2672# &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2673
49abe7af
EK		 2674 if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") {
2675 $errormessage = $Lang::tr{'not present'};
2676 } else {
b2e75449
MT		 2677 &Header::showhttpheaders();
2678 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
2679 &Header::openbigbox('100%', 'LEFT', '', '');
2680 &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
2feacd98 2681 my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem");
8c946d1c
MT		 2682 my $output = &Header::cleanhtml(join("", @output), "y");
2683 print "<pre>$output</pre>\n";
b2e75449
MT		 2684 &Header::closebox();
2685 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
2686 &Header::closebigbox();
2687 &Header::closepage();
2688 exit(0);
6e13d0a5
MT		 2689 }
2690
2691###
2692### Advanced Server Settings
2693###
2694
2695} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
2696 %cgiparams = ();
2697 %cahash = ();
2698 %confighash = ();
8c877a82 2699 my $disabled;
6e13d0a5 2700 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
54fd0535 2701 read_routepushfile;
8c877a82
AM		 2702
2703
c6c9630e
MT		 2704# if ($cgiparams{'CLIENT2CLIENT'} eq '') {
2705# $cgiparams{'CLIENT2CLIENT'} = 'on';
2706# }
6e13d0a5
MT		 2707ADV_ERROR:
2708 if ($cgiparams{'MAX_CLIENTS'} eq '') {
4c962356 2709 $cgiparams{'MAX_CLIENTS'} = '100';
6e13d0a5 2710 }
6e13d0a5 2711 if ($cgiparams{'KEEPALIVE_1'} eq '') {
4c962356 2712 $cgiparams{'KEEPALIVE_1'} = '10';
6e13d0a5
MT		 2713 }
2714 if ($cgiparams{'KEEPALIVE_2'} eq '') {
4c962356 2715 $cgiparams{'KEEPALIVE_2'} = '60';
6e13d0a5
MT		 2716 }
2717 if ($cgiparams{'LOG_VERB'} eq '') {
4c962356 2718 $cgiparams{'LOG_VERB'} = '3';
ae9f6139 2719 }
f527e53f 2720 if ($cgiparams{'TLSAUTH'} eq '') {
754066e6 2721 $cgiparams{'TLSAUTH'} = 'off';
f527e53f 2722 }
6e13d0a5
MT		 2723 $checked{'CLIENT2CLIENT'}{'off'} = '';
2724 $checked{'CLIENT2CLIENT'}{'on'} = '';
2725 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
2726 $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
2727 $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
2728 $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
13389777
EK		 2729 $checked{'DCOMPLZO'}{'off'} = '';
2730 $checked{'DCOMPLZO'}{'on'} = '';
2731 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
ffbe77c8
EK		 2732 $checked{'ADDITIONAL_CONFIGS'}{'off'} = '';
2733 $checked{'ADDITIONAL_CONFIGS'}{'on'} = '';
2734 $checked{'ADDITIONAL_CONFIGS'}{$cgiparams{'ADDITIONAL_CONFIGS'}} = 'CHECKED';
a79fa1d6
JPT		 2735 $checked{'MSSFIX'}{'off'} = '';
2736 $checked{'MSSFIX'}{'on'} = '';
2737 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
49abe7af 2738 $selected{'LOG_VERB'}{'0'} = '';
6e13d0a5
MT		 2739 $selected{'LOG_VERB'}{'1'} = '';
2740 $selected{'LOG_VERB'}{'2'} = '';
2741 $selected{'LOG_VERB'}{'3'} = '';
2742 $selected{'LOG_VERB'}{'4'} = '';
2743 $selected{'LOG_VERB'}{'5'} = '';
2744 $selected{'LOG_VERB'}{'6'} = '';
2745 $selected{'LOG_VERB'}{'7'} = '';
2746 $selected{'LOG_VERB'}{'8'} = '';
2747 $selected{'LOG_VERB'}{'9'} = '';
2748 $selected{'LOG_VERB'}{'10'} = '';
2749 $selected{'LOG_VERB'}{'11'} = '';
6e13d0a5 2750 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
f527e53f 2751
6e13d0a5
MT		 2752 &Header::showhttpheaders();
2753 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
2754 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
2755 if ($errormessage) {
c6c9630e
MT		 2756 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2757 print "<class name='base'>$errormessage\n";
2758 print "&nbsp;</class>\n";
2759 &Header::closebox();
6e13d0a5
MT		 2760 }
2761 &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
4c962356 2762 print <<END;
b376fae4 2763 <form method='post' enctype='multipart/form-data'>
b2e75449 2764<table width='100%' border=0>
4c962356
EK		 2765 <tr>
2766 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
6e13d0a5
MT		 2767 </tr>
2768 <tr>
4c962356 2769 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
6e13d0a5
MT		 2770 </tr>
2771 <tr>
4c962356 2772 <td class='base'>Domain</td>
8c877a82 2773 <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
6e13d0a5
MT		 2774 </tr>
2775 <tr>
4c962356
EK		 2776 <td class='base'>DNS</td>
2777 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
6e13d0a5
MT		 2778 </tr>
2779 <tr>
4c962356
EK		 2780 <td class='base'>WINS</td>
2781 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
2782 </tr>
54fd0535 2783 <tr>
4c962356 2784 <td colspan='4'><b>$Lang::tr{'ovpn routes push options'}</b></td>
54fd0535
MT		 2785 </tr>
2786 <tr>
4c962356
EK		 2787 <td class='base'>$Lang::tr{'ovpn routes push'}</td>
2788 <td colspan='2'>
2789 <textarea name='ROUTES_PUSH' cols='26' rows='6' wrap='off'>
54fd0535
MT		 2790END
2791;
2792
2793if ($cgiparams{'ROUTES_PUSH'} ne '')
2794{
2795 print $cgiparams{'ROUTES_PUSH'};
2796}
2797
8c877a82 2798print <<END;
54fd0535
MT		 2799</textarea></td>
2800</tr>
6e13d0a5
MT		 2801 </tr>
2802</table>
2803<hr size='1'>
4c962356 2804<table width='100%'>
ffbe77c8 2805 <tr>
4c962356 2806 <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
ffbe77c8
EK		 2807 </tr>
2808
2809 <tr>
d2de0a00 2810 <td width='20%'></td> <td width='15%'> </td><td width='35%'> </td><td width='20%'></td><td width='35%'></td>
ffbe77c8
EK		 2811 </tr>
2812
2813 <tr>
4c962356
EK		 2814 <td class='base'>Client-To-Client</td>
2815 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
ffbe77c8
EK		 2816 </tr>
2817
2818 <tr>
4c962356
EK		 2819 <td class='base'>Redirect-Gateway def1</td>
2820 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
ffbe77c8
EK		 2821 </tr>
2822
13389777
EK		 2823 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2824 <td><input type='checkbox' name='DCOMPLZO' $checked{'DCOMPLZO'}{'on'} /></td>
2825 <td>$Lang::tr{'openvpn default'}: off <font color='red'>($Lang::tr{'attention'} exploitable via Voracle)</font></td>
2826 </tr>
2827
4c962356 2828 <tr>
ffbe77c8
EK		 2829 <td class='base'>$Lang::tr{'ovpn add conf'}</td>
2830 <td><input type='checkbox' name='ADDITIONAL_CONFIGS' $checked{'ADDITIONAL_CONFIGS'}{'on'} /></td>
2831 <td>$Lang::tr{'openvpn default'}: off</td>
2832 </tr>
2833
2834 <tr>
2835 <td class='base'>mssfix</td>
2836 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
2837 <td>$Lang::tr{'openvpn default'}: off</td>
2838 </tr>
2839
4c962356 2840 <tr>
ffbe77c8
EK		 2841 <td class='base'>fragment <br></td>
2842 <td><input type='TEXT' name='FRAGMENT' value='$cgiparams{'FRAGMENT'}' size='10' /></td>
2843 </tr>
2844
2845
2846 <tr>
2847 <td class='base'>Max-Clients</td>
2848 <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='10' /></td>
2849 </tr>
2850 <tr>
2851 <td class='base'>Keepalive <br />
2852 (ping/ping-restart)</td>
2853 <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
2854 <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
2855 </tr>
a79fa1d6
JPT		 2856</table>
2857
a79fa1d6 2858<hr size='1'>
4c962356 2859<table width='100%'>
a79fa1d6 2860 <tr>
49abe7af 2861 <td class'base'><b>$Lang::tr{'log-options'}</b></td>
a79fa1d6
JPT		 2862 </tr>
2863 <tr>
49abe7af 2864 <td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
4c962356
EK		 2865 </tr>
2866
2867 <tr><td class='base'>VERB</td>
2868 <td><select name='LOG_VERB'>
49abe7af
EK		 2869 <option value='0' $selected{'LOG_VERB'}{'0'}>0</option>
2870 <option value='1' $selected{'LOG_VERB'}{'1'}>1</option>
2871 <option value='2' $selected{'LOG_VERB'}{'2'}>2</option>
2872 <option value='3' $selected{'LOG_VERB'}{'3'}>3</option>
2873 <option value='4' $selected{'LOG_VERB'}{'4'}>4</option>
2874 <option value='5' $selected{'LOG_VERB'}{'5'}>5</option>
2875 <option value='6' $selected{'LOG_VERB'}{'6'}>6</option>
2876 <option value='7' $selected{'LOG_VERB'}{'7'}>7</option>
2877 <option value='8' $selected{'LOG_VERB'}{'8'}>8</option>
2878 <option value='9' $selected{'LOG_VERB'}{'9'}>9</option>
2879 <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
2880 <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
2881 </td></select>
2882 </table>
4c962356 2883
6e13d0a5 2884<hr size='1'>
8c877a82
AM		 2885END
2886
2887if ( -e "/var/run/openvpn.pid"){
2888print" <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>
2889 $Lang::tr{'server restart'}<br><br>
2890 <hr>";
49abe7af 2891 print<<END;
52d08bcb
AM		 2892<table width='100%'>
2893<tr>
2894 <td>&nbsp;</td>
2895 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' disabled='disabled' /></td>
2896 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
2897 <td>&nbsp;</td>
2898</tr>
2899</table>
2900</form>
2901END
2902;
2903
2904
2905}else{
8c877a82 2906
49abe7af 2907 print<<END;
6e13d0a5
MT		 2908<table width='100%'>
2909<tr>
2910 <td>&nbsp;</td>
2911 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
2912 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
2913 <td>&nbsp;</td>
2914</tr>
2915</table>
2916</form>
2917END
2918;
52d08bcb 2919}
6e13d0a5 2920 &Header::closebox();
c6c9630e 2921# print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
6e13d0a5
MT		 2922 &Header::closebigbox();
2923 &Header::closepage();
2924 exit(0);
2925
8c877a82
AM		 2926
2927# A.Marx CCD Add,delete or edit CCD net
2928
2929} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ccd net'} ||
2930 $cgiparams{'ACTION'} eq $Lang::tr{'ccd add'} ||
2931 $cgiparams{'ACTION'} eq "kill" ||
2932 $cgiparams{'ACTION'} eq "edit" ||
2933 $cgiparams{'ACTION'} eq 'editsave'){
2934 &Header::showhttpheaders();
2935 &Header::openpage($Lang::tr{'ccd net'}, 1, '');
2936 &Header::openbigbox('100%', 'LEFT', '', '');
2937
2938 if ($cgiparams{'ACTION'} eq "kill"){
2939 &delccdnet($cgiparams{'net'});
2940 }
2941
2942 if ($cgiparams{'ACTION'} eq 'editsave'){
2943 my ($a,$b) =split (/\|/,$cgiparams{'ccdname'});
2944 if ( $a ne $b){ &modccdnet($a,$b);}
5068ac38
AM		 2945 $cgiparams{'ccdname'}='';
2946 $cgiparams{'ccdsubnet'}='';
8c877a82
AM		 2947 }
2948
2949 if ($cgiparams{'ACTION'} eq $Lang::tr{'ccd add'}) {
e2429e8d 2950 &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'});
8c877a82
AM		 2951 }
2952 if ($errormessage) {
2953 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2954 print "<class name='base'>$errormessage";
2955 print "&nbsp;</class>";
2956 &Header::closebox();
2957 }
2958if ($cgiparams{'ACTION'} eq "edit"){
2959
2960 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'});
2961
49abe7af 2962 print <<END;
631b67b7 2963 <table width='100%' border='0'>
8c877a82
AM		 2964 <tr><form method='post'>
2965 <td width='10%' nowrap='nowrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
a9fb14d0 2966 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' readonly='readonly' /></td></tr>
8c877a82
AM		 2967 <tr><td colspan='4' align='right'><hr><input type='submit' value='$Lang::tr{'save'}' /><input type='hidden' name='ACTION' value='editsave'/>
2968 <input type='hidden' name='ccdname' value='$cgiparams{'ccdname'}'/><input type='submit' value='$Lang::tr{'cancel'}' />
2969 </td></tr>
2970 </table></form>
2971END
2972;
2973 &Header::closebox();
2974
2975 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
49abe7af 2976 print <<END;
8c877a82
AM		 2977 <table width='100%' border='0' cellpadding='0' cellspacing='1'>
2978 <tr>
2979 <td class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' width='15%' align='center'><b>$Lang::tr{'ccd used'}</td><td width='3%'></td><td width='3%'></td></tr>
2980END
2981;
2982}
2983else{
2984 if (! -e "/var/run/openvpn.pid"){
2985 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'});
49abe7af 2986 print <<END;
8c877a82
AM		 2987 <table width='100%' border='0'>
2988 <tr><form method='post'>
2989 <td colspan='4'>$Lang::tr{'ccd hint'}<br><br></td></tr>
2990 <tr>
2991 <td width='10%' nowrap='nwrap'>$Lang::tr{'ccd name'}:</td><td><input type='TEXT' name='ccdname' value='$cgiparams{'ccdname'}' /></td>
2992 <td width='8%'>$Lang::tr{'ccd subnet'}:</td><td><input type='TEXT' name='ccdsubnet' value='$cgiparams{'ccdsubnet'}' /></td></tr>
2993 <tr><td colspan=4><hr /></td></tr><tr>
2994 <td colspan='4' align='right'><input type='hidden' name='ACTION' value='$Lang::tr{'ccd add'}' /><input type='submit' value='$Lang::tr{'add'}' /><input type='hidden' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}'/></td></tr>
2995 </table></form>
2996END
2997
2998 &Header::closebox();
2999}
3000 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} );
5068ac38
AM		 3001 if ( -e "/var/run/openvpn.pid"){
3002 print "<b>$Lang::tr{'attention'}:</b><br>";
3003 print "$Lang::tr{'ccd noaddnet'}<br><hr>";
3004 }
3005
4c962356 3006 print <<END;
99bfa85c 3007 <table width='100%' cellpadding='0' cellspacing='1'>
8c877a82
AM		 3008 <tr>
3009 <td class='boldbase' align='center' nowrap='nowrap' width='20%'><b>$Lang::tr{'ccd name'}</td><td class='boldbase' align='center' width='8%'><b>$Lang::tr{'network'}</td><td class='boldbase' width='8%' align='center' nowrap='nowrap'><b>$Lang::tr{'ccd used'}</td><td width='1%' align='center'></td><td width='1%' align='center'></td></tr>
3010END
3011;
3012}
3013 my %ccdconfhash=();
3014 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
3015 my @ccdconf=();
3016 my $count=0;
df9b48b7 3017 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
8c877a82
AM		 3018 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
3019 $count++;
3020 my $ccdhosts = &hostsinnet($ccdconf[0]);
3021 if ($count % 2){ print" <tr bgcolor='$color{'color22'}'>";}
3022 else{ print" <tr bgcolor='$color{'color20'}'>";}
3023 print"<td>$ccdconf[0]</td><td align='center'>$ccdconf[1]</td><td align='center'>$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)."</td><td>";
4c962356 3024 print <<END;
8c877a82 3025 <form method='post' />
1638682b 3026 <input type='image' src='/images/edit.gif' align='middle' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
8c877a82
AM		 3027 <input type='hidden' name='ACTION' value='edit'/>
3028 <input type='hidden' name='ccdname' value='$ccdconf[0]' />
3029 <input type='hidden' name='ccdsubnet' value='$ccdconf[1]' />
3030 </form></td>
3031 <form method='post' />
3032 <td><input type='hidden' name='ACTION' value='kill'/>
3033 <input type='hidden' name='number' value='$count' />
3034 <input type='hidden' name='net' value='$ccdconf[0]' />
1638682b 3035 <input type='image' src='/images/delete.gif' align='middle' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' /></form></td></tr>
8c877a82
AM		 3036END
3037;
3038 }
3039 print "</table></form>";
3040 &Header::closebox();
3041 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3042 &Header::closebigbox();
3043 &Header::closepage();
3044 exit(0);
3045
3046#END CCD
3047
6e13d0a5
MT		 3048###
3049### Openvpn Connections Statistics
3050###
3051} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
3052 &Header::showhttpheaders();
3053 &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
3054 &Header::openbigbox('100%', 'LEFT', '', '');
3055 &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
3056
3057#
3058# <td><b>$Lang::tr{'protocol'}</b></td>
3059# protocol temp removed
4c962356 3060 print <<END;
99bfa85c 3061 <table width='100%' cellpadding='2' cellspacing='0' class='tbl'>
6e13d0a5 3062 <tr>
99bfa85c
AM		 3063 <th><b>$Lang::tr{'common name'}</b></th>
3064 <th><b>$Lang::tr{'real address'}</b></th>
d8ef6a95 3065 <th><b>$Lang::tr{'country'}</b></th>
99bfa85c
AM		 3066 <th><b>$Lang::tr{'virtual address'}</b></th>
3067 <th><b>$Lang::tr{'loged in at'}</b></th>
3068 <th><b>$Lang::tr{'bytes sent'}</b></th>
3069 <th><b>$Lang::tr{'bytes received'}</b></th>
3070 <th><b>$Lang::tr{'last activity'}</b></th>
6e13d0a5
MT		 3071 </tr>
3072END
3073;
87fe47e9 3074 my $filename = "/var/run/ovpnserver.log";
6e13d0a5
MT		 3075 open(FILE, $filename) or die 'Unable to open config file.';
3076 my @current = <FILE>;
3077 close(FILE);
3078 my @users =();
3079 my $status;
3080 my $uid = 0;
3081 my $cn;
3082 my @match = ();
3083 my $proto = "udp";
3084 my $address;
3085 my %userlookup = ();
3086 foreach my $line (@current)
3087 {
3088 chomp($line);
3089 if ( $line =~ /^Updated,(.+)/){
3090 @match = split( /^Updated,(.+)/, $line);
3091 $status = $match[1];
3092 }
c6c9630e 3093#gian
6e13d0a5
MT		 3094 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
3095 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
3096 if ($match[1] ne "Common Name") {
3097 $cn = $match[1];
3098 $userlookup{$match[2]} = $uid;
3099 $users[$uid]{'CommonName'} = $match[1];
3100 $users[$uid]{'RealAddress'} = $match[2];
c6c9630e
MT		 3101 $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
3102 $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
6e13d0a5
MT		 3103 $users[$uid]{'Since'} = $match[5];
3104 $users[$uid]{'Proto'} = $proto;
d8ef6a95
PM		 3105
3106 # get country code for "RealAddress"...
07e42be9 3107 my $ccode = &Location::Functions::lookup_country_code((split ':', $users[$uid]{'RealAddress'})[0]);
e2e270e1 3108 my $flag_icon = &Location::Functions::get_flag_icon($ccode);
d8ef6a95 3109 $users[$uid]{'Country'} = "<a href='country.cgi#$ccode'><img src='$flag_icon' border='0' align='absmiddle' alt='$ccode' title='$ccode' /></a>";
6e13d0a5
MT		 3110 $uid++;
3111 }
3112 }
3113 if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
3114 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
3115 if ($match[1] ne "Virtual Address") {
3116 $address = $match[3];
3117 #find the uid in the lookup table
3118 $uid = $userlookup{$address};
3119 $users[$uid]{'VirtualAddress'} = $match[1];
3120 $users[$uid]{'LastRef'} = $match[4];
3121 }
3122 }
3123 }
3124 my $user2 = @users;
3125 if ($user2 >= 1){
99bfa85c 3126 for (my $idx = 1; $idx <= $user2; $idx++){
6e13d0a5 3127 if ($idx % 2) {
99bfa85c
AM		 3128 print "<tr>";
3129 $col="bgcolor='$color{'color22'}'";
3130 } else {
3131 print "<tr>";
3132 $col="bgcolor='$color{'color20'}'";
6e13d0a5 3133 }
99bfa85c
AM		 3134 print "<td align='left' $col>$users[$idx-1]{'CommonName'}</td>";
3135 print "<td align='left' $col>$users[$idx-1]{'RealAddress'}</td>";
d8ef6a95
PM		 3136 print "<td align='center' $col>$users[$idx-1]{'Country'}</td>";
3137 print "<td align='center' $col>$users[$idx-1]{'VirtualAddress'}</td>";
99bfa85c
AM		 3138 print "<td align='left' $col>$users[$idx-1]{'Since'}</td>";
3139 print "<td align='left' $col>$users[$idx-1]{'BytesSent'}</td>";
3140 print "<td align='left' $col>$users[$idx-1]{'BytesReceived'}</td>";
3141 print "<td align='left' $col>$users[$idx-1]{'LastRef'}</td>";
3142 }
3143 }
6e13d0a5
MT		 3144
3145 print "</table>";
49abe7af 3146 print <<END;
6e13d0a5
MT		 3147 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
3148 <tr><td></td></tr>
3149 <tr><td></td></tr>
3150 <tr><td></td></tr>
3151 <tr><td></td></tr>
3152 <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
3153 </table>
3154END
3155;
3156 &Header::closebox();
3157 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3158 &Header::closebigbox();
3159 &Header::closepage();
3160 exit(0);
3161
3162###
3163### Download Certificate
3164###
3165} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
3166 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
c6c9630e 3167
6e13d0a5 3168 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
c6c9630e
MT		 3169 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
3170 print "Content-Type: application/octet-stream\r\n\r\n";
2feacd98
SS		 3171
3172 open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
3173 my @tmp = <FILE>;
3174 close(FILE);
3175
3176 print "@tmp";
c6c9630e
MT		 3177 exit (0);
3178 }
3179
3180###
3181### Enable/Disable connection
3182###
ce9abb66 3183
c6c9630e
MT		 3184} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
3185
3186 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3187 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3188
3189 if ($confighash{$cgiparams{'KEY'}}) {
ce9abb66 3190 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
c6c9630e
MT		 3191 $confighash{$cgiparams{'KEY'}}[0] = 'on';
3192 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3193 #&writeserverconf();
3194# if ($vpnsettings{'ENABLED'} eq 'on' ||
3195# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3196# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3197# }
3198 } else {
3199 $confighash{$cgiparams{'KEY'}}[0] = 'off';
3200# if ($vpnsettings{'ENABLED'} eq 'on' ||
3201# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3202# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
3203# }
3204 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3205 #&writeserverconf();
3206 }
3207 } else {
3208 $errormessage = $Lang::tr{'invalid key'};
6e13d0a5
MT		 3209 }
3210
3211###
3212### Restart connection
3213###
3214} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
3215 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3216 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3217
3218 if ($confighash{$cgiparams{'KEY'}}) {
c6c9630e
MT		 3219# if ($vpnsettings{'ENABLED'} eq 'on' ||
3220# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
3221# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
3222# }
6e13d0a5 3223 } else {
c6c9630e 3224 $errormessage = $Lang::tr{'invalid key'};
6e13d0a5
MT		 3225 }
3226
ce9abb66 3227###
7c1d9faf 3228# m.a.d net2net
ce9abb66
AH		 3229###
3230
3231} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
3232 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3233 &Header::showhttpheaders();
4c962356 3234 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
ce9abb66
AH		 3235 &Header::openbigbox('100%', 'LEFT', '', '');
3236 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
b278daf3
AH		 3237
3238if ( -s "${General::swroot}/ovpn/settings") {
3239
49abe7af 3240 print <<END;
ce9abb66 3241 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3242 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
ce9abb66
AH		 3243 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
3244 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
3245 <tr><td><input type='radio' name='TYPE' value='net' /></td>
3246 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
3247 <tr><td><input type='radio' name='TYPE' value='net2net' /></td>
3248 <td class='base'>$Lang::tr{'net to net vpn'} (Upload Client Package)</td></tr>
3249 <tr><td>&nbsp;</td><td class='base'><input type='file' name='FH' size='30'></td></tr>
e3edceeb 3250 <tr><td>&nbsp;</td><td>Import Connection Name</td></tr>
040b8b0c 3251 <tr><td>&nbsp;</td><td class='base'><input type='text' name='n2nname' size='30'>$Lang::tr{'openvpn default'}: Client Packagename</td></tr>
54fd0535 3252 <tr><td colspan='3'><hr /></td></tr>
8c877a82 3253 <tr><td align='right' colspan='3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
ce9abb66
AH		 3254 </form></table>
3255END
3256 ;
8c877a82 3257
ce9abb66 3258
b278daf3 3259} else {
49abe7af 3260 print <<END;
b278daf3 3261 <b>$Lang::tr{'connection type'}:</b><br />
8c877a82 3262 <table border='0' width='100%'><form method='post' ENCTYPE="multipart/form-data">
b278daf3 3263 <tr><td><input type='radio' name='TYPE' value='host' checked /></td> <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
8c877a82 3264 <tr><td align='right' colspan'3'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
b278daf3
AH		 3265 </form></table>
3266END
3267 ;
3268
3269}
3270
ce9abb66 3271 &Header::closebox();
4c962356 3272 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
ce9abb66
AH		 3273 &Header::closebigbox();
3274 &Header::closepage();
3275 exit (0);
3276
3277###
7c1d9faf 3278# m.a.d net2net
ce9abb66
AH		 3279###
3280
3281} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2net')){
3282
3283 my @firen2nconf;
3284 my @confdetails;
3285 my $uplconffilename ='';
54fd0535 3286 my $uplconffilename2 ='';
ce9abb66 3287 my $uplp12name = '';
54fd0535 3288 my $uplp12name2 = '';
ce9abb66
AH		 3289 my @rem_subnet;
3290 my @rem_subnet2;
3291 my @tmposupnet3;
3292 my $key;
54fd0535 3293 my @n2nname;
ce9abb66
AH		 3294
3295 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3296
2ad1b18b
MT		 3297 # Check if a file is uploaded
3298 unless (ref ($cgiparams{'FH'})) {
ce9abb66
AH		 3299 $errormessage = $Lang::tr{'there was no file upload'};
3300 goto N2N_ERROR;
3301 }
3302
3303# Move uploaded IPfire n2n package to temporary file
3304
3305 (my $fh, my $filename) = tempfile( );
3306 if (copy ($cgiparams{'FH'}, $fh) != 1) {
3307 $errormessage = $!;
3308 goto N2N_ERROR;
3309 }
3310
3311 my $zip = Archive::Zip->new();
3312 my $zipName = $filename;
3313 my $status = $zip->read( $zipName );
3314 if ($status != AZ_OK) {
3315 $errormessage = "Read of $zipName failed\n";
3316 goto N2N_ERROR;
3317 }
3318
3319 my $tempdir = tempdir( CLEANUP => 1 );
3320 my @files = $zip->memberNames();
3321 for(@files) {
3322 $zip->extractMemberWithoutPaths($_,"$tempdir/$_");
3323 }
3324 my $countfiles = @files;
3325
3326# Check if we have not more then 2 files
3327
3328 if ( $countfiles == 2){
3329 foreach (@files){
3330 if ( $_ =~ /.conf$/){
3331 $uplconffilename = $_;
3332 }
3333 if ( $_ =~ /.p12$/){
3334 $uplp12name = $_;
3335 }
3336 }
3337 if (($uplconffilename eq '') || ($uplp12name eq '')){
3338 $errormessage = "Either no *.conf or no *.p12 file found\n";
3339 goto N2N_ERROR;
3340 }
3341
3342 open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file';
3343 @firen2nconf = <FILE>;
3344 close (FILE);
3345 chomp(@firen2nconf);
ce9abb66
AH		 3346 } else {
3347
3348 $errormessage = "Filecount does not match only 2 files are allowed\n";
3349 goto N2N_ERROR;
3350 }
3351
7c1d9faf
AH		 3352###
3353# m.a.d net2net
ce9abb66 3354###
54fd0535
MT		 3355
3356 if ($cgiparams{'n2nname'} ne ''){
3357
3358 $uplconffilename2 = "$cgiparams{'n2nname'}.conf";
3359 $uplp12name2 = "$cgiparams{'n2nname'}.p12";
3360 $n2nname[0] = $cgiparams{'n2nname'};
3361 my @n2nname2 = split(/\./,$uplconffilename);
3362 $n2nname2[0] =~ s/\n|\r//g;
3363 my $input1 = "${General::swroot}/ovpn/certs/$uplp12name";
3364 my $output1 = "${General::swroot}/ovpn/certs/$uplp12name2";
3365 my $input2 = "$n2nname2[0]n2n";
3366 my $output2 = "$n2nname[0]n2n";
3367 my $filename = "$tempdir/$uplconffilename";
3368 open(FILE, "< $filename") or die 'Unable to open config file.';
3369 my @current = <FILE>;
3370 close(FILE);
3371 foreach (@current) {s/$input1/$output1/g;}
3372 foreach (@current) {s/$input2/$output2/g;}
3373 open (OUT, "> $filename") || die 'Unable to open config file.';
3374 print OUT @current;
3375 close OUT;
ce9abb66 3376
54fd0535
MT		 3377 }else{
3378 $uplconffilename2 = $uplconffilename;
3379 $uplp12name2 = $uplp12name;
3380 @n2nname = split(/\./,$uplconffilename);
ce9abb66 3381 $n2nname[0] =~ s/\n|\r//g;
54fd0535 3382 }
7c1d9faf
AH		 3383 unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";}
3384 unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";}
ce9abb66 3385
7dfcaef0
AM		 3386 #Add collectd settings to configfile
3387 open(FILE, ">> $tempdir/$uplconffilename") or die 'Unable to open config file.';
3388 print FILE "# Logfile\n";
3389 print FILE "status-version 1\n";
3390 print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
3391 close FILE;
3392
cc79d281 3393 unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
ce9abb66
AH		 3394 $errormessage = "*.conf move failed: $!";
3395 unlink ($filename);
3396 goto N2N_ERROR;
3397 }
3398
cc79d281 3399 unless(move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2")) {
ce9abb66
AH		 3400 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
3401 unlink ($filename);
3402 goto N2N_ERROR;
cc79d281
SS		 3403 }
3404
3405 chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name";
ce9abb66
AH		 3406
3407my $complzoactive;
d96c89eb 3408my $mssfixactive;
4c962356 3409my $authactive;
d96c89eb 3410my $n2nfragment;
60f396d7 3411my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]);
54fd0535 3412my @n2nproto = split(/-/, $n2nproto2[1]);
ce9abb66
AH		 3413my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]);
3414my @n2ntunmtu = split(/ /, (grep { /^tun-mtu/ } @firen2nconf)[0]);
3415my @n2ncomplzo = grep { /^comp-lzo/ } @firen2nconf;
3416if ($n2ncomplzo[0] =~ /comp-lzo/){$complzoactive = "on";} else {$complzoactive = "off";}
d96c89eb
AH		 3417my @n2nmssfix = grep { /^mssfix/ } @firen2nconf;
3418if ($n2nmssfix[0] =~ /mssfix/){$mssfixactive = "on";} else {$mssfixactive = "off";}
54fd0535 3419#my @n2nmssfix = split(/ /, (grep { /^mssfix/ } @firen2nconf)[0]);
d96c89eb 3420my @n2nfragment = split(/ /, (grep { /^fragment/ } @firen2nconf)[0]);
ce9abb66
AH		 3421my @n2nremote = split(/ /, (grep { /^remote/ } @firen2nconf)[0]);
3422my @n2novpnsuball = split(/ /, (grep { /^ifconfig/ } @firen2nconf)[0]);
3423my @n2novpnsub = split(/\./,$n2novpnsuball[1]);
3424my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]);
54fd0535 3425my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]);
ce9abb66 3426my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]);
4c962356 3427my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]);
f527e53f 3428my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]);;
60f396d7 3429
ce9abb66
AH		 3430###
3431# m.a.d delete CR and LF from arrays for this chomp doesnt work
3432###
3433
ce9abb66 3434$n2nremote[1] =~ s/\n|\r//g;
ce9abb66
AH		 3435$n2novpnsub[0] =~ s/\n|\r//g;
3436$n2novpnsub[1] =~ s/\n|\r//g;
3437$n2novpnsub[2] =~ s/\n|\r//g;
60f396d7 3438$n2nproto[0] =~ s/\n|\r//g;
ce9abb66
AH		 3439$n2nport[1] =~ s/\n|\r//g;
3440$n2ntunmtu[1] =~ s/\n|\r//g;
3441$n2nremsub[1] =~ s/\n|\r//g;
b278daf3 3442$n2nremsub[2] =~ s/\n|\r//g;
ce9abb66 3443$n2nlocalsub[2] =~ s/\n|\r//g;
d96c89eb 3444$n2nfragment[1] =~ s/\n|\r//g;
54fd0535 3445$n2nmgmt[2] =~ s/\n|\r//g;
4c962356
EK		 3446$n2ncipher[1] =~ s/\n|\r//g;
3447$n2nauth[1] =~ s/\n|\r//g;
ce9abb66 3448chomp ($complzoactive);
d96c89eb 3449chomp ($mssfixactive);
ce9abb66
AH		 3450
3451###
7c1d9faf 3452# m.a.d net2net
ce9abb66
AH		 3453###
3454
3455###
3456# Check if there is no other entry with this name
3457###
3458
3459 foreach my $dkey (keys %confighash) {
3460 if ($confighash{$dkey}[1] eq $n2nname[0]) {
3461 $errormessage = $Lang::tr{'a connection with this name already exists'};
b278daf3
AH		 3462 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3463 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3464 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
ce9abb66
AH		 3465 goto N2N_ERROR;
3466 }
3467 }
3468
d96c89eb
AH		 3469###
3470# Check if OpenVPN Subnet is valid
3471###
3472
3473foreach my $dkey (keys %confighash) {
3474 if ($confighash{$dkey}[27] eq "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0") {
3475 $errormessage = 'The OpenVPN Subnet is already in use';
b278daf3
AH		 3476 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3477 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3478 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
d96c89eb
AH		 3479 goto N2N_ERROR;
3480 }
3481 }
3482
3483###
4c962356 3484# Check if Dest Port is vaild
d96c89eb
AH		 3485###
3486
3487foreach my $dkey (keys %confighash) {
3488 if ($confighash{$dkey}[29] eq $n2nport[1] ) {
3489 $errormessage = 'The OpenVPN Port is already in use';
b278daf3
AH		 3490 unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!";
3491 unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!";
3492 rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!";
d96c89eb
AH		 3493 goto N2N_ERROR;
3494 }
3495 }
3496
3497
3498
ce9abb66
AH		 3499 $key = &General::findhasharraykey (\%confighash);
3500
49abe7af 3501 foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";}
350f2980 3502
ce9abb66
AH		 3503 $confighash{$key}[0] = 'off';
3504 $confighash{$key}[1] = $n2nname[0];
350f2980 3505 $confighash{$key}[2] = $n2nname[0];
ce9abb66
AH		 3506 $confighash{$key}[3] = 'net';
3507 $confighash{$key}[4] = 'cert';
3508 $confighash{$key}[6] = 'client';
3509 $confighash{$key}[8] = $n2nlocalsub[2];
350f2980
SS		 3510 $confighash{$key}[10] = $n2nremote[1];
3511 $confighash{$key}[11] = "$n2nremsub[1]/$n2nremsub[2]";
54fd0535 3512 $confighash{$key}[22] = $n2nmgmt[2];
350f2980 3513 $confighash{$key}[23] = $mssfixactive;
d96c89eb 3514 $confighash{$key}[24] = $n2nfragment[1];
350f2980 3515 $confighash{$key}[25] = 'IPFire n2n Client';
ce9abb66 3516 $confighash{$key}[26] = 'red';
350f2980
SS		 3517 $confighash{$key}[27] = "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0";
3518 $confighash{$key}[28] = $n2nproto[0];
3519 $confighash{$key}[29] = $n2nport[1];
3520 $confighash{$key}[30] = $complzoactive;
3521 $confighash{$key}[31] = $n2ntunmtu[1];
4c962356
EK		 3522 $confighash{$key}[39] = $n2nauth[1];
3523 $confighash{$key}[40] = $n2ncipher[1];
49abe7af 3524 $confighash{$key}[41] = 'disabled';
ce9abb66
AH		 3525
3526 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
d96c89eb 3527
ce9abb66
AH		 3528 N2N_ERROR:
3529
3530 &Header::showhttpheaders();
3531 &Header::openpage('Validate imported configuration', 1, '');
3532 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
3533 if ($errormessage) {
3534 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
3535 print "<class name='base'>$errormessage";
3536 print "&nbsp;</class>";
3537 &Header::closebox();
3538
3539 } else
3540 {
3541 &Header::openbox('100%', 'LEFT', 'import ipfire net2net config');
3542 }
3543 if ($errormessage eq ''){
49abe7af 3544 print <<END;
ce9abb66
AH		 3545 <!-- ipfire net2net config gui -->
3546 <table width='100%'>
3547 <tr><td width='25%'>&nbsp;</td><td width='25%'>&nbsp;</td></tr>
3548 <tr><td class='boldbase'>$Lang::tr{'name'}:</td><td><b>$n2nname[0]</b></td></tr>
3549 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
3550 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td><td><b>$confighash{$key}[6]</b></td></tr>
3551 <tr><td class='boldbase' nowrap='nowrap'>Remote Host </td><td><b>$confighash{$key}[10]</b></td></tr>
3552 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td><td><b>$confighash{$key}[8]</b></td></tr>
4c962356 3553 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}:</td><td><b>$confighash{$key}[11]</b></td></tr>
ce9abb66
AH		 3554 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td><td><b>$confighash{$key}[27]</b></td></tr>
3555 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td><td><b>$confighash{$key}[28]</b></td></tr>
3556 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'destination port'}:</td><td><b>$confighash{$key}[29]</b></td></tr>
3557 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td><td><b>$confighash{$key}[30]</b></td></tr>
4c962356
EK		 3558 <tr><td class='boldbase' nowrap='nowrap'>MSSFIX:</td><td><b>$confighash{$key}[23]</b></td></tr>
3559 <tr><td class='boldbase' nowrap='nowrap'>Fragment:</td><td><b>$confighash{$key}[24]</b></td></tr>
ce9abb66 3560 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td><td><b>$confighash{$key}[31]</b></td></tr>
54fd0535 3561 <tr><td class='boldbase' nowrap='nowrap'>Management Port </td><td><b>$confighash{$key}[22]</b></td></tr>
0c4ffc69 3562 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn tls auth'}:</td><td><b>$confighash{$key}[39]</b></td></tr>
4c962356 3563 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td><td><b>$confighash{$key}[40]</b></td></tr>
ce9abb66
AH		 3564 <tr><td>&nbsp;</td><td>&nbsp;</td></tr>
3565 </table>
3566END
3567;
3568 &Header::closebox();
3569 }
3570
3571 if ($errormessage) {
3572 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
3573 } else {
3574 print "<div align='center'><form method='post' ENCTYPE='multipart/form-data'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' />";
3575 print "<input type='hidden' name='TYPE' value='net2netakn' />";
3576 print "<input type='hidden' name='KEY' value='$key' />";
3577 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
3578 }
3579 &Header::closebigbox();
3580 &Header::closepage();
4c962356 3581 exit(0);
ce9abb66
AH		 3582
3583
3584##
3585### Accept IPFire n2n Package Settings
3586###
3587
3588 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3589
3590###
3591### Discard and Rollback IPFire n2n Package Settings
3592###
3593
3594 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'cancel'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){
3595
3596 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3597
3598if ($confighash{$cgiparams{'KEY'}}) {
3599
3600 my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf");
3601 my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
3602 unlink ($certfile) or die "Removing $certfile fail: $!";
3603 unlink ($conffile) or die "Removing $conffile fail: $!";
3604 rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!";
3605 delete $confighash{$cgiparams{'KEY'}};
3606 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3607
3608 } else {
3609 $errormessage = $Lang::tr{'invalid key'};
3610 }
3611
3612
3613###
7c1d9faf 3614# m.a.d net2net
ce9abb66
AH		 3615###
3616
3617
3618###
3619### Adding a new connection
3620###
6e13d0a5
MT		 3621} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
3622 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
3623 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
8c877a82 3624
6e13d0a5
MT		 3625 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
3626 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
3627 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
3628
3629 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
8c877a82
AM		 3630 if (! $confighash{$cgiparams{'KEY'}}[0]) {
3631 $errormessage = $Lang::tr{'invalid key'};
3632 goto VPNCONF_END;
3633 }
4c962356
EK		 3634 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
3635 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
3636 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
3637 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
3638 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
3639 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
3640 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
3641 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
8c877a82 3642 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
4c962356
EK		 3643 $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22];
3644 $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23];
3645 $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24];
3646 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
3647 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
3648 $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
3649 $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
3650 $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
3651 $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
3652 $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
3653 $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32];
df9b48b7 3654 $name=$cgiparams{'CHECK1'} ;
4c962356
EK		 3655 $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33];
3656 $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34];
3657 $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
3658 $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
3659 $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
4c962356
EK		 3660 $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
3661 $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
49abe7af 3662 $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
8c877a82 3663 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
c6c9630e 3664 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
18837a6a 3665
8c877a82 3666#A.Marx CCD check iroute field and convert it to decimal
52d08bcb 3667if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 3668 my @temp=();
3669 my %ccdroutehash=();
3670 my $keypoint=0;
5068ac38
AM		 3671 my $ip;
3672 my $cidr;
8c877a82
AM		 3673 if ($cgiparams{'IR'} ne ''){
3674 @temp = split("\n",$cgiparams{'IR'});
3675 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3676 #find key to use
3677 foreach my $key (keys %ccdroutehash) {
3678 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3679 $keypoint=$key;
3680 delete $ccdroutehash{$key};
3681 }else{
3682 $keypoint = &General::findhasharraykey (\%ccdroutehash);
3683 }
3684 }
3685 $ccdroutehash{$keypoint}[0]=$cgiparams{'NAME'};
3686 my $i=1;
3687 my $val=0;
3688 foreach $val (@temp){
3689 chomp($val);
3690 $val=~s/\s*$//g;
5068ac38 3691 #check if iroute exists in ccdroute or if new iroute is part of an existing one
8c877a82
AM		 3692 foreach my $key (keys %ccdroutehash) {
3693 foreach my $oldiroute ( 1 .. $#{$ccdroutehash{$key}}){
5068ac38
AM		 3694 if ($ccdroutehash{$key}[$oldiroute] eq "$val") {
3695 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3696 goto VPNCONF_ERROR;
3697 }
3698 my ($ip1,$cidr1) = split (/\//, $val);
82c809c7 3699 $ip1 = &General::getnetworkip($ip1,&General::iporsubtocidr($cidr1));
5068ac38
AM		 3700 my ($ip2,$cidr2) = split (/\//, $ccdroutehash{$key}[$oldiroute]);
3701 if (&General::IpInSubnet ($ip1,$ip2,$cidr2)){
3702 $errormessage=$errormessage.$Lang::tr{'ccd err irouteexist'};
3703 goto VPNCONF_ERROR;
3704 }
3705
8c877a82
AM		 3706 }
3707 }
5068ac38
AM		 3708 if (!&General::validipandmask($val)){
3709 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3710 goto VPNCONF_ERROR;
3711 }else{
3712 ($ip,$cidr) = split(/\//,$val);
3713 $ip=&General::getnetworkip($ip,&General::iporsubtocidr($cidr));
3714 $cidr=&General::iporsubtodec($cidr);
3715 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3716
3717 }
8c877a82
AM		 3718
3719 #check for existing network IP's
52d08bcb
AM		 3720 if (&General::IpInSubnet ($ip,$netsettings{GREEN_NETADDRESS},$netsettings{GREEN_NETMASK}) && $netsettings{GREEN_NETADDRESS} ne '0.0.0.0')
3721 {
3722 $errormessage=$Lang::tr{'ccd err green'};
3723 goto VPNCONF_ERROR;
3724 }elsif(&General::IpInSubnet ($ip,$netsettings{RED_NETADDRESS},$netsettings{RED_NETMASK}) && $netsettings{RED_NETADDRESS} ne '0.0.0.0')
3725 {
3726 $errormessage=$Lang::tr{'ccd err red'};
3727 goto VPNCONF_ERROR;
3728 }elsif(&General::IpInSubnet ($ip,$netsettings{BLUE_NETADDRESS},$netsettings{BLUE_NETMASK}) && $netsettings{BLUE_NETADDRESS} ne '0.0.0.0' && $netsettings{BLUE_NETADDRESS} gt '')
3729 {
3730 $errormessage=$Lang::tr{'ccd err blue'};
3731 goto VPNCONF_ERROR;
3732 }elsif(&General::IpInSubnet ($ip,$netsettings{ORANGE_NETADDRESS},$netsettings{ORANGE_NETMASK}) && $netsettings{ORANGE_NETADDRESS} ne '0.0.0.0' && $netsettings{ORANGE_NETADDRESS} gt '' )
3733 {
3734 $errormessage=$Lang::tr{'ccd err orange'};
8c877a82
AM		 3735 goto VPNCONF_ERROR;
3736 }
52d08bcb 3737
8c877a82
AM		 3738 if (&General::validipandmask($val)){
3739 $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr;
3740 }else{
3741 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($ip/$cidr)";
3742 goto VPNCONF_ERROR;
3743 }
3744 $i++;
3745 }
3746 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3747 &writeserverconf;
3748 }else{
3749 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3750 foreach my $key (keys %ccdroutehash) {
3751 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) {
3752 delete $ccdroutehash{$key};
3753 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3754 &writeserverconf;
3755 }
3756 }
3757 }
3758 undef @temp;
3759 #check route field and convert it to decimal
8c877a82
AM		 3760 my $val=0;
3761 my $i=1;
8c877a82 3762 &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
52d08bcb
AM		 3763 #find key to use
3764 foreach my $key (keys %ccdroute2hash) {
3765 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
3766 $keypoint=$key;
3767 delete $ccdroute2hash{$key};
3768 }else{
3769 $keypoint = &General::findhasharraykey (\%ccdroute2hash);
3770 &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
3771 &writeserverconf;
8c877a82 3772 }
52d08bcb
AM		 3773 }
3774 $ccdroute2hash{$keypoint}[0]=$cgiparams{'NAME'};
3775 if ($cgiparams{'IFROUTE'} eq ''){$cgiparams{'IFROUTE'} = $Lang::tr{'ccd none'};}
3776 @temp = split(/\|/,$cgiparams{'IFROUTE'});
3777 my %ownnet=();
3778 &General::readhash("${General::swroot}/ethernet/settings", \%ownnet);
3779 foreach $val (@temp){
3780 chomp($val);
3781 $val=~s/\s*$//g;
3782 if ($val eq $Lang::tr{'green'})
3783 {
3784 $val=$ownnet{GREEN_NETADDRESS}."/".$ownnet{GREEN_NETMASK};
3785 }
3786 if ($val eq $Lang::tr{'blue'})
3787 {
3788 $val=$ownnet{BLUE_NETADDRESS}."/".$ownnet{BLUE_NETMASK};
3789 }
3790 if ($val eq $Lang::tr{'orange'})
3791 {
3792 $val=$ownnet{ORANGE_NETADDRESS}."/".$ownnet{ORANGE_NETMASK};
3793 }
3794 my ($ip,$cidr) = split (/\//, $val);
3795
3796 if ($val ne $Lang::tr{'ccd none'})
3797 {
8c877a82
AM		 3798 if (! &check_routes_push($val)){$errormessage=$errormessage."Route $val ".$Lang::tr{'ccd err routeovpn2'}." ($val)";goto VPNCONF_ERROR;}
3799 if (! &check_ccdroute($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err inuse'}." ($val)" ;goto VPNCONF_ERROR;}
3800 if (! &check_ccdconf($val)){$errormessage=$errormessage."<br>Route $val ".$Lang::tr{'ccd err routeovpn'}." ($val)";goto VPNCONF_ERROR;}
3801 if (&General::validipandmask($val)){
3802 $val=$ip."/".&General::iporsubtodec($cidr);
3803 $ccdroute2hash{$keypoint}[$i] = $val;
3804 }else{
3805 $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)";
3806 goto VPNCONF_ERROR;
3807 }
52d08bcb
AM		 3808 }else{
3809 $ccdroute2hash{$keypoint}[$i]='';
3810 }
3811 $i++;
3812 }
3813 &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
3814
8c877a82
AM		 3815 #check dns1 ip
3816 if ($cgiparams{'CCD_DNS1'} ne '' && ! &General::validip($cgiparams{'CCD_DNS1'})) {
3817 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 1";
3818 goto VPNCONF_ERROR;
3819 }
3820 #check dns2 ip
3821 if ($cgiparams{'CCD_DNS2'} ne '' && ! &General::validip($cgiparams{'CCD_DNS2'})) {
3822 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp dns'}." 2";
3823 goto VPNCONF_ERROR;
3824 }
3825 #check wins ip
3826 if ($cgiparams{'CCD_WINS'} ne '' && ! &General::validip($cgiparams{'CCD_WINS'})) {
3827 $errormessage=$errormessage."<br>".$Lang::tr{'invalid input for dhcp wins'};
3828 goto VPNCONF_ERROR;
3829 }
52d08bcb 3830}
8c877a82
AM		 3831
3832#CCD End
52d08bcb 3833
8c877a82 3834
73735ad9
EK		 3835 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
3836 $errormessage = $Lang::tr{'connection type is invalid'};
3837 if ($cgiparams{'TYPE'} eq 'net') {
3838 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3839 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3840 goto VPNCONF_ERROR;
3841 }
3842 goto VPNCONF_ERROR;
c6c9630e
MT		 3843 }
3844
c6c9630e 3845 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
73735ad9
EK		 3846 $errormessage = $Lang::tr{'name must only contain characters'};
3847 if ($cgiparams{'TYPE'} eq 'net') {
3848 goto VPNCONF_ERROR;
3849 }
3850 goto VPNCONF_ERROR;
3851 }
c6c9630e
MT		 3852
3853 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
73735ad9
EK		 3854 $errormessage = $Lang::tr{'name is invalid'};
3855 if ($cgiparams{'TYPE'} eq 'net') {
3856 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3857 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3858 goto VPNCONF_ERROR;
3859 }
3860 goto VPNCONF_ERROR;
c6c9630e
MT		 3861 }
3862
3863 if (length($cgiparams{'NAME'}) >60) {
73735ad9
EK		 3864 $errormessage = $Lang::tr{'name too long'};
3865 if ($cgiparams{'TYPE'} eq 'net') {
3866 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3867 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3868 goto VPNCONF_ERROR;
3869 }
3870 goto VPNCONF_ERROR;
c6c9630e
MT		 3871 }
3872
d96c89eb 3873###
7c1d9faf 3874# m.a.d net2net
d96c89eb
AH		 3875###
3876
7c1d9faf 3877if ($cgiparams{'TYPE'} eq 'net') {
ab4cf06c 3878 if ($cgiparams{'DEST_PORT'} eq $vpnsettings{'DDEST_PORT'}) {
cd0c0a0d 3879 $errormessage = $Lang::tr{'openvpn destination port used'};
b278daf3
AH		 3880 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3881 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3882 goto VPNCONF_ERROR;
d96c89eb 3883 }
ab4cf06c
AM		 3884 #Bugfix 10357
3885 foreach my $key (sort keys %confighash){
3886 if ( ($confighash{$key}[22] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1]) || ($confighash{$key}[29] eq $cgiparams{'DEST_PORT'} && $cgiparams{'NAME'} ne $confighash{$key}[1])){
54fd0535
MT		 3887 $errormessage = $Lang::tr{'openvpn destination port used'};
3888 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3889 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
ab4cf06c
AM		 3890 goto VPNCONF_ERROR;
3891 }
3892 }
3893 if ($cgiparams{'DEST_PORT'} eq '') {
3894 $errormessage = $Lang::tr{'invalid port'};
3895 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3896 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
54fd0535
MT		 3897 goto VPNCONF_ERROR;
3898 }
d96c89eb 3899
f48074ba
SS		 3900 # Check if the input for the transfer net is valid.
3901 if (!&General::validipandmask($cgiparams{'OVPN_SUBNET'})){
3902 $errormessage = $Lang::tr{'ccd err invalidnet'};
3903 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3904 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3905 goto VPNCONF_ERROR;
3906 }
3907
d96c89eb 3908 if ($cgiparams{'OVPN_SUBNET'} eq $vpnsettings{'DOVPN_SUBNET'}) {
cd0c0a0d 3909 $errormessage = $Lang::tr{'openvpn subnet is used'};
b278daf3
AH		 3910 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3911 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3912 goto VPNCONF_ERROR;
3913 }
3914
3915 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'MSSFIX'} eq 'on')) {
cd0c0a0d 3916 $errormessage = $Lang::tr{'openvpn mssfix allowed with udp'};
b278daf3
AH		 3917 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3918 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3919 goto VPNCONF_ERROR;
3920 }
3921
3922 if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'FRAGMENT'} ne '')) {
cd0c0a0d 3923 $errormessage = $Lang::tr{'openvpn fragment allowed with udp'};
b278daf3
AH		 3924 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3925 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
d96c89eb
AH		 3926 goto VPNCONF_ERROR;
3927 }
d96c89eb 3928
7c1d9faf 3929 if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
cd0c0a0d 3930 $errormessage = $Lang::tr{'openvpn prefix local subnet'};
b278daf3
AH		 3931 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3932 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3933 goto VPNCONF_ERROR;
7c1d9faf
AH		 3934 }
3935
3936 if ( &validdotmask ($cgiparams{'OVPN_SUBNET'})) {
cd0c0a0d 3937 $errormessage = $Lang::tr{'openvpn prefix openvpn subnet'};
b278daf3
AH		 3938 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3939 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3940 goto VPNCONF_ERROR;
7c1d9faf
AH		 3941 }
3942
3943 if ( &validdotmask ($cgiparams{'REMOTE_SUBNET'})) {
cd0c0a0d 3944 $errormessage = $Lang::tr{'openvpn prefix remote subnet'};
b278daf3
AH		 3945 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3946 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3947 goto VPNCONF_ERROR;
8c252e6a
EK		 3948 }
3949
3950 if ($cgiparams{'DEST_PORT'} <= 1023) {
3951 $errormessage = $Lang::tr{'ovpn port in root range'};
3952 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3953 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3954 goto VPNCONF_ERROR;
3955 }
54fd0535 3956
4c962356 3957 if ($cgiparams{'OVPN_MGMT'} eq '') {
8c252e6a
EK		 3958 $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'};
3959 }
3960
3961 if ($cgiparams{'OVPN_MGMT'} <= 1023) {
3962 $errormessage = $Lang::tr{'ovpn mgmt in root range'};
3963 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3964 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3965 goto VPNCONF_ERROR;
b2e75449
MT		 3966 }
3967 #Check if remote subnet is used elsewhere
3968 my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'});
3969 $warnmessage=&General::checksubnets('',$n2nip,'ovpn');
3970 if ($warnmessage){
3971 $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) <br>".$warnmessage;
3972 }
7c1d9faf 3973}
d96c89eb 3974
ce9abb66
AH		 3975# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
3976# $errormessage = $Lang::tr{'ipfire side is invalid'};
3977# goto VPNCONF_ERROR;
3978# }
3979
c6c9630e
MT		 3980 # Check if there is no other entry with this name
3981 if (! $cgiparams{'KEY'}) {
3982 foreach my $key (keys %confighash) {
3983 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
3984 $errormessage = $Lang::tr{'a connection with this name already exists'};
b278daf3
AH		 3985 if ($cgiparams{'TYPE'} eq 'net') {
3986 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
3987 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
3988 }
c6c9630e 3989 goto VPNCONF_ERROR;
6e13d0a5 3990 }
c6c9630e
MT		 3991 }
3992 }
3993
c125d8a2 3994 # Check if a remote host/IP has been set for the client.
86228a56
MT		 3995 if ($cgiparams{'TYPE'} eq 'net') {
3996 if ($cgiparams{'SIDE'} ne 'server' && $cgiparams{'REMOTE'} eq '') {
3997 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 3998
86228a56
MT		 3999 # Check if this is a N2N connection and drop temporary config.
4000 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4001 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
ce9abb66 4002
86228a56
MT		 4003 goto VPNCONF_ERROR;
4004 }
c125d8a2 4005
86228a56
MT		 4006 # Check if a remote host/IP has been configured - the field can be empty on the server side.
4007 if ($cgiparams{'REMOTE'} ne '') {
4008 # Check if the given IP is valid - otherwise check if it is a valid domain.
4009 if (! &General::validip($cgiparams{'REMOTE'})) {
4010 # Check for a valid domain.
4011 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
4012 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
c125d8a2 4013
86228a56
MT		 4014 # Check if this is a N2N connection and drop temporary config.
4015 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4016 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
c125d8a2 4017
86228a56
MT		 4018 goto VPNCONF_ERROR;
4019 }
4020 }
6e13d0a5 4021 }
c6c9630e 4022 }
c125d8a2 4023
c6c9630e
MT		 4024 if ($cgiparams{'TYPE'} ne 'host') {
4025 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
4026 $errormessage = $Lang::tr{'local subnet is invalid'};
b278daf3
AH		 4027 if ($cgiparams{'TYPE'} eq 'net') {
4028 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4029 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4030 }
c6c9630e
MT		 4031 goto VPNCONF_ERROR;}
4032 }
4033 # Check if there is no other entry without IP-address and PSK
4034 if ($cgiparams{'REMOTE'} eq '') {
4035 foreach my $key (keys %confighash) {
4036 if(($cgiparams{'KEY'} ne $key) &&
4037 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
4038 $confighash{$key}[10] eq '') {
4039 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
4040 goto VPNCONF_ERROR;
6e13d0a5 4041 }
c6c9630e
MT		 4042 }
4043 }
ce9abb66
AH		 4044 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
4045 $errormessage = $Lang::tr{'remote subnet is invalid'};
b278daf3
AH		 4046 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4047 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4048 goto VPNCONF_ERROR;
ce9abb66 4049 }
c6c9630e 4050
425465ed
EK		 4051 # Check for N2N that OpenSSL maximum of valid days will not be exceeded
4052 if ($cgiparams{'TYPE'} eq 'net') {
4053 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4054 $errormessage = $Lang::tr{'invalid input for valid till days'};
4055 unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
4056 rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
4057 goto VPNCONF_ERROR;
4058 }
4059 }
4060
c6c9630e
MT		 4061 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
4062 $errormessage = $Lang::tr{'invalid input'};
4063 goto VPNCONF_ERROR;
4064 }
4065 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
4066 $errormessage = $Lang::tr{'invalid input'};
4067 goto VPNCONF_ERROR;
4068 }
4069
4070#fixplausi
4071 if ($cgiparams{'AUTH'} eq 'psk') {
4072# if (! length($cgiparams{'PSK'}) ) {
4073# $errormessage = $Lang::tr{'pre-shared key is too short'};
4074# goto VPNCONF_ERROR;
4075# }
4076# if ($cgiparams{'PSK'} =~ /['",&]/) {
4077# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
4078# goto VPNCONF_ERROR;
4079# }
4080 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
4081 if ($cgiparams{'KEY'}) {
4082 $errormessage = $Lang::tr{'cant change certificates'};
4083 goto VPNCONF_ERROR;
4084 }
2ad1b18b 4085 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 4086 $errormessage = $Lang::tr{'there was no file upload'};
4087 goto VPNCONF_ERROR;
4088 }
4089
4090 # Move uploaded certificate request to a temporary file
4091 (my $fh, my $filename) = tempfile( );
4092 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4093 $errormessage = $!;
4094 goto VPNCONF_ERROR;
4095 }
6e13d0a5 4096
c6c9630e
MT		 4097 # Sign the certificate request and move it
4098 # Sign the host certificate request
2feacd98 4099 # The system call is safe, because all arguments are passed as an array.
f6e12093 4100 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
c6c9630e
MT		 4101 '-batch', '-notext',
4102 '-in', $filename,
4103 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4104 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4105 if ($?) {
4106 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4107 unlink ($filename);
4108 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4109 &newcleanssldatabase();
4110 goto VPNCONF_ERROR;
4111 } else {
4112 unlink ($filename);
4113 &deletebackupcert();
4114 }
4115
2feacd98
SS		 4116 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4117 my $temp;
4118
4119 foreach my $line (@temp) {
4120 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4121 $temp = $1;
4122 $temp =~ s+/Email+, E+;
4123 $temp =~ s/ ST=/ S=/;
4124
4125 last;
4126 }
4127 }
4128
c6c9630e
MT		 4129 $cgiparams{'CERT_NAME'} = $temp;
4130 $cgiparams{'CERT_NAME'} =~ s/,//g;
4131 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4132 if ($cgiparams{'CERT_NAME'} eq '') {
4133 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4134 goto VPNCONF_ERROR;
4135 }
4136 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
4137 if ($cgiparams{'KEY'}) {
4138 $errormessage = $Lang::tr{'cant change certificates'};
4139 goto VPNCONF_ERROR;
4140 }
2ad1b18b 4141 unless (ref ($cgiparams{'FH'})) {
c6c9630e
MT		 4142 $errormessage = $Lang::tr{'there was no file upload'};
4143 goto VPNCONF_ERROR;
4144 }
4145 # Move uploaded certificate to a temporary file
4146 (my $fh, my $filename) = tempfile( );
4147 if (copy ($cgiparams{'FH'}, $fh) != 1) {
4148 $errormessage = $!;
4149 goto VPNCONF_ERROR;
4150 }
4151
4152 # Verify the certificate has a valid CA and move it
4153 my $validca = 0;
2feacd98
SS		 4154 my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/cacert.pem", "$filename");
4155 if (grep(/: OK/, @test)) {
c6c9630e
MT		 4156 $validca = 1;
4157 } else {
4158 foreach my $key (keys %cahash) {
2feacd98
SS		 4159 @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem", "$filename");
4160 if (grep(/: OK/, @test)) {
c6c9630e
MT		 4161 $validca = 1;
4162 }
6e13d0a5 4163 }
c6c9630e
MT		 4164 }
4165 if (! $validca) {
4166 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
4167 unlink ($filename);
4168 goto VPNCONF_ERROR;
4169 } else {
cc79d281 4170 unless(move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem")) {
c6c9630e
MT		 4171 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
4172 unlink ($filename);
4173 goto VPNCONF_ERROR;
6e13d0a5 4174 }
c6c9630e
MT		 4175 }
4176
2feacd98
SS		 4177 my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4178 my $temp;
4179
4180 foreach my $line (@temp) {
4181 if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) {
4182 $temp = $1;
4183 $temp =~ s+/Email+, E+;
4184 $temp =~ s/ ST=/ S=/;
4185
4186 last;
4187 }
4188 }
4189
c6c9630e
MT		 4190 $cgiparams{'CERT_NAME'} = $temp;
4191 $cgiparams{'CERT_NAME'} =~ s/,//g;
4192 $cgiparams{'CERT_NAME'} =~ s/\'//g;
4193 if ($cgiparams{'CERT_NAME'} eq '') {
4194 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4195 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
4196 goto VPNCONF_ERROR;
4197 }
4198 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
4199 if ($cgiparams{'KEY'}) {
4200 $errormessage = $Lang::tr{'cant change certificates'};
4201 goto VPNCONF_ERROR;
4202 }
4203 # Validate input since the form was submitted
4204 if (length($cgiparams{'CERT_NAME'}) >60) {
4205 $errormessage = $Lang::tr{'name too long'};
4206 goto VPNCONF_ERROR;
4207 }
194314b2 4208 if ($cgiparams{'CERT_NAME'} eq '' || $cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
c6c9630e
MT		 4209 $errormessage = $Lang::tr{'invalid input for name'};
4210 goto VPNCONF_ERROR;
4211 }
4212 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
4213 $errormessage = $Lang::tr{'invalid input for e-mail address'};
4214 goto VPNCONF_ERROR;
4215 }
4216 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
4217 $errormessage = $Lang::tr{'e-mail address too long'};
4218 goto VPNCONF_ERROR;
4219 }
4220 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4221 $errormessage = $Lang::tr{'invalid input for department'};
4222 goto VPNCONF_ERROR;
4223 }
4224 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
4225 $errormessage = $Lang::tr{'organization too long'};
4226 goto VPNCONF_ERROR;
4227 }
4228 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
4229 $errormessage = $Lang::tr{'invalid input for organization'};
4230 goto VPNCONF_ERROR;
4231 }
4232 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4233 $errormessage = $Lang::tr{'invalid input for city'};
4234 goto VPNCONF_ERROR;
4235 }
4236 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
4237 $errormessage = $Lang::tr{'invalid input for state or province'};
4238 goto VPNCONF_ERROR;
4239 }
4240 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
4241 $errormessage = $Lang::tr{'invalid input for country'};
4242 goto VPNCONF_ERROR;
4243 }
4244 if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
4245 if (length($cgiparams{'CERT_PASS1'}) < 5) {
4246 $errormessage = $Lang::tr{'password too short'};
4247 goto VPNCONF_ERROR;
6e13d0a5 4248 }
c6c9630e
MT		 4249 }
4250 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
4251 $errormessage = $Lang::tr{'passwords do not match'};
4252 goto VPNCONF_ERROR;
4253 }
425465ed 4254 if ($cgiparams{'DAYS_VALID'} eq '' && $cgiparams{'DAYS_VALID'} !~ /^[0-9]+$/) {
f4fbb935
EK		 4255 $errormessage = $Lang::tr{'invalid input for valid till days'};
4256 goto VPNCONF_ERROR;
4257 }
c6c9630e 4258
425465ed
EK		 4259 # Check for RW that OpenSSL maximum of valid days will not be exceeded
4260 if ($cgiparams{'TYPE'} eq 'host') {
4261 if ($cgiparams{'DAYS_VALID'} >= '999999') {
4262 $errormessage = $Lang::tr{'invalid input for valid till days'};
4263 goto VPNCONF_ERROR;
4264 }
4265 }
4266
beac479f
EK		 4267 # Check for RW if client name is already set
4268 if ($cgiparams{'TYPE'} eq 'host') {
4269 foreach my $key (keys %confighash) {
4270 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
4271 $errormessage = $Lang::tr{'a connection with this name already exists'};
4272 goto VPNCONF_ERROR;
4273 }
4274 }
4275 }
4276
c6c9630e
MT		 4277 # Replace empty strings with a .
4278 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
4279 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
4280 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
4281
4282 # Create the Host certificate request client
4283 my $pid = open(OPENSSL, "|-");
4284 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
4285 if ($pid) { # parent
4286 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
4287 print OPENSSL "$state\n";
4288 print OPENSSL "$city\n";
4289 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
4290 print OPENSSL "$ou\n";
4291 print OPENSSL "$cgiparams{'CERT_NAME'}\n";
4292 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
4293 print OPENSSL ".\n";
4294 print OPENSSL ".\n";
4295 close (OPENSSL);
4296 if ($?) {
4297 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4298 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
4299 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
4300 goto VPNCONF_ERROR;
6e13d0a5 4301 }
c6c9630e 4302 } else { # child
badd8c1c 4303 unless (exec ('/usr/bin/openssl', 'req', '-nodes',
4c962356 4304 '-newkey', 'rsa:2048',
c6c9630e
MT		 4305 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
4306 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4307 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
4308 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
4309 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4310 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4311 goto VPNCONF_ERROR;
6e13d0a5 4312 }
c6c9630e
MT		 4313 }
4314
4315 # Sign the host certificate request
2feacd98 4316 # The system call is safe, because all arguments are passed as an array.
f6e12093 4317 system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
c6c9630e
MT		 4318 '-batch', '-notext',
4319 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
4320 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4321 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
4322 if ($?) {
4323 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4324 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4325 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4326 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4327 &newcleanssldatabase();
4328 goto VPNCONF_ERROR;
4329 } else {
4330 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
4331 &deletebackupcert();
4332 }
4333
4334 # Create the pkcs12 file
2feacd98 4335 # The system call is safe, because all arguments are passed as an array.
c6c9630e
MT		 4336 system('/usr/bin/openssl', 'pkcs12', '-export',
4337 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
4338 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
4339 '-name', $cgiparams{'NAME'},
4340 '-passout', "pass:$cgiparams{'CERT_PASS1'}",
4341 '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
4342 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
4343 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
4344 if ($?) {
4345 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
4346 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4347 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
4348 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
4349 goto VPNCONF_ERROR;
4350 } else {
4351 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
4352 }
4353 } elsif ($cgiparams{'AUTH'} eq 'cert') {
4354 ;# Nothing, just editing
4355 } else {
4356 $errormessage = $Lang::tr{'invalid input for authentication method'};
4357 goto VPNCONF_ERROR;
4358 }
4359
4360 # Check if there is no other entry with this common name
4361 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
4362 foreach my $key (keys %confighash) {
4363 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
4364 $errormessage = $Lang::tr{'a connection with this common name already exists'};
4365 goto VPNCONF_ERROR;
6e13d0a5 4366 }
c6c9630e
MT		 4367 }
4368 }
4369
ab4cf06c 4370 # Save the config
c6c9630e 4371 my $key = $cgiparams{'KEY'};
8c877a82 4372
c6c9630e
MT		 4373 if (! $key) {
4374 $key = &General::findhasharraykey (\%confighash);
49abe7af 4375 foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";}
c6c9630e 4376 }
8c877a82
AM		 4377 $confighash{$key}[0] = $cgiparams{'ENABLED'};
4378 $confighash{$key}[1] = $cgiparams{'NAME'};
c6c9630e 4379 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
8c877a82 4380 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
c6c9630e 4381 }
8c877a82
AM		 4382
4383 $confighash{$key}[3] = $cgiparams{'TYPE'};
c6c9630e 4384 if ($cgiparams{'AUTH'} eq 'psk') {
8c877a82
AM		 4385 $confighash{$key}[4] = 'psk';
4386 $confighash{$key}[5] = $cgiparams{'PSK'};
c6c9630e 4387 } else {
8c877a82 4388 $confighash{$key}[4] = 'cert';
c6c9630e 4389 }
ce9abb66 4390 if ($cgiparams{'TYPE'} eq 'net') {
8c877a82
AM		 4391 $confighash{$key}[6] = $cgiparams{'SIDE'};
4392 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
ce9abb66 4393 }
4c962356 4394 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
8c877a82 4395 $confighash{$key}[10] = $cgiparams{'REMOTE'};
4c962356 4396 if ($cgiparams{'OVPN_MGMT'} eq '') {
8c877a82 4397 $confighash{$key}[22] = $confighash{$key}[29];
4c962356 4398 } else {
8c877a82 4399 $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'};
4c962356 4400 }
8c877a82
AM		 4401 $confighash{$key}[23] = $cgiparams{'MSSFIX'};
4402 $confighash{$key}[24] = $cgiparams{'FRAGMENT'};
4403 $confighash{$key}[25] = $cgiparams{'REMARK'};
4404 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
c6c9630e 4405# new fields
8c877a82
AM		 4406 $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
4407 $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
4408 $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
4409 $confighash{$key}[30] = $cgiparams{'COMPLZO'};
4410 $confighash{$key}[31] = $cgiparams{'MTU'};
4411 $confighash{$key}[32] = $cgiparams{'CHECK1'};
df9b48b7 4412 $name=$cgiparams{'CHECK1'};
8c877a82
AM		 4413 $confighash{$key}[33] = $cgiparams{$name};
4414 $confighash{$key}[34] = $cgiparams{'RG'};
4415 $confighash{$key}[35] = $cgiparams{'CCD_DNS1'};
4416 $confighash{$key}[36] = $cgiparams{'CCD_DNS2'};
4417 $confighash{$key}[37] = $cgiparams{'CCD_WINS'};
4c962356
EK		 4418 $confighash{$key}[39] = $cgiparams{'DAUTH'};
4419 $confighash{$key}[40] = $cgiparams{'DCIPHER'};
350f2980 4420
71af643c
MT		 4421 if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
4422 $confighash{$key}[41] = "no-pass";
4423 }
4424
c6c9630e 4425 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
8c877a82
AM		 4426
4427 if ($cgiparams{'CHECK1'} ){
4428
4429 my ($ccdip,$ccdsub)=split "/",$cgiparams{$name};
4430 my ($a,$b,$c,$d) = split (/\./,$ccdip);
df9b48b7
AM		 4431 if ( -e "${General::swroot}/ovpn/ccd/$confighash{$key}[2]"){
4432 unlink "${General::swroot}/ovpn/ccd/$cgiparams{'CERT_NAME'}";
4433 }
8c877a82 4434 open ( CCDRWCONF,'>',"${General::swroot}/ovpn/ccd/$confighash{$key}[2]") or die "Unable to create clientconfigfile $!";
82c809c7 4435 print CCDRWCONF "# OpenVPN clientconfig from ccd extension by Copymaster#\n\n";
8c877a82
AM		 4436 if($cgiparams{'CHECK1'} eq 'dynamic'){
4437 print CCDRWCONF "#This client uses the dynamic pool\n";
4438 }else{
82c809c7 4439 print CCDRWCONF "#Ip address client and server\n";
8c877a82
AM		 4440 print CCDRWCONF "ifconfig-push $ccdip ".&General::getlastip($ccdip,1)."\n";
4441 }
4442 if ($confighash{$key}[34] eq 'on'){
4443 print CCDRWCONF "\n#Redirect Gateway: \n#All IP traffic is redirected through the vpn \n";
4444 print CCDRWCONF "push redirect-gateway\n";
4445 }
52d08bcb 4446 &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
8c877a82 4447 if ($cgiparams{'IR'} ne ''){
82c809c7 4448 print CCDRWCONF "\n#Client routes these networks (behind Client)\n";
8c877a82
AM		 4449 foreach my $key (keys %ccdroutehash){
4450 if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}){
4451 foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){
4452 my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]);
4453 print CCDRWCONF "iroute $a $b\n";
4454 }
4455 }
4456 }
4457 }
52d08bcb 4458 if ($cgiparams{'IFROUTE'} eq $Lang::tr{'ccd none'} ){$cgiparams{'IFROUTE'}='';}
8c877a82 4459 if ($cgiparams{'IFROUTE'} ne ''){
82c809c7 4460 print CCDRWCONF "\n#Client gets routes to these networks (behind IPFire)\n";
8c877a82
AM		 4461 foreach my $key (keys %ccdroute2hash){
4462 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
4463 foreach my $i ( 1 .. $#{$ccdroute2hash{$key}}){
4464 if($ccdroute2hash{$key}[$i] eq $Lang::tr{'blue'}){
4465 my %blue=();
4466 &General::readhash("${General::swroot}/ethernet/settings", \%blue);
52d08bcb 4467 print CCDRWCONF "push \"route $blue{BLUE_ADDRESS} $blue{BLUE_NETMASK}\n";
8c877a82
AM		 4468 }elsif($ccdroute2hash{$key}[$i] eq $Lang::tr{'orange'}){
4469 my %orange=();
4470 &General::readhash("${General::swroot}/ethernet/settings", \%orange);
4471 print CCDRWCONF "push \"route $orange{ORANGE_ADDRESS} $orange{ORANGE_NETMASK}\n";
4472 }else{
4473 my ($a,$b)=split (/\//,$ccdroute2hash{$key}[$i]);
4474 print CCDRWCONF "push \"route $a $b\"\n";
4475 }
4476 }
4477 }
4478 }
4479 }
4480 if(($cgiparams{'CCD_DNS1'} eq '') && ($cgiparams{'CCD_DNS1'} ne '')){ $cgiparams{'CCD_DNS1'} = $cgiparams{'CCD_DNS2'};$cgiparams{'CCD_DNS2'}='';}
4481 if($cgiparams{'CCD_DNS1'} ne ''){
82c809c7 4482 print CCDRWCONF "\n#Client gets these nameservers\n";
8c877a82
AM		 4483 print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS1'}\" \n";
4484 }
4485 if($cgiparams{'CCD_DNS2'} ne ''){
4486 print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS2'}\" \n";
4487 }
4488 if($cgiparams{'CCD_WINS'} ne ''){
4489 print CCDRWCONF "\n#Client gets this WINS server\n";
4490 print CCDRWCONF "push \"dhcp-option WINS $cgiparams{'CCD_WINS'}\" \n";
4491 }
4492 close CCDRWCONF;
4493 }
18837a6a
AH		 4494
4495###
4496# m.a.d n2n begin
4497###
4498
4499 if ($cgiparams{'TYPE'} eq 'net') {
4500
2feacd98
SS		 4501 if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
4502 &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]");
18837a6a 4503
2feacd98
SS		 4504 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
4505 my $key = $cgiparams{'KEY'};
4506 if (! $key) {
4507 $key = &General::findhasharraykey (\%confighash);
4508 foreach my $i (0 .. 31) {
4509 $confighash{$key}[$i] = "";
4510 }
4511 }
4512
4513 $confighash{$key}[0] = 'on';
4514 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
18837a6a 4515
2feacd98
SS		 4516 &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]");
4517 }
4518 }
18837a6a
AH		 4519
4520###
4521# m.a.d n2n end
4522###
4523
c6c9630e
MT		 4524 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
4525 $cgiparams{'KEY'} = $key;
4526 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
4527 }
4528 goto VPNCONF_END;
6e13d0a5 4529 } else {
c6c9630e 4530 $cgiparams{'ENABLED'} = 'on';
54fd0535
MT		 4531###
4532# m.a.d n2n begin
4533###
4534 $cgiparams{'MSSFIX'} = 'on';
4535 $cgiparams{'FRAGMENT'} = '1300';
70900745 4536 $cgiparams{'DAUTH'} = 'SHA512';
54fd0535
MT		 4537###
4538# m.a.d n2n end
4539###
4c962356 4540 $cgiparams{'SIDE'} = 'left';
c6c9630e
MT		 4541 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
4542 $cgiparams{'AUTH'} = 'psk';
4543 } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
4544 $cgiparams{'AUTH'} = 'certfile';
4545 } else {
6e13d0a5 4546 $cgiparams{'AUTH'} = 'certgen';
c6c9630e
MT		 4547 }
4548 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
4549 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
4550 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
4551 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
4552 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
c0a7c9b2 4553 $cgiparams{'DAYS_VALID'} = $vpnsettings{'DAYS_VALID'} = '730';
6e13d0a5 4554 }
c6c9630e 4555
6e13d0a5 4556 VPNCONF_ERROR:
6e13d0a5
MT		 4557 $checked{'ENABLED'}{'off'} = '';
4558 $checked{'ENABLED'}{'on'} = '';
4559 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
4560 $checked{'ENABLED_BLUE'}{'off'} = '';
4561 $checked{'ENABLED_BLUE'}{'on'} = '';
4562 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
4563 $checked{'ENABLED_ORANGE'}{'off'} = '';
4564 $checked{'ENABLED_ORANGE'}{'on'} = '';
4565 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
c6c9630e
MT		 4566
4567
6e13d0a5
MT		 4568 $checked{'EDIT_ADVANCED'}{'off'} = '';
4569 $checked{'EDIT_ADVANCED'}{'on'} = '';
4570 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
c6c9630e 4571
6e13d0a5
MT		 4572 $selected{'SIDE'}{'server'} = '';
4573 $selected{'SIDE'}{'client'} = '';
4574 $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
d96c89eb
AH		 4575
4576 $selected{'PROTOCOL'}{'udp'} = '';
4577 $selected{'PROTOCOL'}{'tcp'} = '';
4578 $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED';
4579
c6c9630e 4580
6e13d0a5
MT		 4581 $checked{'AUTH'}{'psk'} = '';
4582 $checked{'AUTH'}{'certreq'} = '';
4583 $checked{'AUTH'}{'certgen'} = '';
4584 $checked{'AUTH'}{'certfile'} = '';
4585 $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
c6c9630e 4586
6e13d0a5 4587 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
c6c9630e 4588
6e13d0a5
MT		 4589 $checked{'COMPLZO'}{'off'} = '';
4590 $checked{'COMPLZO'}{'on'} = '';
4591 $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
c6c9630e 4592
d96c89eb
AH		 4593 $checked{'MSSFIX'}{'off'} = '';
4594 $checked{'MSSFIX'}{'on'} = '';
4595 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
4596
52f61e49
EKD		 4597 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
4598 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
4599 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4c962356
EK		 4600 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
4601 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
4602 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
4603 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
4604 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
4605 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
4606 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4607 $selected{'DCIPHER'}{'SEED-CBC'} = '';
4608 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
4609 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
4610 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
4611 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 4612 $selected{'DCIPHER'}{'DES-CBC'} = '';
49abe7af
EK		 4613 # If no cipher has been chossen yet, select
4614 # the old default (AES-256-CBC) for compatiblity reasons.
4615 if ($cgiparams{'DCIPHER'} eq '') {
4616 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
4617 }
4c962356 4618 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
49abe7af
EK		 4619 $selected{'DAUTH'}{'whirlpool'} = '';
4620 $selected{'DAUTH'}{'SHA512'} = '';
4621 $selected{'DAUTH'}{'SHA384'} = '';
4622 $selected{'DAUTH'}{'SHA256'} = '';
4623 $selected{'DAUTH'}{'SHA1'} = '';
49abe7af 4624 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
0c4ffc69
EK		 4625 $checked{'TLSAUTH'}{'off'} = '';
4626 $checked{'TLSAUTH'}{'on'} = '';
4627 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
49abe7af 4628
6e13d0a5
MT		 4629 if (1) {
4630 &Header::showhttpheaders();
4c962356 4631 &Header::openpage($Lang::tr{'ovpn'}, 1, '');
6e13d0a5
MT		 4632 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
4633 if ($errormessage) {
4634 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
4635 print "<class name='base'>$errormessage";
4636 print "&nbsp;</class>";
4637 &Header::closebox();
4638 }
c6c9630e 4639
6e13d0a5
MT		 4640 if ($warnmessage) {
4641 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
4642 print "<class name='base'>$warnmessage";
4643 print "&nbsp;</class>";
4644 &Header::closebox();
4645 }
c6c9630e 4646
6e13d0a5 4647 print "<form method='post' enctype='multipart/form-data'>";
ce9abb66 4648 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
c6c9630e 4649
6e13d0a5
MT		 4650 if ($cgiparams{'KEY'}) {
4651 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
4652 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
6e13d0a5 4653 }
c6c9630e 4654
6e13d0a5 4655 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
8c877a82 4656 print "<table width='100%' border='0'>\n";
4c962356 4657
e3edceeb 4658 print "<tr><td width='14%' class='boldbase'>$Lang::tr{'name'}:&nbsp;<img src='/blob.gif' alt='*' /></td>";
8c877a82 4659
ce9abb66 4660 if ($cgiparams{'TYPE'} eq 'host') {
6e13d0a5 4661 if ($cgiparams{'KEY'}) {
8c877a82 4662 print "<td width='35%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
6e13d0a5
MT		 4663 } else {
4664 print "<td width='35%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
4665 }
c6c9630e
MT		 4666# print "<tr><td>$Lang::tr{'interface'}</td>";
4667# print "<td><select name='INTERFACE'>";
4668# print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
4c962356
EK		 4669# if ($netsettings{'BLUE_DEV'} ne '') {
4670# print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>";
4671# }
4672# print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
4673# print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
4674# print "</select></td></tr>";
4675# print <<END;
ce9abb66
AH		 4676 } else {
4677 print "<input type='hidden' name='INTERFACE' value='red' />";
4678 if ($cgiparams{'KEY'}) {
4679 print "<td width='25%' class='base' nowrap='nowrap'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
4680 } else {
4681 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
4682 }
52f61e49
EKD		 4683
4684 # If GCM ciphers are in usage, HMAC menu is disabled
4685 my $hmacdisabled;
4686 if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
4687 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
4688 ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
4689 $hmacdisabled = "disabled='disabled'";
4690 };
4691
4c962356 4692 print <<END;
ce9abb66 4693 <td width='25%'>&nbsp;</td>
f527e53f
EK		 4694 <td width='25%'>&nbsp;</td></tr>
4695 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td>
4696 <td><select name='SIDE'>
4697 <option value='server' $selected{'SIDE'}{'server'}>$Lang::tr{'openvpn server'}</option>
4698 <option value='client' $selected{'SIDE'}{'client'}>$Lang::tr{'openvpn client'}</option>
4699 </select>
4700 </td>
4c962356 4701
f527e53f
EK		 4702 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
4703 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td>
4704 </tr>
4c962356 4705
e3edceeb 4706 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4707 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
4c962356 4708
e3edceeb 4709 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f
EK		 4710 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td>
4711 </tr>
4c962356 4712
e3edceeb 4713 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4714 <td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td>
49abe7af 4715
f527e53f
EK		 4716 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
4717 <td><select name='PROTOCOL'>
4718 <option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
4719 <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option></select></td>
4720 </tr>
4721
4722 <tr>
e3edceeb 4723 <td class='boldbase'>$Lang::tr{'destination port'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
f527e53f 4724 <td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td>
4c962356 4725
e3edceeb 4726 <td class='boldbase' nowrap='nowrap'>Management Port ($Lang::tr{'openvpn default'}: <span class="base">$Lang::tr{'destination port'}):</td>
f527e53f
EK		 4727 <td> <input type='TEXT' name='OVPN_MGMT' VALUE='$cgiparams{'OVPN_MGMT'}'size='5' /></td>
4728 </tr>
49abe7af 4729
f527e53f
EK		 4730 <tr><td colspan=4><hr /></td></tr><tr>
4731
4732 <tr>
4733 <td class'base'><b>$Lang::tr{'MTU settings'}</b></td>
4734 </tr>
49abe7af 4735
e3edceeb 4736 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}</td>
f527e53f
EK		 4737 <td><input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></td>
4738 <td colspan='2'>$Lang::tr{'openvpn default'}: udp/tcp <span class="base">1500/1400</span></td>
4739 </tr>
4c962356 4740
e3edceeb 4741 <tr><td class='boldbase' nowrap='nowrap'>fragment:</td>
f527e53f
EK		 4742 <td><input type='TEXT' name='FRAGMENT' VALUE='$cgiparams{'FRAGMENT'}'size='5' /></td>
4743 <td>$Lang::tr{'openvpn default'}: <span class="base">1300</span></td>
4744 </tr>
4c962356 4745
e3edceeb 4746 <tr><td class='boldbase' nowrap='nowrap'>mssfix:</td>
f527e53f
EK		 4747 <td><input type='checkbox' name='MSSFIX' $checked{'MSSFIX'}{'on'} /></td>
4748 <td>$Lang::tr{'openvpn default'}: <span class="base">on</span></td>
4749 </tr>
4c962356 4750
e3edceeb 4751 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
f527e53f
EK		 4752 <td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
4753 </tr>
2ee746be 4754
f527e53f
EK		 4755<tr><td colspan=4><hr /></td></tr><tr>
4756 <tr>
4757 <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
4758 </tr>
4759
4760 <tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
52f61e49
EKD		 4761 <td><select name='DCIPHER' id="n2ncipher" required>
4762 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
4763 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
4764 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
f527e53f
EK		 4765 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
4766 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4767 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
f7fb5bc5 4768 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
f527e53f
EK		 4769 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
4770 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
ea6dd5b0
EK		 4771 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
4772 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4773 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4774 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4775 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4776 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
f527e53f
EK		 4777 </select>
4778 </td>
4779
4780 <td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
52f61e49 4781 <td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
f527e53f
EK		 4782 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
4783 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
4784 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
4785 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
f3dfb261 4786 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
f527e53f
EK		 4787 </select>
4788 </td>
4789 </tr>
4790 <tr><td colspan=4><hr /></td></tr><tr>
4791
ce9abb66 4792END
8c877a82 4793;
ce9abb66 4794 }
52f61e49
EKD		 4795
4796#### JAVA SCRIPT ####
4797# Validate N2N cipher. If GCM will be used, HMAC menu will be disabled onchange
4798print<<END;
4799 <script>
4800 var disable_options = false;
4801 document.getElementById('n2ncipher').onchange = function () {
4802 if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
4803 document.getElementById('n2nhmac').setAttribute('disabled', true);
4804 } else {
4805 document.getElementById('n2nhmac').removeAttribute('disabled');
4806 }
4807 }
4808 </script>
4809END
4810
2ee746be 4811#jumper
e3edceeb 4812 print "<tr><td class='boldbase'>$Lang::tr{'remark title'}</td>";
8c877a82 4813 print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr></table>";
c6c9630e 4814
ce9abb66 4815 if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 4816 print "<tr><td>$Lang::tr{'enabled'} <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>";
4817 }
ce9abb66 4818
8c877a82
AM		 4819 print"</tr></table><br><br>";
4820#A.Marx CCD new client
e81be1e1 4821if ($cgiparams{'TYPE'} eq 'host') {
8c877a82 4822 print "<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td colspan='3'><hr><br><b>$Lang::tr{'ccd choose net'}</td></tr><tr><td height='20' colspan='3'></td></tr>";
8c877a82
AM		 4823 my %vpnnet=();
4824 my $vpnip;
4825 &General::readhash("${General::swroot}/ovpn/settings", \%vpnnet);
4826 $vpnip=$vpnnet{'DOVPN_SUBNET'};
4827 &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash);
4828 my @ccdconf=();
4829 my $count=0;
4830 my $checked;
4831 $checked{'check1'}{'off'} = '';
4832 $checked{'check1'}{'on'} = '';
4833 $checked{'check1'}{$cgiparams{'CHECK1'}} = 'CHECKED';
4834 print"<tr><td align='center' width='1%' valign='top'><input type='radio' name='CHECK1' value='dynamic' checked /></td><td align='left' valign='top' width='35%'>$Lang::tr{'ccd dynrange'} ($vpnip)</td><td width='30%'>";
4835 print"</td></tr></table><br><br>";
4836 my $name=$cgiparams{'CHECK1'};
4837 $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
4838
4839 if (! -z "${General::swroot}/ovpn/ccd.conf"){
4840 print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
df9b48b7 4841 foreach my $key (sort { uc($ccdconfhash{$a}[0]) cmp uc($ccdconfhash{$b}[0]) } keys %ccdconfhash) {
8c877a82
AM		 4842 $count++;
4843 @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]);
4844 if ($count % 2){print"<tr bgcolor='$color{'color22'}'>";}else{print"<tr bgcolor='$color{'color20'}'>";}
4845 print"<td align='center' width='1%'><input type='radio' name='CHECK1' value='$ccdconf[0]' $checked{'check1'}{$ccdconf[0]}/></td><td>$ccdconf[0]</td><td width='40%' align='center'>$ccdconf[1]</td><td align='left' width='10%'>";
4846 &fillselectbox($ccdconf[1],$ccdconf[0],$cgiparams{$name});
4847 print"</td></tr>";
4848 }
4849 print "</table><br><br><hr><br><br>";
4850 }
e81be1e1 4851}
8c877a82 4852# ccd end
6e13d0a5
MT		 4853 &Header::closebox();
4854 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
8c877a82
AM		 4855
4856 } elsif (! $cgiparams{'KEY'}) {
4857
4858
6e13d0a5
MT		 4859 my $disabled='';
4860 my $cakeydisabled='';
4861 my $cacrtdisabled='';
4862 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
4863 if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
8c877a82 4864
6e13d0a5 4865 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
ce9abb66
AH		 4866
4867
4868 if ($cgiparams{'TYPE'} eq 'host') {
4869
49abe7af 4870 print <<END;
6e13d0a5 4871 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
54fd0535 4872
ce9abb66
AH		 4873 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td><td class='base'>$Lang::tr{'upload a certificate request'}</td><td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
4874 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td><td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
54fd0535
MT		 4875 <tr><td colspan='3'>&nbsp;</td></tr>
4876 <tr><td colspan='3'><hr /></td></tr>
4877 <tr><td colspan='3'>&nbsp;</td></tr>
ce9abb66 4878 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
e3edceeb
LS		 4879 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4880 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4881 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4882 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4883 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4884 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4885 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
6e13d0a5 4886END
ce9abb66
AH		 4887;
4888
4889###
7c1d9faf 4890# m.a.d net2net
ce9abb66
AH		 4891###
4892
4893} else {
4894
49abe7af 4895 print <<END;
ce9abb66
AH		 4896 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
4897
4898 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td><td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
e3edceeb
LS		 4899 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users fullname or system hostname'}:&nbsp;<img src='/blob.gif' alt='*' /></td><td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
4900 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users email'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
4901 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'users department'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
4902 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'organization name'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
4903 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'city'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
4904 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'state or province'}:</td><td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
ce9abb66 4905 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'country'}:</td><td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
54fd0535
MT		 4906
4907
ce9abb66
AH		 4908END
4909;
4910
4911}
4912
4913###
7c1d9faf 4914# m.a.d net2net
ce9abb66 4915###
c6c9630e 4916
6e13d0a5
MT		 4917 foreach my $country (sort keys %{Countries::countries}) {
4918 print "<option value='$Countries::countries{$country}'";
4919 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
4920 print " selected='selected'";
4921 }
4922 print ">$country</option>";
4923 }
ce9abb66 4924###
7c1d9faf 4925# m.a.d net2net
ce9abb66
AH		 4926###
4927
4928if ($cgiparams{'TYPE'} eq 'host') {
49abe7af 4929 print <<END;
f4fbb935 4930 </select></td></tr>
425465ed 4931 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
f4fbb935
EK		 4932 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
4933 <tr><td>&nbsp;</td>
6e13d0a5
MT		 4934 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
4935 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
f4fbb935 4936 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<br>($Lang::tr{'confirmation'})</td>
6e13d0a5 4937 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
f4fbb935
EK		 4938 <tr><td colspan='3'>&nbsp;</td></tr>
4939 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 4940 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
f4fbb935 4941 </table>
ce9abb66
AH		 4942END
4943}else{
49abe7af 4944 print <<END;
f4fbb935 4945 </select></td></tr>
425465ed 4946 <td>&nbsp;</td><td class='base'>$Lang::tr{'valid till'} (days):&nbsp;<img src='/blob.gif' alt='*' /</td>
f4fbb935
EK		 4947 <td class='base' nowrap='nowrap'><input type='text' name='DAYS_VALID' value='$cgiparams{'DAYS_VALID'}' size='32' $cakeydisabled /></td></tr>
4948 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
4949 <tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td></tr>
4950 <tr><td colspan='3'><hr /></td></tr>
e3edceeb 4951 <tr><td class='base' colspan='3' align='left'><img src='/blob.gif' alt='*' />&nbsp;$Lang::tr{'required field'}</td></tr>
ce9abb66
AH		 4952 </table>
4953
c6c9630e 4954END
ce9abb66
AH		 4955}
4956
4957###
7c1d9faf 4958# m.a.d net2net
ce9abb66 4959###
c6c9630e
MT		 4960 ;
4961 &Header::closebox();
8c877a82
AM		 4962
4963 }
e81be1e1
AM		 4964
4965#A.Marx CCD new client
4966if ($cgiparams{'TYPE'} eq 'host') {
8c877a82
AM		 4967 print"<br><br>";
4968 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ccd client options'}:");
4969
8c877a82
AM		 4970
4971 print <<END;
4972 <table border='0' width='100%'>
4973 <tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
4974 <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
4975 <tr><td colspan='4'>&nbsp</td></tr>
4976 <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
4977END
4978
4979 if ($cgiparams{'IR'} ne ''){
4980 print $cgiparams{'IR'};
4981 }else{
4982 &General::readhasharray ("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
4983 foreach my $key (keys %ccdroutehash) {
4984 if( $cgiparams{'NAME'} eq $ccdroutehash{$key}[0]){
4985 foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
4986 if ($ccdroutehash{$key}[$i] ne ''){
4987 print $ccdroutehash{$key}[$i]."\n";
4988 }
4989 $cgiparams{'IR'} .= $ccdroutehash{$key}[$i];
4990 }
4991 }
4992 }
c6c9630e 4993 }
8c877a82
AM		 4994
4995 print <<END;
4996</textarea></td><td valign='top' colspan='2'>$Lang::tr{'ccd iroutehint'}</td></tr>
4997 <tr><td colspan='4'><br></td></tr>
4998 <tr><td valign='top' rowspan='3'>$Lang::tr{'ccd iroute2'}</td><td align='left' valign='top' rowspan='3'><select name='IFROUTE' style="width: 205px"; size='6' multiple>
4999END
52d08bcb
AM		 5000
5001 my $set=0;
5002 my $selorange=0;
5003 my $selblue=0;
5004 my $selgreen=0;
5005 my $helpblue=0;
5006 my $helporange=0;
5007 my $other=0;
df9b48b7 5008 my $none=0;
52d08bcb
AM		 5009 my @temp=();
5010
8c877a82 5011 our @current = ();
52d08bcb
AM		 5012 open(FILE, "${General::swroot}/main/routing") ;
5013 @current = <FILE>;
5014 close (FILE);
5015 &General::readhasharray ("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash);
df9b48b7
AM		 5016 #check for "none"
5017 foreach my $key (keys %ccdroute2hash) {
5018 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5019 if ($ccdroute2hash{$key}[1] eq ''){
5020 $none=1;
5021 last;
5022 }
5023 }
5024 }
5025 if ($none ne '1'){
5026 print"<option>$Lang::tr{'ccd none'}</option>";
5027 }else{
5028 print"<option selected>$Lang::tr{'ccd none'}</option>";
5029 }
52d08bcb
AM		 5030 #check if static routes are defined for client
5031 foreach my $line (@current) {
5032 chomp($line);
5033 $line=~s/\s*$//g; # remove newline
5034 @temp=split(/\,/,$line);
5035 $temp[1] = '' unless defined $temp[1]; # not always populated
5036 my ($a,$b) = split(/\//,$temp[1]);
5037 $temp[1] = $a."/".&General::iporsubtocidr($b);
5038 foreach my $key (keys %ccdroute2hash) {
5039 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5040 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5041 if($ccdroute2hash{$key}[$i] eq $a."/".&General::iporsubtodec($b)){
5042 $set=1;
8c877a82
AM		 5043 }
5044 }
8c877a82 5045 }
52d08bcb
AM		 5046 }
5047 if ($set == '1' && $#temp != -1){ print"<option selected>$temp[1]</option>";$set=0;}elsif($set == '0' && $#temp != -1){print"<option>$temp[1]</option>";}
5048 }
3a445974
MT		 5049
5050 my %vpnconfig = ();
5051 &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
5052 foreach my $vpn (keys %vpnconfig) {
5053 # Skip all disabled VPN connections
5054 my $enabled = $vpnconfig{$vpn}[0];
5055 next unless ($enabled eq "on");
5056
5057 my $name = $vpnconfig{$vpn}[1];
5058
5059 # Remote subnets
5060 my @networks = split(/\|/, $vpnconfig{$vpn}[11]);
5061 foreach my $network (@networks) {
5062 my $selected = "";
5063
5064 foreach my $key (keys %ccdroute2hash) {
5065 if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) {
5066 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5067 if ($ccdroute2hash{$key}[$i] eq $network) {
5068 $selected = "selected";
5069 }
5070 }
5071 }
5072 }
5073
5074 print "<option value=\"$network\" $selected>$name ($network)</option>\n";
5075 }
5076 }
5077
52d08bcb
AM		 5078 #check if green,blue,orange are defined for client
5079 foreach my $key (keys %ccdroute2hash) {
5080 if($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){
5081 $other=1;
5082 foreach my $i (1 .. $#{$ccdroute2hash{$key}}) {
5083 if ($ccdroute2hash{$key}[$i] eq $netsettings{'GREEN_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'GREEN_NETMASK'})){
5084 $selgreen=1;
5085 }
5086 if (&haveBlueNet()){
5087 if( $ccdroute2hash{$key}[$i] eq $netsettings{'BLUE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'BLUE_NETMASK'})) {
5088 $selblue=1;
5089 }
5090 }
5091 if (&haveOrangeNet()){
5092 if( $ccdroute2hash{$key}[$i] eq $netsettings{'ORANGE_NETADDRESS'}."/".&General::iporsubtodec($netsettings{'ORANGE_NETMASK'}) ) {
5093 $selorange=1;
5094 }
5095 }
5096 }
5097 }
5098 }
5099 if (&haveBlueNet() && $selblue == '1'){ print"<option selected>$Lang::tr{'blue'}</option>";$selblue=0;}elsif(&haveBlueNet() && $selblue == '0'){print"<option>$Lang::tr{'blue'}</option>";}
5100 if (&haveOrangeNet() && $selorange == '1'){ print"<option selected>$Lang::tr{'orange'}</option>";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"<option>$Lang::tr{'orange'}</option>";}
5101 if ($selgreen == '1' || $other == '0'){ print"<option selected>$Lang::tr{'green'}</option>";$set=0;}else{print"<option>$Lang::tr{'green'}</option>";};
5102
49abe7af 5103 print<<END;
8c877a82
AM		 5104 </select></td><td valign='top'>DNS1:</td><td valign='top'><input type='TEXT' name='CCD_DNS1' value='$cgiparams{'CCD_DNS1'}' size='30' /></td></tr>
5105 <tr valign='top'><td>DNS2:</td><td><input type='TEXT' name='CCD_DNS2' value='$cgiparams{'CCD_DNS2'}' size='30' /></td></tr>
5106 <tr valign='top'><td valign='top'>WINS:</td><td><input type='TEXT' name='CCD_WINS' value='$cgiparams{'CCD_WINS'}' size='30' /></td></tr></table><br><hr>
5107
5108END
5109;
5110 &Header::closebox();
e81be1e1 5111}
c6c9630e
MT		 5112 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5113 if ($cgiparams{'KEY'}) {
5114# print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
5115 }
5116 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
5117 &Header::closebigbox();
5118 &Header::closepage();
5119 exit (0);
6e13d0a5 5120 }
c6c9630e 5121 VPNCONF_END:
6e13d0a5 5122}
c6c9630e
MT		 5123
5124# SETTINGS_ERROR:
6e13d0a5
MT		 5125###
5126### Default status page
5127###
c6c9630e
MT		 5128 %cgiparams = ();
5129 %cahash = ();
5130 %confighash = ();
5131 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
5132 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
5133 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
5134
2feacd98
SS		 5135 open(FILE, "/var/run/ovpnserver.log");
5136 my @status = <FILE>;
5137 close(FILE);
c6c9630e
MT		 5138
5139 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
8c877a82
AM		 5140 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
5141 my $ipaddr = <IPADDR>;
5142 close IPADDR;
5143 chomp ($ipaddr);
5144 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
5145 if ($cgiparams{'VPN_IP'} eq '') {
5146 $cgiparams{'VPN_IP'} = $ipaddr;
5147 }
5148 }
c6c9630e
MT		 5149 }
5150
6e13d0a5 5151#default setzen
c6c9630e 5152 if ($cgiparams{'DCIPHER'} eq '') {
4c962356 5153 $cgiparams{'DCIPHER'} = 'AES-256-CBC';
c6c9630e 5154 }
c6c9630e 5155 if ($cgiparams{'DDEST_PORT'} eq '') {
4c962356 5156 $cgiparams{'DDEST_PORT'} = '1194';
c6c9630e
MT		 5157 }
5158 if ($cgiparams{'DMTU'} eq '') {
4c962356
EK		 5159 $cgiparams{'DMTU'} = '1400';
5160 }
5161 if ($cgiparams{'MSSFIX'} eq '') {
5162 $cgiparams{'MSSFIX'} = 'off';
5163 }
5164 if ($cgiparams{'DAUTH'} eq '') {
86308adb
EK		 5165 if (-z "${General::swroot}/ovpn/ovpnconfig") {
5166 $cgiparams{'DAUTH'} = 'SHA512';
5167 }
5168 foreach my $key (keys %confighash) {
5169 if ($confighash{$key}[3] ne 'host') {
5170 $cgiparams{'DAUTH'} = 'SHA512';
5171 } else {
5172 $cgiparams{'DAUTH'} = 'SHA1';
5173 }
5174 }
5175 }
0c4ffc69
EK		 5176 if ($cgiparams{'TLSAUTH'} eq '') {
5177 $cgiparams{'TLSAUTH'} = 'off';
5178 }
c6c9630e 5179 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
4c962356 5180 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
c6c9630e 5181 }
4c962356 5182 $checked{'ENABLED'}{'off'} = '';
c6c9630e
MT		 5183 $checked{'ENABLED'}{'on'} = '';
5184 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
5185 $checked{'ENABLED_BLUE'}{'off'} = '';
5186 $checked{'ENABLED_BLUE'}{'on'} = '';
5187 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
5188 $checked{'ENABLED_ORANGE'}{'off'} = '';
5189 $checked{'ENABLED_ORANGE'}{'on'} = '';
5190 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
c6c9630e
MT		 5191
5192 $selected{'DPROTOCOL'}{'udp'} = '';
5193 $selected{'DPROTOCOL'}{'tcp'} = '';
5194 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
4c962356 5195
52f61e49
EKD		 5196 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
5197 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
5198 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
4c962356
EK		 5199 $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
5200 $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
5201 $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
5202 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
5203 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
5204 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
c6c9630e
MT		 5205 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
5206 $selected{'DCIPHER'}{'DESX-CBC'} = '';
4c962356
EK		 5207 $selected{'DCIPHER'}{'SEED-CBC'} = '';
5208 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
5209 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
5210 $selected{'DCIPHER'}{'BF-CBC'} = '';
4c962356 5211 $selected{'DCIPHER'}{'DES-CBC'} = '';
c6c9630e 5212 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
4c962356
EK		 5213
5214 $selected{'DAUTH'}{'whirlpool'} = '';
5215 $selected{'DAUTH'}{'SHA512'} = '';
5216 $selected{'DAUTH'}{'SHA384'} = '';
5217 $selected{'DAUTH'}{'SHA256'} = '';
4c962356
EK		 5218 $selected{'DAUTH'}{'SHA1'} = '';
5219 $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
5220
0c4ffc69
EK		 5221 $checked{'TLSAUTH'}{'off'} = '';
5222 $checked{'TLSAUTH'}{'on'} = '';
5223 $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
5224
c6c9630e
MT		 5225 $checked{'DCOMPLZO'}{'off'} = '';
5226 $checked{'DCOMPLZO'}{'on'} = '';
5227 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
4c962356 5228
d96c89eb
AH		 5229# m.a.d
5230 $checked{'MSSFIX'}{'off'} = '';
5231 $checked{'MSSFIX'}{'on'} = '';
5232 $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
6e13d0a5 5233#new settings
c6c9630e
MT		 5234 &Header::showhttpheaders();
5235 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
5236 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
6e13d0a5 5237
c6c9630e 5238 if ($errormessage) {
6e13d0a5
MT		 5239 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
5240 print "<class name='base'>$errormessage\n";
5241 print "&nbsp;</class>\n";
5242 &Header::closebox();
c6c9630e 5243 }
6e13d0a5 5244
400c8afd
EK		 5245 if ($cryptoerror) {
5246 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto error'});
5247 print "<class name='base'>$cryptoerror";
5248 print "&nbsp;</class>";
5249 &Header::closebox();
5250 }
5251
5252 if ($cryptowarning) {
5253 &Header::openbox('100%', 'LEFT', $Lang::tr{'crypto warning'});
5254 print "<class name='base'>$cryptowarning";
5255 print "&nbsp;</class>";
5256 &Header::closebox();
5257 }
5258
b2e75449
MT		 5259 if ($warnmessage) {
5260 &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
5261 print "$warnmessage<br>";
5262 print "$Lang::tr{'fwdfw warn1'}<br>";
5263 &Header::closebox();
5264 print"<center><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'ok'}' style='width: 5em;'></form>";
5265 &Header::closepage();
5266 exit 0;
5267 }
4d81e0f3 5268
c6c9630e
MT		 5269 my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
5270 my $srunning = "no";
5271 my $activeonrun = "";
5272 if ( -e "/var/run/openvpn.pid"){
6e13d0a5
MT		 5273 $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'running'}</font></b></td></tr></table>";
5274 $srunning ="yes";
5275 $activeonrun = "";
c6c9630e 5276 } else {
6e13d0a5 5277 $activeonrun = "disabled='disabled'";
c6c9630e 5278 }
afabe9f7 5279 &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});
4c962356 5280 print <<END;
631b67b7 5281 <table width='100%' border='0'>
c6c9630e
MT		 5282 <form method='post'>
5283 <td width='25%'>&nbsp;</td>
5284 <td width='25%'>&nbsp;</td>
5285 <td width='25%'>&nbsp;</td></tr>
5286 <tr><td class='boldbase'>$Lang::tr{'ovpn server status'}</td>
5287 <td align='left'>$sactive</td>
5288 <tr><td class='boldbase'>$Lang::tr{'ovpn on red'}</td>
8c877a82 5289 <td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
c6c9630e
MT		 5290END
5291;
5292 if (&haveBlueNet()) {
5293 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on blue'}</td>";
5294 print "<td><input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'}{'on'} /></td>";
5295 }
5296 if (&haveOrangeNet()) {
5297 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on orange'}</td>";
5298 print "<td><input type='checkbox' name='ENABLED_ORANGE' $checked{'ENABLED_ORANGE'}{'on'} /></td>";
86308adb
EK		 5299 }
5300
5301 print <<END;
5302
5303 <tr><td colspan='4'><br></td></tr>
5304 <tr>
5305 <td class'base'><b>$Lang::tr{'net config'}:</b></td>
5306 </tr>
5307 <tr><td colspan='1'><br></td></tr>
5308
4e17adad
CS		 5309 <tr><td class='base' nowrap='nowrap' colspan='2'>$Lang::tr{'local vpn hostname/ip'}:<br /><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td>
5310 <td class='boldbase' nowrap='nowrap' colspan='2'>$Lang::tr{'ovpn subnet'}<br /><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr>
c6c9630e
MT		 5311 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
5312 <td><select name='DPROTOCOL'><option value='udp' $selected{'DPROTOCOL'}{'udp'}>UDP</option>
5313 <option value='tcp' $selected{'DPROTOCOL'}{'tcp'}>TCP</option></select></td>
5314 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
5315 <td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr>
5316 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;</td>
bc2b3e94 5317 <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
86308adb
EK		 5318 </tr>
5319
5320 <tr><td colspan='4'><br></td></tr>
5321 <tr>
5322 <td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
5323 </tr>
5324 <tr><td colspan='1'><br></td></tr>
5325
5326 <tr>
5327 <td class='base'>$Lang::tr{'ovpn ha'}</td>
5328 <td><select name='DAUTH'>
5329 <option value='whirlpool' $selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
5330 <option value='SHA512' $selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
5331 <option value='SHA384' $selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
5332 <option value='SHA256' $selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
5333 <option value='SHA1' $selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5334 </select>
5335 </td>
f527e53f 5336
4c962356
EK		 5337 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
5338 <td><select name='DCIPHER'>
52f61e49
EKD		 5339 <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
5340 <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
5341 <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
4c962356 5342 <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
f527e53f 5343 <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
4c962356
EK		 5344 <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
5345 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
5346 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
5347 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
4c962356 5348 <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
ea6dd5b0
EK		 5349 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5350 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5351 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5352 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
5353 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
4c962356
EK		 5354 </select>
5355 </td>
4c962356 5356 </tr>
0c4ffc69
EK		 5357
5358 <tr><td colspan='4'><br></td></tr>
5359 <tr>
5360 <td class='base'>$Lang::tr{'ovpn tls auth'}</td>
5361 <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
5362 </tr>
5363
f7edf97a 5364 <tr><td colspan='4'><br><br></td></tr>
c6c9630e
MT		 5365END
5366;
5367
5368 if ( $srunning eq "yes" ) {
8c877a82
AM		 5369 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
5370 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
5371 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
5372 print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
c6c9630e 5373 } else{
8c877a82
AM		 5374 print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
5375 print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
5376 print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
c6c9630e
MT		 5377 if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
5378 -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
5379 -e "${General::swroot}/ovpn/certs/servercert.pem" &&
5380 -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
5381 (( $cgiparams{'ENABLED'} eq 'on') ||
5382 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
5383 ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){
8c877a82 5384 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' /></td></tr>";
c6c9630e 5385 } else {
8c877a82 5386 print "<input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' disabled='disabled' /></td></tr>";
c6c9630e
MT		 5387 }
5388 }
5389 print "</form></table>";
5390 &Header::closebox();
6e13d0a5 5391
c6c9630e 5392 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
ce9abb66 5393###
7c1d9faf 5394# m.a.d net2net
54fd0535 5395#<td width='25%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>
ce9abb66
AH		 5396###
5397
4c962356 5398 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection status and controlc' });
c6c9630e 5399 ;
99bfa85c
AM		 5400 my $id = 0;
5401 my $gif;
f7edf97a 5402 my $col1="";
5b942f7f 5403 my $lastnet;
c8b51e28 5404 foreach my $key (sort { ncmp ($confighash{$a}[32],$confighash{$b}[32]) } sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) {
5b942f7f
AM		 5405 if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]=$Lang::tr{'fwhost OpenVPN N-2-N'};}
5406 if ($confighash{$key}[32] eq "dynamic"){$confighash{$key}[32]=$Lang::tr{'ccd dynrange'};}
5407 if($id == 0){
5408 print"<b>$confighash{$key}[32]</b>";
5409 print <<END;
5410 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5411<tr>
5412 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5413 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
5414 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
5415 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
71af643c 5416 <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
5b942f7f
AM		 5417</tr>
5418END
5419 }
5420 if ($id > 0 && $lastnet ne $confighash{$key}[32]){
5421 print "</table><br>";
5422 print"<b>$confighash{$key}[32]</b>";
5423 print <<END;
5424 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5425<tr>
5426 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5427 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
5428 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
5429 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
71af643c 5430 <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
5b942f7f
AM		 5431</tr>
5432END
5433 }
eff2dbf8 5434 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
c6c9630e 5435 if ($id % 2) {
99bfa85c
AM		 5436 print "<tr>";
5437 $col="bgcolor='$color{'color20'}'";
bb89e92a 5438 } else {
99bfa85c
AM		 5439 print "<tr>";
5440 $col="bgcolor='$color{'color22'}'";
c6c9630e 5441 }
99bfa85c
AM		 5442 print "<td align='center' nowrap='nowrap' $col>$confighash{$key}[1]</td>";
5443 print "<td align='center' nowrap='nowrap' $col>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
8c877a82
AM		 5444 #if ($confighash{$key}[4] eq 'cert') {
5445 #print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
5446 #} else {
5447 #print "<td align='left'>&nbsp;</td>";
5448 #}
2feacd98
SS		 5449 my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem");
5450 my $cavalid;
5451
5452 foreach my $line (@cavalid) {
5453 if ($line =~ /Not After : (.*)[\n]/) {
5454 $cavalid = $1;
5455
5456 last;
5457 }
5458 }
5459
99bfa85c 5460 print "<td align='center' $col>$confighash{$key}[25]</td>";
f7edf97a
AM		 5461 $col1="bgcolor='${Header::colourred}'";
5462 my $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
ce9abb66 5463
c6c9630e 5464 if ($confighash{$key}[0] eq 'off') {
f7edf97a
AM		 5465 $col1="bgcolor='${Header::colourblue}'";
5466 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b>";
c6c9630e 5467 } else {
ce9abb66
AH		 5468
5469###
7c1d9faf 5470# m.a.d net2net
f7edf97a
AM		 5471###
5472
b278daf3 5473 if ($confighash{$key}[3] eq 'net') {
54fd0535
MT		 5474
5475 if (-e "/var/run/$confighash{$key}[1]n2n.pid") {
5476 my @output = "";
5477 my @tustate = "";
5478 my $tport = $confighash{$key}[22];
5479 my $tnet = new Net::Telnet ( Timeout=>5, Errmode=>'return', Port=>$tport);
5480 if ($tport ne '') {
5481 $tnet->open('127.0.0.1');
5482 @output = $tnet->cmd(String => 'state', Prompt => '/(END.*\n|ERROR:.*\n)/');
5483 @tustate = split(/\,/, $output[1]);
5484###
5485#CONNECTING -- OpenVPN's initial state.
5486#WAIT -- (Client only) Waiting for initial response from server.
5487#AUTH -- (Client only) Authenticating with server.
5488#GET_CONFIG -- (Client only) Downloading configuration options from server.
5489#ASSIGN_IP -- Assigning IP address to virtual network interface.
5490#ADD_ROUTES -- Adding routes to system.
5491#CONNECTED -- Initialization Sequence Completed.
5492#RECONNECTING -- A restart has occurred.
5493#EXITING -- A graceful exit is in progress.
5494####
5495
ed4b4c19 5496 if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) {
f7edf97a
AM		 5497 $col1="bgcolor='${Header::colourgreen}'";
5498 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
5499 }else {
5500 $col1="bgcolor='${Header::colourred}'";
5501 $active = "<b><font color='#FFFFFF'>$tustate[1]</font></b>";
5502 }
54fd0535 5503 }
54fd0535 5504 }
f7edf97a
AM		 5505 }else {
5506
5507 my $cn;
5508 my @match = ();
5509 foreach my $line (@status) {
5510 chomp($line);
5511 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
5512 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
5513 if ($match[1] ne "Common Name") {
5514 $cn = $match[1];
5515 }
5516 $cn =~ s/[_]/ /g;
5517 if ($cn eq "$confighash{$key}[2]") {
5518 $col1="bgcolor='${Header::colourgreen}'";
5519 $active = "<b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b>";
5520 }
5521 }
5522 }
c6c9630e 5523 }
7c1d9faf 5524}
ce9abb66
AH		 5525
5526
4c962356 5527 print <<END;
f7edf97a 5528 <td align='center' $col1>$active</td>
c6c9630e 5529
99bfa85c 5530 <form method='post' name='frm${key}a'><td align='center' $col>
96096995
AM		 5531 <input type='image' name='$Lang::tr{'dl client arch'}' src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
5532 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
5533 <input type='hidden' name='KEY' value='$key' />
c6c9630e
MT		 5534 </td></form>
5535END
5536 ;
71af643c
MT		 5537
5538 if ($confighash{$key}[41] eq "no-pass") {
5539 print <<END;
5540 <form method='post' name='frm${key}g'><td align='center' $col>
5541 <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
5542 alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
5543 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
5544 <input type='hidden' name='MODE' value='insecure' />
5545 <input type='hidden' name='KEY' value='$key' />
5546 </td></form>
5547END
5548 } else {
5549 print "<td $col>&nbsp;</td>";
5550 }
5551
c6c9630e 5552 if ($confighash{$key}[4] eq 'cert') {
4c962356 5553 print <<END;
99bfa85c 5554 <form method='post' name='frm${key}b'><td align='center' $col>
c6c9630e
MT		 5555 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />
5556 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
5557 <input type='hidden' name='KEY' value='$key' />
5558 </td></form>
5559END
5560 ; } else {
5561 print "<td>&nbsp;</td>";
5562 }
5563 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
4c962356 5564 print <<END;
99bfa85c 5565 <form method='post' name='frm${key}c'><td align='center' $col>
438dd0cc 5566 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/media-floppy.png' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />
c6c9630e
MT		 5567 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
5568 <input type='hidden' name='KEY' value='$key' />
5569 </td></form>
5570END
5571 ; } elsif ($confighash{$key}[4] eq 'cert') {
4c962356 5572 print <<END;
99bfa85c 5573 <form method='post' name='frm${key}c'><td align='center' $col>
438dd0cc 5574 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />
c6c9630e
MT		 5575 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
5576 <input type='hidden' name='KEY' value='$key' />
5577 </td></form>
5578END
5579 ; } else {
5580 print "<td>&nbsp;</td>";
5581 }
5582 print <<END
99bfa85c 5583 <form method='post' name='frm${key}d'><td align='center' $col>
c6c9630e
MT		 5584 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />
5585 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
5586 <input type='hidden' name='KEY' value='$key' />
5587 </td></form>
5588
99bfa85c 5589 <form method='post' name='frm${key}e'><td align='center' $col>
c6c9630e
MT		 5590 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
5591 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>
5592 <input type='hidden' name='KEY' value='$key' />
5593 </td></form>
99bfa85c 5594 <form method='post' name='frm${key}f'><td align='center' $col>
c6c9630e
MT		 5595 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
5596 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />
5597 <input type='hidden' name='KEY' value='$key' />
5598 </td></form>
5599 </tr>
5600END
5601 ;
5602 $id++;
5b942f7f 5603 $lastnet = $confighash{$key}[32];
c6c9630e 5604 }
5b942f7f 5605 print"</table>";
c6c9630e
MT		 5606 ;
5607
5608 # If the config file contains entries, print Key to action icons
5609 if ( $id ) {
4c962356 5610 print <<END;
8c877a82 5611 <table border='0'>
c6c9630e 5612 <tr>
4c962356
EK		 5613 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5614 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
5615 <td class='base'>$Lang::tr{'click to disable'}</td>
5616 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5617 <td class='base'>$Lang::tr{'show certificate'}</td>
5618 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
5619 <td class='base'>$Lang::tr{'edit'}</td>
5620 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
5621 <td class='base'>$Lang::tr{'remove'}</td>
c6c9630e
MT		 5622 </tr>
5623 <tr>
4c962356
EK		 5624 <td>&nbsp; </td>
5625 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
5626 <td class='base'>$Lang::tr{'click to enable'}</td>
5627 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
5628 <td class='base'>$Lang::tr{'download certificate'}</td>
5629 <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
5630 <td class='base'>$Lang::tr{'dl client arch'}</td>
5631 </tr>
f7edf97a 5632 </table><br>
c6c9630e
MT		 5633END
5634 ;
5635 }
5636
4c962356 5637 print <<END;
c6c9630e
MT		 5638 <table width='100%'>
5639 <form method='post'>
4c962356
EK		 5640 <tr><td align='right'>
5641 <input type='submit' name='ACTION' value='$Lang::tr{'add'}' />
5642 <input type='submit' name='ACTION' value='$Lang::tr{'ovpn con stat'}' $activeonrun /></td>
5643 </tr>
c6c9630e
MT		 5644 </form>
5645 </table>
5646END
4c962356
EK		 5647 ;
5648 &Header::closebox();
5649 }
fd5ccb2d
EK		 5650
5651 # CA/key listing
4c962356
EK		 5652 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}");
5653 print <<END;
5654 <table width='100%' cellspacing='1' cellpadding='0' class='tbl'>
5655 <tr>
5656 <th width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></th>
5657 <th width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></th>
5658 <th width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></th>
5659 </tr>
5660END
5661 ;
5662 my $col1="bgcolor='$color{'color22'}'";
f7fb5bc5 5663 my $col2="bgcolor='$color{'color20'}'";
c8f50356 5664 # DH parameter line
f7fb5bc5 5665 my $col3="bgcolor='$color{'color22'}'";
fd5ccb2d
EK		 5666 # ta.key line
5667 my $col4="bgcolor='$color{'color20'}'";
f7fb5bc5 5668
4c962356 5669 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
2feacd98
SS		 5670 my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
5671 my $casubject;
5672
5673 foreach my $line (@casubject) {
5674 if ($line =~ /Subject: (.*)[\n]/) {
5675 $casubject = $1;
5676 $casubject =~ s+/Email+, E+;
5677 $casubject =~ s/ ST=/ S=/;
5678
5679 last;
5680 }
5681 }
5682
4c962356
EK		 5683 print <<END;
5684 <tr>
5685 <td class='base' $col1>$Lang::tr{'root certificate'}</td>
5686 <td class='base' $col1>$casubject</td>
c8f50356 5687 <form method='post' name='frmrootcrta'><td width='3%' align='center' $col1>
4c962356
EK		 5688 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
5689 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
c8f50356
EK		 5690 </form>
5691 <form method='post' name='frmrootcrtb'><td width='3%' align='center' $col1>
4c962356
EK		 5692 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
5693 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
c8f50356
EK		 5694 </form>
5695 <td width='4%' $col1>&nbsp;</td>
5696 </tr>
4c962356
EK		 5697END
5698 ;
5699 } else {
5700 # display rootcert generation buttons
5701 print <<END;
5702 <tr>
5703 <td class='base' $col1>$Lang::tr{'root certificate'}:</td>
5704 <td class='base' $col1>$Lang::tr{'not present'}</td>
c8f50356
EK		 5705 <td colspan='3' $col1>&nbsp;</td>
5706 </tr>
4c962356
EK		 5707END
5708 ;
5709 }
5710
5711 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2feacd98
SS		 5712 my @hostsubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem");
5713 my $hostsubject;
5714
5715 foreach my $line (@hostsubject) {
5716 if ($line =~ /Subject: (.*)[\n]/) {
5717 $hostsubject = $1;
5718 $hostsubject =~ s+/Email+, E+;
5719 $hostsubject =~ s/ ST=/ S=/;
5720
5721 last;
5722 }
5723 }
4c962356
EK		 5724
5725 print <<END;
5726 <tr>
5727 <td class='base' $col2>$Lang::tr{'host certificate'}</td>
5728 <td class='base' $col2>$hostsubject</td>
c8f50356 5729 <form method='post' name='frmhostcrta'><td width='3%' align='center' $col2>
4c962356
EK		 5730 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
5731 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
c8f50356
EK		 5732 </form>
5733 <form method='post' name='frmhostcrtb'><td width='3%' align='center' $col2>
4c962356
EK		 5734 <input type='image' name="$Lang::tr{'download host certificate'}" src='/images/media-floppy.png' alt="$Lang::tr{'download host certificate'}" title="$Lang::tr{'download host certificate'}" border='0' />
5735 <input type='hidden' name='ACTION' value="$Lang::tr{'download host certificate'}" />
c8f50356
EK		 5736 </td></form>
5737 <td width='4%' $col2>&nbsp;</td>
5738 </tr>
4c962356
EK		 5739END
5740 ;
5741 } else {
5742 # Nothing
5743 print <<END;
5744 <tr>
5745 <td width='25%' class='base' $col2>$Lang::tr{'host certificate'}:</td>
5746 <td class='base' $col2>$Lang::tr{'not present'}</td>
c8f50356
EK		 5747 </td><td colspan='3' $col2>&nbsp;</td>
5748 </tr>
4c962356
EK		 5749END
5750 ;
5751 }
ce9abb66 5752
f7fb5bc5
EK		 5753 # Adding DH parameter to chart
5754 if (-f "${General::swroot}/ovpn/ca/dh1024.pem") {
b959b9f5 5755 my @dhsubject = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem");
2feacd98 5756 my $dhsubject;
f7fb5bc5 5757
2feacd98
SS		 5758 foreach my $line (@dhsubject) {
5759 if ($line =~ / (.*)[\n]/) {
5760 $dhsubject = $1;
5761
5762 last;
5763 }
5764 }
f7fb5bc5
EK		 5765
5766 print <<END;
5767 <tr>
5768 <td class='base' $col3>$Lang::tr{'dh parameter'}</td>
5769 <td class='base' $col3>$dhsubject</td>
c8f50356 5770 <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
f7fb5bc5
EK		 5771 <input type='hidden' name='ACTION' value='$Lang::tr{'show dh'}' />
5772 <input type='image' name='$Lang::tr{'show dh'}' src='/images/info.gif' alt='$Lang::tr{'show dh'}' title='$Lang::tr{'show dh'}' width='20' height='20' border='0' />
c8f50356
EK		 5773 </form>
5774 <form method='post' name='frmdhparam'><td width='3%' align='center' $col3>
c8f50356
EK		 5775 </form>
5776 <td width='4%' $col3>&nbsp;</td>
5777 </tr>
f7fb5bc5
EK		 5778END
5779 ;
5780 } else {
5781 # Nothing
5782 print <<END;
5783 <tr>
5784 <td width='25%' class='base' $col3>$Lang::tr{'dh parameter'}:</td>
5785 <td class='base' $col3>$Lang::tr{'not present'}</td>
c8f50356
EK		 5786 </td><td colspan='3' $col3>&nbsp;</td>
5787 </tr>
f7fb5bc5
EK		 5788END
5789 ;
5790 }
5791
fd5ccb2d
EK		 5792 # Adding ta.key to chart
5793 if (-f "${General::swroot}/ovpn/certs/ta.key") {
2feacd98
SS		 5794 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
5795 my @tasubject = <FILE>;
5796 close(FILE);
5797
5798 my $tasubject;
5799 foreach my $line (@tasubject) {
5800 if($line =~ /# (.*)[\n]/) {
5801 $tasubject = $1;
5802
5803 last;
5804 }
5805 }
5806
fd5ccb2d
EK		 5807 print <<END;
5808
5809 <tr>
5810 <td class='base' $col4>$Lang::tr{'ta key'}</td>
5811 <td class='base' $col4>$tasubject</td>
5812 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5813 <input type='hidden' name='ACTION' value='$Lang::tr{'show tls-auth key'}' />
5814 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-auth key'}' title='$Lang::tr{'show tls-auth key'}' width='20' height='20' border='0' />
5815 </form>
5816 <form method='post' name='frmtakey'><td width='3%' align='center' $col4>
5817 <input type='image' name='$Lang::tr{'download tls-auth key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-auth key'}' title='$Lang::tr{'download tls-auth key'}' border='0' />
5818 <input type='hidden' name='ACTION' value='$Lang::tr{'download tls-auth key'}' />
5819 </form>
5820 <td width='4%' $col4>&nbsp;</td>
5821 </tr>
5822END
5823 ;
5824 } else {
5825 # Nothing
5826 print <<END;
5827 <tr>
5828 <td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
5829 <td class='base' $col4>$Lang::tr{'not present'}</td>
5830 <td colspan='3' $col4>&nbsp;</td>
5831 </tr>
5832END
5833 ;
5834 }
5835
4c962356
EK		 5836 if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
5837 print "<tr><td colspan='5' align='center'><form method='post'>";
5838 print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
5839 print "</form></td></tr>\n";
5840 }
5841
5842 if (keys %cahash > 0) {
5843 foreach my $key (keys %cahash) {
5844 if (($key + 1) % 2) {
5845 print "<tr bgcolor='$color{'color20'}'>\n";
5846 } else {
5847 print "<tr bgcolor='$color{'color22'}'>\n";
5848 }
5849 print "<td class='base'>$cahash{$key}[0]</td>\n";
5850 print "<td class='base'>$cahash{$key}[1]</td>\n";
5851 print <<END;
5852 <form method='post' name='cafrm${key}a'><td align='center'>
5853 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />
5854 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
5855 <input type='hidden' name='KEY' value='$key' />
5856 </td></form>
5857 <form method='post' name='cafrm${key}b'><td align='center'>
5858 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />
5859 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
5860 <input type='hidden' name='KEY' value='$key' />
5861 </td></form>
5862 <form method='post' name='cafrm${key}c'><td align='center'>
5863 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
5864 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />
5865 <input type='hidden' name='KEY' value='$key' />
5866 </td></form></tr>
5867END
5868 ;
5869 }
5870 }
5871
5872 print "</table>";
5873
5874 # If the file contains entries, print Key to action icons
5875 if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {
5876 print <<END;
5877 <table>
5878 <tr>
5879 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
5880 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
5881 <td class='base'>$Lang::tr{'show certificate'}</td>
5882 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' /></td>
5883 <td class='base'>$Lang::tr{'download certificate'}</td>
5884 </tr>
5885 </table>
5886END
5887 ;
5888 }
ce9abb66 5889
4c962356 5890 print <<END
578f23c8
SS		 5891
5892 <br><hr><br>
5893
4c962356 5894 <form method='post' enctype='multipart/form-data'>
578f23c8
SS		 5895 <table border='0' width='100%'>
5896 <tr>
5897 <td colspan='4'><b>$Lang::tr{'upload ca certificate'}</b></td>
5898 </tr>
4c962356 5899
578f23c8
SS		 5900 <tr>
5901 <td width='10%'>$Lang::tr{'ca name'}:</td>
5902 <td width='30%'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' align='left'></td>
5903 <td width='30%'><input type='file' name='FH' size='25'>
5904 <td width='30%'align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}'></td>
5905 </tr>
f527e53f 5906
578f23c8
SS		 5907 <tr>
5908 <td colspan='3'>&nbsp;</td>
5909 <td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
5910 </tr>
5911 </table>
f527e53f 5912
578f23c8
SS		 5913 <br>
5914
5915 <table border='0' width='100%'>
5916 <tr>
5917 <td colspan='4'><b>$Lang::tr{'ovpn dh parameters'}</b></td>
5918 </tr>
5919
5920 <tr>
5921 <td width='40%'>$Lang::tr{'ovpn dh upload'}:</td>
5922 <td width='30%'><input type='file' name='FH' size='25'>
5923 <td width='30%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'upload dh key'}'></td>
5924 </tr>
5925
5926 <tr>
5927 <td width='40%'>$Lang::tr{'ovpn dh new key'}:</td>
5928 <td colspan='2' width='60%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'generate dh key'}' /></td>
5929 </tr>
5930 </table>
5931 </form>
f527e53f 5932
578f23c8 5933 <br><hr>
4c962356
EK		 5934END
5935 ;
5936
5937 if ( $srunning eq "yes" ) {
5938 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' disabled='disabled' /></div></form>\n";
5939 } else {
5940 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'remove x509'}' /></div></form>\n";
5941 }
5942 &Header::closebox();
5943END
5944 ;
5945
5946&Header::closepage();
ce9abb66 5947
Peter's tree of IPFire 2.x