Fixed syntax of persist option for ovpn 2.1.
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007 Michael Tremer & Christian Schmidt #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use CGI;
23 use CGI qw/:standard/;
24 use Net::DNS;
25 use File::Copy;
26 use File::Temp qw/ tempfile tempdir /;
27 use strict;
28 use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
29 require '/var/ipfire/general-functions.pl';
30 require "${General::swroot}/lang.pl";
31 require "${General::swroot}/header.pl";
32 require "${General::swroot}/countries.pl";
33
34 # enable only the following on debugging purpose
35 #use warnings;
36 #use CGI::Carp 'fatalsToBrowser';
37 #workaround to suppress a warning when a variable is used only once
38 my @dummy = ( ${Header::colourgreen} );
39 undef (@dummy);
40
41 my %color = ();
42 my %mainsettings = ();
43 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
44 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
45
46 ###
47 ### Initialize variables
48 ###
49 my %netsettings=();
50 my %cgiparams=();
51 my %vpnsettings=();
52 my %checked=();
53 my %confighash=();
54 my %cahash=();
55 my %selected=();
56 my $warnmessage = '';
57 my $errormessage = '';
58 my %settings=();
59 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
60 $cgiparams{'ENABLED'} = 'off';
61 $cgiparams{'ENABLED_BLUE'} = 'off';
62 $cgiparams{'ENABLED_ORANGE'} = 'off';
63 $cgiparams{'EDIT_ADVANCED'} = 'off';
64 $cgiparams{'NAT'} = 'off';
65 $cgiparams{'COMPRESSION'} = 'off';
66 $cgiparams{'ONLY_PROPOSED'} = 'off';
67 $cgiparams{'ACTION'} = '';
68 $cgiparams{'CA_NAME'} = '';
69 $cgiparams{'DHCP_DOMAIN'} = '';
70 $cgiparams{'DHCP_DNS'} = '';
71 $cgiparams{'DHCP_WINS'} = '';
72 $cgiparams{'DCOMPLZO'} = 'off';
73 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
74
75 # prepare openvpn config file
76 ###
77 ### Useful functions
78 ###
79 sub haveOrangeNet
80 {
81 if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
82 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
83 return 0;
84 }
85
86 sub haveBlueNet
87 {
88 if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
89 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
90 return 0;
91 }
92
93 sub sizeformat{
94 my $bytesize = shift;
95 my $i = 0;
96
97 while(abs($bytesize) >= 1024){
98 $bytesize=$bytesize/1024;
99 $i++;
100 last if($i==6);
101 }
102
103 my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
104 my $newsize=(int($bytesize*100 +0.5))/100;
105 return("$newsize $units[$i]");
106 }
107
108 sub valid_dns_host {
109 my $hostname = $_[0];
110 unless ($hostname) { return "No hostname"};
111 my $res = new Net::DNS::Resolver;
112 my $query = $res->search("$hostname");
113 if ($query) {
114 foreach my $rr ($query->answer) {
115 ## Potential bug - we are only looking at A records:
116 return 0 if $rr->type eq "A";
117 }
118 } else {
119 return $res->errorstring;
120 }
121 }
122
123 sub cleanssldatabase
124 {
125 if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
126 print FILE "01";
127 close FILE;
128 }
129 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
130 print FILE "";
131 close FILE;
132 }
133 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
134 unlink ("${General::swroot}/ovpn/certs/serial.old");
135 unlink ("${General::swroot}/ovpn/certs/01.pem");
136 }
137
138 sub newcleanssldatabase
139 {
140 if (! -s "${General::swroot}/ovpn/certs/serial" ) {
141 open(FILE, ">${General::swroot}(ovpn/certs/serial");
142 print FILE "01";
143 close FILE;
144 }
145 if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
146 system ("touch ${General::swroot}/ovpn/certs/index.txt");
147 }
148 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
149 unlink ("${General::swroot}/ovpn/certs/serial.old");
150 }
151
152 sub deletebackupcert
153 {
154 if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
155 my $hexvalue = <FILE>;
156 chomp $hexvalue;
157 close FILE;
158 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
159 }
160 }
161
162 sub checkportfw {
163 my $KEY2 = $_[0]; # key2
164 my $SRC_PORT = $_[1]; # src_port
165 my $PROTOCOL = $_[2]; # protocol
166 my $SRC_IP = $_[3]; # sourceip
167
168 my $pfwfilename = "${General::swroot}/portfw/config";
169 open(FILE, $pfwfilename) or die 'Unable to open config file.';
170 my @pfwcurrent = <FILE>;
171 close(FILE);
172 my $pfwkey1 = 0; # used for finding last sequence number used
173 foreach my $pfwline (@pfwcurrent)
174 {
175 my @pfwtemp = split(/\,/,$pfwline);
176
177 chomp ($pfwtemp[8]);
178 if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition
179 if ( $SRC_PORT eq $pfwtemp[3] &&
180 $PROTOCOL eq $pfwtemp[2] &&
181 $SRC_IP eq $pfwtemp[7])
182 {
183 $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT";
184 }
185 # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
186 if ( $pfwtemp[1] eq "0") {
187 $pfwkey1=$pfwtemp[0];
188 }
189 # Darren Critchley - Duplicate or overlapping Port range check
190 if ($pfwtemp[1] eq "0" &&
191 $PROTOCOL eq $pfwtemp[2] &&
192 $SRC_IP eq $pfwtemp[7] &&
193 $errormessage eq '')
194 {
195 &portchecks($SRC_PORT, $pfwtemp[5]);
196 # &portchecks($pfwtemp[3], $pfwtemp[5]);
197 # &portchecks($pfwtemp[3], $SRC_IP);
198 }
199 }
200 }
201 # $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP";
202
203 return;
204 }
205
206 sub checkportoverlap
207 {
208 my $portrange1 = $_[0]; # New port range
209 my $portrange2 = $_[1]; # existing port range
210 my @tempr1 = split(/\:/,$portrange1);
211 my @tempr2 = split(/\:/,$portrange2);
212
213 unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
214 unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
215
216 unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
217 unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
218
219 return 1; # Everything checks out!
220 }
221
222 # Darren Critchley - we want to make sure that a port entry is not within an already existing range
223 sub checkportinc
224 {
225 my $port1 = $_[0]; # Port
226 my $portrange2 = $_[1]; # Port range
227 my @tempr1 = split(/\:/,$portrange2);
228
229 if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
230 return 1;
231 } else {
232 return 0;
233 }
234 }
235 # Darren Critchley - Duplicate or overlapping Port range check
236 sub portchecks
237 {
238 my $p1 = $_[0]; # New port range
239 my $p2 = $_[1]; # existing port range
240 # $_ = $_[0];
241 our ($prtrange1, $prtrange2);
242 $prtrange1 = 0;
243 # if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
244 # unless (&checkportoverlap($p1,$p2)) {
245 # $errormessage = "$Lang::tr{'source port overlaps'} $p1";
246 # }
247 # }
248 if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
249 unless (&checkportinc($p2,$p1)) {
250 $errormessage = "$Lang::tr{'srcprt within existing'} $p1";
251 }
252 }
253 $prtrange1 = 1;
254 if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
255 unless (&checkportinc($p1,$p2)) {
256 $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2";
257 }
258 }
259 return;
260 }
261
262 # Darren Critchley - certain ports are reserved for IPFire
263 # TCP 67,68,81,222,445
264 # UDP 67,68
265 # Params passed in -> port, rangeyn, protocol
266 sub disallowreserved
267 {
268 # port 67 and 68 same for tcp and udp, don't bother putting in an array
269 my $msg = "";
270 my @tcp_reserved = (81,222,445);
271 my $prt = $_[0]; # the port or range
272 my $ryn = $_[1]; # tells us whether or not it is a port range
273 my $prot = $_[2]; # protocol
274 my $srcdst = $_[3]; # source or destination
275 if ($ryn) { # disect port range
276 if ($srcdst eq "src") {
277 $msg = "$Lang::tr{'rsvd src port overlap'}";
278 } else {
279 $msg = "$Lang::tr{'rsvd dst port overlap'}";
280 }
281 my @tmprng = split(/\:/,$prt);
282 unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
283 unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
284 if ($prot eq "tcp") {
285 foreach my $prange (@tcp_reserved) {
286 unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
287 }
288 }
289 } else {
290 if ($srcdst eq "src") {
291 $msg = "$Lang::tr{'reserved src port'}";
292 } else {
293 $msg = "$Lang::tr{'reserved dst port'}";
294 }
295 if ($prt == 67) { $errormessage="$msg 67"; return; }
296 if ($prt == 68) { $errormessage="$msg 68"; return; }
297 if ($prot eq "tcp") {
298 foreach my $prange (@tcp_reserved) {
299 if ($prange == $prt) { $errormessage="$msg $prange"; return; }
300 }
301 }
302 }
303 return;
304 }
305
306 sub writeserverconf {
307 my %sovpnsettings = ();
308 &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
309
310 open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
311 flock CONF, 2;
312 print CONF "#OpenVPN Server conf\n";
313 print CONF "\n";
314 print CONF "daemon openvpnserver\n";
315 print CONF "writepid /var/run/openvpn.pid\n";
316 print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
317 print CONF ";local $sovpnsettings{'VPN_IP'}\n";
318 print CONF "dev $sovpnsettings{'DDEVICE'}\n";
319 print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n";
320 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
321 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
322 print CONF "script-security 3 system\n";
323 print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
324 print CONF "tls-server\n";
325 print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n";
326 print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n";
327 print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n";
328 print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n";
329 my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
330 print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
331 print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
332 if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
333 print CONF "client-to-client\n";
334 }
335 if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
336 print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
337 }
338 print CONF "status-version 1\n";
339 print CONF "status /var/log/ovpnserver.log 30\n";
340 print CONF "cipher $sovpnsettings{DCIPHER}\n";
341 if ($sovpnsettings{DCOMPLZO} eq 'on') {
342 print CONF "comp-lzo\n";
343 }
344 if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
345 print CONF "push \"redirect-gateway def1\"\n";
346 }
347 if ($sovpnsettings{DHCP_DOMAIN} ne '') {
348 print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
349 }
350
351 if ($sovpnsettings{DHCP_DNS} ne '') {
352 print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
353 }
354
355 if ($sovpnsettings{DHCP_WINS} ne '') {
356 print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
357 }
358
359 if ($sovpnsettings{DHCP_WINS} eq '') {
360 print CONF "max-clients 100\n";
361 }
362
363 if ($sovpnsettings{DHCP_WINS} ne '') {
364 print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
365 }
366 print CONF "tls-verify /var/ipfire/ovpn/verify\n";
367 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
368 print CONF "user nobody\n";
369 print CONF "group nobody\n";
370 print CONF "persist-key\n";
371 print CONF "persist-tun\n";
372 if ($sovpnsettings{LOG_VERB} ne '') {
373 print CONF "verb $sovpnsettings{LOG_VERB}\n";
374 } else {
375 print CONF "verb 3\n";
376 }
377 print CONF "\n";
378
379 close(CONF);
380 }
381 #
382 sub emptyserverlog{
383 if (open(FILE, ">/var/log/ovpnserver.log")) {
384 flock FILE, 2;
385 print FILE "";
386 close FILE;
387 }
388
389 }
390
391 #hier die refresh page
392 if ( -e "${General::swroot}/ovpn/gencanow") {
393 my $refresh = '';
394 $refresh = "<meta http-equiv='refresh' content='15;' />";
395 &Header::showhttpheaders();
396 &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
397 &Header::openbigbox('100%', 'center');
398 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
399 print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n";
400 print "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
401 &Header::closebox();
402 &Header::closebigbox();
403 &Header::closepage();
404 exit (0);
405 }
406 ##hier die refresh page
407
408
409 ###
410 ### OpenVPN Server Control
411 ###
412 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
413 $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
414 $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
415 #start openvpn server
416 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
417 &emptyserverlog();
418 system('/usr/local/bin/openvpnctrl', '-s');
419 }
420 #stop openvpn server
421 if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
422 system('/usr/local/bin/openvpnctrl', '-k');
423 &emptyserverlog();
424 }
425 # #restart openvpn server
426 if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
427 #workarund, till SIGHUP also works when running as nobody
428 system('/usr/local/bin/openvpnctrl', '-r');
429 &emptyserverlog();
430 }
431 }
432
433 ###
434 ### Save Advanced options
435 ###
436
437 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
438 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
439 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
440 #DAN this value has to leave.
441 #new settings for daemon
442 $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
443 $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
444 $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
445 $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
446 $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
447 $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
448 $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
449 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
450 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
451
452 if ($cgiparams{'DHCP_DOMAIN'} ne ''){
453 unless (&General::validfqdn($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
454 $errormessage = $Lang::tr{'invalid input for dhcp domain'};
455 goto ADV_ERROR;
456 }
457 }
458 if ($cgiparams{'DHCP_DNS'} ne ''){
459 unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
460 $errormessage = $Lang::tr{'invalid input for dhcp dns'};
461 goto ADV_ERROR;
462 }
463 }
464 if ($cgiparams{'DHCP_WINS'} ne ''){
465 unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
466 $errormessage = $Lang::tr{'invalid input for dhcp wins'};
467 goto ADV_ERROR;
468 }
469 }
470 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) {
471 $errormessage = $Lang::tr{'invalid input for max clients'};
472 goto ADV_ERROR;
473 }
474 if ($cgiparams{'KEEPALIVE_1'} ne '') {
475 if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
476 $errormessage = $Lang::tr{'invalid input for keepalive 1'};
477 goto ADV_ERROR;
478 }
479 }
480 if ($cgiparams{'KEEPALIVE_2'} ne ''){
481 if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
482 $errormessage = $Lang::tr{'invalid input for keepalive 2'};
483 goto ADV_ERROR;
484 }
485 }
486 if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
487 $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
488 goto ADV_ERROR;
489 }
490
491 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
492 &writeserverconf();#hier ok
493 }
494
495
496
497
498 ###
499 ### Save main settings
500 ###
501 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
502 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
503 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
504 #DAN this value has to leave.
505 if ($cgiparams{'ENABLED'} eq 'on'){
506 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
507 $errormessage = $Lang::tr{'invalid input for hostname'};
508 goto SETTINGS_ERROR;
509 }
510 }
511 if ($cgiparams{'ENABLED'} eq 'on'){
512 &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest");
513 }
514 if ($errormessage) { goto SETTINGS_ERROR; }
515
516
517 if ($cgiparams{'ENABLED'} eq 'on'){
518 &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0');
519 }
520
521 if ($errormessage) { goto SETTINGS_ERROR; }
522
523 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
524 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
525 goto SETTINGS_ERROR;
526 }
527 my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
528
529 if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'},
530 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
531 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
532 goto SETTINGS_ERROR;
533 }
534
535 if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
536 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
537 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
538 goto SETTINGS_ERROR;
539 }
540
541 if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
542 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
543 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
544 goto SETTINGS_ERROR;
545 }
546
547 if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
548 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
549 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
550 goto SETTINGS_ERROR;
551 }
552 open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
553 while (<ALIASES>)
554 {
555 chomp($_);
556 my @tempalias = split(/\,/,$_);
557 if ($tempalias[1] eq 'on') {
558 if (&General::IpInSubnet ($tempalias[0] ,
559 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
560 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
561 }
562 }
563 }
564 close(ALIASES);
565 if ($errormessage ne ''){
566 goto SETTINGS_ERROR;
567 }
568 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
569 $errormessage = $Lang::tr{'invalid input'};
570 goto SETTINGS_ERROR;
571 }
572 if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
573 $errormessage = $Lang::tr{'invalid mtu input'};
574 goto SETTINGS_ERROR;
575 }
576
577 unless (&General::validport($cgiparams{'DDEST_PORT'})) {
578 $errormessage = $Lang::tr{'invalid port'};
579 goto SETTINGS_ERROR;
580 }
581 $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
582 $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
583 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
584 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
585 #new settings for daemon
586 $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
587 $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'};
588 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
589 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
590 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
591 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
592 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
593 #wrtie enable
594
595 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");}
596 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");}
597 if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");}
598 #new settings for daemon
599 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
600 &writeserverconf();#hier ok
601 SETTINGS_ERROR:
602 ###
603 ### Reset all step 2
604 ###
605 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') {
606 my $file = '';
607 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
608
609 foreach my $key (keys %confighash) {
610 if ($confighash{$key}[4] eq 'cert') {
611 delete $confighash{$cgiparams{'$key'}};
612 }
613 }
614 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
615 unlink $file
616 }
617 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
618 unlink $file
619 }
620 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
621 unlink $file
622 }
623 &cleanssldatabase();
624 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
625 print FILE "";
626 close FILE;
627 }
628 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
629 #&writeserverconf();
630 ###
631 ### Reset all step 1
632 ###
633 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) {
634 &Header::showhttpheaders();
635 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
636 &Header::openbigbox('100%', 'LEFT', '', '');
637 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
638 print <<END
639 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
640 <tr><td align='center'>
641 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
642 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
643 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />
644 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
645 </form></table>
646 END
647 ;
648 &Header::closebox();
649 &Header::closebigbox();
650 &Header::closepage();
651 exit (0);
652
653 ###
654 ### Upload CA Certificate
655 ###
656 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
657 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
658
659 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
660 $errormessage = $Lang::tr{'name must only contain characters'};
661 goto UPLOADCA_ERROR;
662 }
663
664 if (length($cgiparams{'CA_NAME'}) >60) {
665 $errormessage = $Lang::tr{'name too long'};
666 goto VPNCONF_ERROR;
667 }
668
669 if ($cgiparams{'CA_NAME'} eq 'ca') {
670 $errormessage = $Lang::tr{'name is invalid'};
671 goto UPLOAD_CA_ERROR;
672 }
673
674 # Check if there is no other entry with this name
675 foreach my $key (keys %cahash) {
676 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
677 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
678 goto UPLOADCA_ERROR;
679 }
680 }
681
682 if (ref ($cgiparams{'FH'}) ne 'Fh') {
683 $errormessage = $Lang::tr{'there was no file upload'};
684 goto UPLOADCA_ERROR;
685 }
686 # Move uploaded ca to a temporary file
687 (my $fh, my $filename) = tempfile( );
688 if (copy ($cgiparams{'FH'}, $fh) != 1) {
689 $errormessage = $!;
690 goto UPLOADCA_ERROR;
691 }
692 my $temp = `/usr/bin/openssl x509 -text -in $filename`;
693 if ($temp !~ /CA:TRUE/i) {
694 $errormessage = $Lang::tr{'not a valid ca certificate'};
695 unlink ($filename);
696 goto UPLOADCA_ERROR;
697 } else {
698 move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
699 if ($? ne 0) {
700 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
701 unlink ($filename);
702 goto UPLOADCA_ERROR;
703 }
704 }
705
706 my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`;
707 $casubject =~ /Subject: (.*)[\n]/;
708 $casubject = $1;
709 $casubject =~ s+/Email+, E+;
710 $casubject =~ s/ ST=/ S=/;
711 $casubject = &Header::cleanhtml($casubject);
712
713 my $key = &General::findhasharraykey (\%cahash);
714 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
715 $cahash{$key}[1] = $casubject;
716 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
717 # system('/usr/local/bin/ipsecctrl', 'R');
718
719 UPLOADCA_ERROR:
720
721 ###
722 ### Display ca certificate
723 ###
724 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
725 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
726
727 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
728 &Header::showhttpheaders();
729 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
730 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
731 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
732 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
733 $output = &Header::cleanhtml($output,"y");
734 print "<pre>$output</pre>\n";
735 &Header::closebox();
736 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
737 &Header::closebigbox();
738 &Header::closepage();
739 exit(0);
740 } else {
741 $errormessage = $Lang::tr{'invalid key'};
742 }
743
744 ###
745 ### Download ca certificate
746 ###
747 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
748 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
749
750 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
751 print "Content-Type: application/octet-stream\r\n";
752 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
753 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
754 exit(0);
755 } else {
756 $errormessage = $Lang::tr{'invalid key'};
757 }
758
759 ###
760 ### Remove ca certificate (step 2)
761 ###
762 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
763 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
764 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
765
766 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
767 foreach my $key (keys %confighash) {
768 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
769 if ($test =~ /: OK/) {
770 # Delete connection
771 # if ($vpnsettings{'ENABLED'} eq 'on' ||
772 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
773 # system('/usr/local/bin/ipsecctrl', 'D', $key);
774 # }
775 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
776 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
777 delete $confighash{$key};
778 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
779 # &writeipsecfiles();
780 }
781 }
782 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
783 delete $cahash{$cgiparams{'KEY'}};
784 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
785 # system('/usr/local/bin/ipsecctrl', 'R');
786 } else {
787 $errormessage = $Lang::tr{'invalid key'};
788 }
789 ###
790 ### Remove ca certificate (step 1)
791 ###
792 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
793 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
794 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
795
796 my $assignedcerts = 0;
797 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
798 foreach my $key (keys %confighash) {
799 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
800 if ($test =~ /: OK/) {
801 $assignedcerts++;
802 }
803 }
804 if ($assignedcerts) {
805 &Header::showhttpheaders();
806 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
807 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
808 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
809 print <<END
810 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
811 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
812 <tr><td align='center'>
813 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
814 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
815 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
816 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
817 </form></table>
818 END
819 ;
820 &Header::closebox();
821 &Header::closebigbox();
822 &Header::closepage();
823 exit (0);
824 } else {
825 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
826 delete $cahash{$cgiparams{'KEY'}};
827 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
828 # system('/usr/local/bin/ipsecctrl', 'R');
829 }
830 } else {
831 $errormessage = $Lang::tr{'invalid key'};
832 }
833
834 ###
835 ### Display root certificate
836 ###
837 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
838 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
839 my $output;
840 &Header::showhttpheaders();
841 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
842 &Header::openbigbox('100%', 'LEFT', '', '');
843 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
844 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
845 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
846 } else {
847 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
848 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
849 }
850 $output = &Header::cleanhtml($output,"y");
851 print "<pre>$output</pre>\n";
852 &Header::closebox();
853 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
854 &Header::closebigbox();
855 &Header::closepage();
856 exit(0);
857
858 ###
859 ### Download root certificate
860 ###
861 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
862 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
863 print "Content-Type: application/octet-stream\r\n";
864 print "Content-Disposition: filename=cacert.pem\r\n\r\n";
865 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`;
866 exit(0);
867 }
868
869 ###
870 ### Download host certificate
871 ###
872 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
873 if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
874 print "Content-Type: application/octet-stream\r\n";
875 print "Content-Disposition: filename=servercert.pem\r\n\r\n";
876 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`;
877 exit(0);
878 }
879 ###
880 ### Form for generating a root certificate
881 ###
882 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
883 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
884
885 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
886 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
887 $errormessage = $Lang::tr{'valid root certificate already exists'};
888 $cgiparams{'ACTION'} = '';
889 goto ROOTCERT_ERROR;
890 }
891
892 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
893 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
894 my $ipaddr = <IPADDR>;
895 close IPADDR;
896 chomp ($ipaddr);
897 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
898 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
899 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
900 }
901 }
902 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
903
904 if (ref ($cgiparams{'FH'}) ne 'Fh') {
905 $errormessage = $Lang::tr{'there was no file upload'};
906 goto ROOTCERT_ERROR;
907 }
908
909 # Move uploaded certificate request to a temporary file
910 (my $fh, my $filename) = tempfile( );
911 if (copy ($cgiparams{'FH'}, $fh) != 1) {
912 $errormessage = $!;
913 goto ROOTCERT_ERROR;
914 }
915
916 # Create a temporary dirctory
917 my $tempdir = tempdir( CLEANUP => 1 );
918
919 # Extract the CA certificate from the file
920 my $pid = open(OPENSSL, "|-");
921 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
922 if ($pid) { # parent
923 if ($cgiparams{'P12_PASS'} ne '') {
924 print OPENSSL "$cgiparams{'P12_PASS'}\n";
925 }
926 close (OPENSSL);
927 if ($?) {
928 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
929 unlink ($filename);
930 goto ROOTCERT_ERROR;
931 }
932 } else { # child
933 unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
934 '-in', $filename,
935 '-out', "$tempdir/cacert.pem")) {
936 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
937 unlink ($filename);
938 goto ROOTCERT_ERROR;
939 }
940 }
941
942 # Extract the Host certificate from the file
943 $pid = open(OPENSSL, "|-");
944 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
945 if ($pid) { # parent
946 if ($cgiparams{'P12_PASS'} ne '') {
947 print OPENSSL "$cgiparams{'P12_PASS'}\n";
948 }
949 close (OPENSSL);
950 if ($?) {
951 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
952 unlink ($filename);
953 goto ROOTCERT_ERROR;
954 }
955 } else { # child
956 unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
957 '-in', $filename,
958 '-out', "$tempdir/hostcert.pem")) {
959 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
960 unlink ($filename);
961 goto ROOTCERT_ERROR;
962 }
963 }
964
965 # Extract the Host key from the file
966 $pid = open(OPENSSL, "|-");
967 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
968 if ($pid) { # parent
969 if ($cgiparams{'P12_PASS'} ne '') {
970 print OPENSSL "$cgiparams{'P12_PASS'}\n";
971 }
972 close (OPENSSL);
973 if ($?) {
974 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
975 unlink ($filename);
976 goto ROOTCERT_ERROR;
977 }
978 } else { # child
979 unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
980 '-nodes',
981 '-in', $filename,
982 '-out', "$tempdir/serverkey.pem")) {
983 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
984 unlink ($filename);
985 goto ROOTCERT_ERROR;
986 }
987 }
988
989 move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem");
990 if ($? ne 0) {
991 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
992 unlink ($filename);
993 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
994 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
995 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
996 goto ROOTCERT_ERROR;
997 }
998
999 move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem");
1000 if ($? ne 0) {
1001 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1002 unlink ($filename);
1003 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1004 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1005 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1006 goto ROOTCERT_ERROR;
1007 }
1008
1009 move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem");
1010 if ($? ne 0) {
1011 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1012 unlink ($filename);
1013 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1014 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1015 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1016 goto ROOTCERT_ERROR;
1017 }
1018
1019 goto ROOTCERT_SUCCESS;
1020
1021 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1022
1023 # Validate input since the form was submitted
1024 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1025 $errormessage = $Lang::tr{'organization cant be empty'};
1026 goto ROOTCERT_ERROR;
1027 }
1028 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1029 $errormessage = $Lang::tr{'organization too long'};
1030 goto ROOTCERT_ERROR;
1031 }
1032 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1033 $errormessage = $Lang::tr{'invalid input for organization'};
1034 goto ROOTCERT_ERROR;
1035 }
1036 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1037 $errormessage = $Lang::tr{'hostname cant be empty'};
1038 goto ROOTCERT_ERROR;
1039 }
1040 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1041 $errormessage = $Lang::tr{'invalid input for hostname'};
1042 goto ROOTCERT_ERROR;
1043 }
1044 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1045 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1046 goto ROOTCERT_ERROR;
1047 }
1048 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1049 $errormessage = $Lang::tr{'e-mail address too long'};
1050 goto ROOTCERT_ERROR;
1051 }
1052 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1053 $errormessage = $Lang::tr{'invalid input for department'};
1054 goto ROOTCERT_ERROR;
1055 }
1056 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1057 $errormessage = $Lang::tr{'invalid input for city'};
1058 goto ROOTCERT_ERROR;
1059 }
1060 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1061 $errormessage = $Lang::tr{'invalid input for state or province'};
1062 goto ROOTCERT_ERROR;
1063 }
1064 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1065 $errormessage = $Lang::tr{'invalid input for country'};
1066 goto ROOTCERT_ERROR;
1067 }
1068
1069 # Copy the cgisettings to vpnsettings and save the configfile
1070 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
1071 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
1072 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
1073 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
1074 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
1075 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
1076 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
1077 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1078
1079 # Replace empty strings with a .
1080 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1081 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1082 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1083
1084 # refresh
1085 #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
1086
1087 # Create the CA certificate
1088 my $pid = open(OPENSSL, "|-");
1089 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1090 if ($pid) { # parent
1091 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1092 print OPENSSL "$state\n";
1093 print OPENSSL "$city\n";
1094 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1095 print OPENSSL "$ou\n";
1096 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1097 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1098 close (OPENSSL);
1099 if ($?) {
1100 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1101 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1102 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1103 goto ROOTCERT_ERROR;
1104 }
1105 } else { # child
1106 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1107 '-days', '999999', '-newkey', 'rsa:2048',
1108 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1109 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1110 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1111 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1112 goto ROOTCERT_ERROR;
1113 }
1114 }
1115
1116 # Create the Host certificate request
1117 $pid = open(OPENSSL, "|-");
1118 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1119 if ($pid) { # parent
1120 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1121 print OPENSSL "$state\n";
1122 print OPENSSL "$city\n";
1123 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1124 print OPENSSL "$ou\n";
1125 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1126 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1127 print OPENSSL ".\n";
1128 print OPENSSL ".\n";
1129 close (OPENSSL);
1130 if ($?) {
1131 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1132 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1133 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1134 goto ROOTCERT_ERROR;
1135 }
1136 } else { # child
1137 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1138 '-newkey', 'rsa:1024',
1139 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1140 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1141 '-extensions', 'server',
1142 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1143 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1144 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1145 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1146 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1147 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1148 goto ROOTCERT_ERROR;
1149 }
1150 }
1151
1152 # Sign the host certificate request
1153 system('/usr/bin/openssl', 'ca', '-days', '999999',
1154 '-batch', '-notext',
1155 '-in', "${General::swroot}/ovpn/certs/serverreq.pem",
1156 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1157 '-extensions', 'server',
1158 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1159 if ($?) {
1160 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1161 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1162 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1163 unlink ("${General::swroot}/ovpn/serverkey.pem");
1164 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1165 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1166 &newcleanssldatabase();
1167 goto ROOTCERT_ERROR;
1168 } else {
1169 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1170 &deletebackupcert();
1171 }
1172
1173 # Create an empty CRL
1174 system('/usr/bin/openssl', 'ca', '-gencrl',
1175 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
1176 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
1177 if ($?) {
1178 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1179 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1180 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1181 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1182 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
1183 &cleanssldatabase();
1184 goto ROOTCERT_ERROR;
1185 # } else {
1186 # &cleanssldatabase();
1187 }
1188 # Create Diffie Hellmann Parameter
1189 system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1190 '-out', "${General::swroot}/ovpn/ca/dh1024.pem",
1191 '1024' );
1192 if ($?) {
1193 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1194 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1195 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1196 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1197 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
1198 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1199 &cleanssldatabase();
1200 goto ROOTCERT_ERROR;
1201 # } else {
1202 # &cleanssldatabase();
1203 }
1204 goto ROOTCERT_SUCCESS;
1205 }
1206 ROOTCERT_ERROR:
1207 if ($cgiparams{'ACTION'} ne '') {
1208 &Header::showhttpheaders();
1209 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1210 &Header::openbigbox('100%', 'LEFT', '', '');
1211 if ($errormessage) {
1212 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1213 print "<class name='base'>$errormessage";
1214 print "&nbsp;</class>";
1215 &Header::closebox();
1216 }
1217 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
1218 print <<END
1219 <form method='post' enctype='multipart/form-data'>
1220 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
1221 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>
1222 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
1223 <td width='35%' colspan='2'>&nbsp;</td></tr>
1224 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:</td>
1225 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
1226 <td colspan='2'>&nbsp;</td></tr>
1227 <tr><td class='base'>$Lang::tr{'your e-mail'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1228 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
1229 <td colspan='2'>&nbsp;</td></tr>
1230 <tr><td class='base'>$Lang::tr{'your department'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1231 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
1232 <td colspan='2'>&nbsp;</td></tr>
1233 <tr><td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1234 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
1235 <td colspan='2'>&nbsp;</td></tr>
1236 <tr><td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1237 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
1238 <td colspan='2'>&nbsp;</td></tr>
1239 <tr><td class='base'>$Lang::tr{'country'}:</td>
1240 <td class='base'><select name='ROOTCERT_COUNTRY'>
1241
1242 END
1243 ;
1244 foreach my $country (sort keys %{Countries::countries}) {
1245 print "<option value='$Countries::countries{$country}'";
1246 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
1247 print " selected='selected'";
1248 }
1249 print ">$country</option>";
1250 }
1251 print <<END
1252 </select></td>
1253 <td colspan='2'>&nbsp;</td></tr>
1254 <tr><td>&nbsp;</td>
1255 <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
1256 <td>&nbsp;</td><td>&nbsp;</td></tr>
1257 <tr><td class='base' colspan='4' align='left'>
1258 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1259 <tr><td class='base' colspan='4' align='left'>
1260 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
1261 $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
1262 </td></tr>
1263 <tr><td colspan='4' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>
1264 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
1265 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
1266 <td colspan='2'>&nbsp;</td></tr>
1267 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' ></td>
1268 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
1269 <td colspan='2'>&nbsp;</td></tr>
1270 <tr><td>&nbsp;</td>
1271 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
1272 <td colspan='2'>&nbsp;</td></tr>
1273 <tr><td class='base' colspan='4' align='left'>
1274 <img src='/blob.gif' valign='top' al='*' >&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1275 </form></table>
1276 END
1277 ;
1278 &Header::closebox();
1279
1280 &Header::closebigbox();
1281 &Header::closepage();
1282 exit(0)
1283 }
1284
1285 ROOTCERT_SUCCESS:
1286 system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem");
1287 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1288 # $vpnsettings{'ENABLE_BLUE'} eq 'on') {
1289 # system('/usr/local/bin/ipsecctrl', 'S');
1290 # }
1291
1292 ###
1293 ### Enable/Disable connection
1294 ###
1295 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1296
1297 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1298 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1299
1300 if ($confighash{$cgiparams{'KEY'}}) {
1301 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1302 $confighash{$cgiparams{'KEY'}}[0] = 'on';
1303 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1304 #&writeserverconf();
1305 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1306 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1307 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1308 # }
1309 } else {
1310 $confighash{$cgiparams{'KEY'}}[0] = 'off';
1311 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1312 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1313 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1314 # }
1315 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1316 #&writeserverconf();
1317 }
1318 } else {
1319 $errormessage = $Lang::tr{'invalid key'};
1320 }
1321
1322 ###
1323 ### Download OpenVPN client package
1324 ###
1325 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
1326 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1327 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1328 my $file = '';
1329 my $clientovpn = '';
1330 my @fileholder;
1331 my $tempdir = tempdir( CLEANUP => 1 );
1332 my $zippath = "$tempdir/";
1333 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
1334 my $zippathname = "$zippath$zipname";
1335 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
1336 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
1337 flock CLIENTCONF, 2;
1338
1339 my $zip = Archive::Zip->new();
1340
1341 print CLIENTCONF "#OpenVPN Server conf\r\n";
1342 print CLIENTCONF "tls-client\r\n";
1343 print CLIENTCONF "client\r\n";
1344 print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n";
1345 print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
1346 print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n";
1347 if ( $vpnsettings{'ENABLED'} eq 'on'){
1348 print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
1349 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
1350 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n";
1351 print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1352 }
1353 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1354 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
1355 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1356 }
1357 } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
1358 print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1359 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1360 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
1361 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1362 }
1363 } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1364 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1365 }
1366
1367 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
1368 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
1369 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
1370 } else {
1371 print CLIENTCONF "ca cacert.pem\r\n";
1372 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
1373 print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
1374 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
1375 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
1376 }
1377 print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
1378 if ($vpnsettings{DCOMPLZO} eq 'on') {
1379 print CLIENTCONF "comp-lzo\r\n";
1380 }
1381 print CLIENTCONF "verb 3\r\n";
1382 print CLIENTCONF "ns-cert-type server\r\n";
1383 print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n";
1384 close(CLIENTCONF);
1385 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
1386 my $status = $zip->writeToFileNamed($zippathname);
1387
1388 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
1389 @fileholder = <DLFILE>;
1390 print "Content-Type:application/x-download\n";
1391 print "Content-Disposition:attachment;filename=$zipname\n\n";
1392 print @fileholder;
1393 exit (0);
1394
1395 ###
1396 ### Remove connection
1397 ###
1398 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
1399 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1400 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1401
1402 if ($confighash{$cgiparams{'KEY'}}) {
1403 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1404 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1405 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1406 # }
1407 #
1408 my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
1409 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1410 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1411 delete $confighash{$cgiparams{'KEY'}};
1412 my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
1413 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1414 #&writeserverconf();
1415 } else {
1416 $errormessage = $Lang::tr{'invalid key'};
1417 }
1418 ###
1419 ### Download PKCS12 file
1420 ###
1421 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
1422 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1423
1424 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
1425 print "Content-Type: application/octet-stream\r\n\r\n";
1426 print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
1427 exit (0);
1428
1429 ###
1430 ### Display certificate
1431 ###
1432 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
1433 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1434
1435 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1436 &Header::showhttpheaders();
1437 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1438 &Header::openbigbox('100%', 'LEFT', '', '');
1439 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
1440 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1441 $output = &Header::cleanhtml($output,"y");
1442 print "<pre>$output</pre>\n";
1443 &Header::closebox();
1444 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1445 &Header::closebigbox();
1446 &Header::closepage();
1447 exit(0);
1448 }
1449 ###
1450 ### Display Certificate Revoke List
1451 ###
1452 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
1453 # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1454
1455 if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") {
1456 &Header::showhttpheaders();
1457 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1458 &Header::openbigbox('100%', 'LEFT', '', '');
1459 &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
1460 my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`;
1461 $output = &Header::cleanhtml($output,"y");
1462 print "<pre>$output</pre>\n";
1463 &Header::closebox();
1464 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1465 &Header::closebigbox();
1466 &Header::closepage();
1467 exit(0);
1468 }
1469
1470 ###
1471 ### Advanced Server Settings
1472 ###
1473
1474 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
1475 %cgiparams = ();
1476 %cahash = ();
1477 %confighash = ();
1478 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
1479
1480 # if ($cgiparams{'CLIENT2CLIENT'} eq '') {
1481 # $cgiparams{'CLIENT2CLIENT'} = 'on';
1482 # }
1483 ADV_ERROR:
1484 if ($cgiparams{'MAX_CLIENTS'} eq '') {
1485 $cgiparams{'MAX_CLIENTS'} = '100';
1486 }
1487
1488 if ($cgiparams{'KEEPALIVE_1'} eq '') {
1489 $cgiparams{'KEEPALIVE_1'} = '10';
1490 }
1491 if ($cgiparams{'KEEPALIVE_2'} eq '') {
1492 $cgiparams{'KEEPALIVE_2'} = '60';
1493 }
1494 if ($cgiparams{'LOG_VERB'} eq '') {
1495 $cgiparams{'LOG_VERB'} = '3';
1496 }
1497 $checked{'CLIENT2CLIENT'}{'off'} = '';
1498 $checked{'CLIENT2CLIENT'}{'on'} = '';
1499 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
1500 $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
1501 $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
1502 $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
1503 $selected{'LOG_VERB'}{'1'} = '';
1504 $selected{'LOG_VERB'}{'2'} = '';
1505 $selected{'LOG_VERB'}{'3'} = '';
1506 $selected{'LOG_VERB'}{'4'} = '';
1507 $selected{'LOG_VERB'}{'5'} = '';
1508 $selected{'LOG_VERB'}{'6'} = '';
1509 $selected{'LOG_VERB'}{'7'} = '';
1510 $selected{'LOG_VERB'}{'8'} = '';
1511 $selected{'LOG_VERB'}{'9'} = '';
1512 $selected{'LOG_VERB'}{'10'} = '';
1513 $selected{'LOG_VERB'}{'11'} = '';
1514 $selected{'LOG_VERB'}{'0'} = '';
1515 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
1516
1517 &Header::showhttpheaders();
1518 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
1519 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1520 if ($errormessage) {
1521 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1522 print "<class name='base'>$errormessage\n";
1523 print "&nbsp;</class>\n";
1524 &Header::closebox();
1525 }
1526 &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
1527 print <<END
1528 <form method='post' enctype='multipart/form-data'>
1529 <table width='100%'>
1530 <tr>
1531 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
1532 </tr>
1533 <tr>
1534 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1535 </tr>
1536 <tr>
1537 <td class='base'>Domain</td>
1538 <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
1539 </tr>
1540 <tr>
1541 <td class='base'>DNS</td>
1542 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
1543 </tr>
1544 <tr>
1545 <td class='base'>WINS</td>
1546 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
1547 </tr>
1548 </table>
1549 <hr size='1'>
1550 <table width='100%'>
1551 <tr>
1552 <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
1553 </tr>
1554 <tr>
1555 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1556 </tr>
1557 <tr>
1558 <td class='base'>Client-To-Client</td>
1559 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
1560 </tr>
1561 <tr>
1562 <td class='base'>Redirect-Gateway def1</td>
1563 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
1564 </tr>
1565 <tr>
1566 <td class='base'>Max-Clients</td>
1567 <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='30' /></td>
1568 </tr>
1569 <td class='base'>Keppalive (ping/ping-restart)</td>
1570 <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='30' /></td>
1571 <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='30' /></td>
1572 </tr>
1573 </table>
1574 <hr size='1'>
1575 <table width='100%'>
1576 <tr>
1577 <td class'base'><b>$Lang::tr{'log-options'}</b></td>
1578 </tr>
1579 <tr>
1580 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1581 </tr>
1582
1583 <tr><td class='base'>VERB</td>
1584 <td><select name='LOG_VERB'><option value='1' $selected{'LOG_VERB'}{'1'}>1</option>
1585 <option value='2' $selected{'LOG_VERB'}{'2'}>2</option>
1586 <option value='3' $selected{'LOG_VERB'}{'3'}>3</option>
1587 <option value='4' $selected{'LOG_VERB'}{'4'}>4</option>
1588 <option value='5' $selected{'LOG_VERB'}{'5'}>5</option>
1589 <option value='6' $selected{'LOG_VERB'}{'6'}>6</option>
1590 <option value='7' $selected{'LOG_VERB'}{'7'}>7</option>
1591 <option value='8' $selected{'LOG_VERB'}{'8'}>8</option>
1592 <option value='9' $selected{'LOG_VERB'}{'9'}>9</option>
1593 <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
1594 <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
1595 <option value='0' $selected{'LOG_VERB'}{'0'}>0</option></select></td>
1596 </table>
1597 <hr size='1'>
1598 <table width='100%'>
1599 <tr>
1600 <td>&nbsp;</td>
1601 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
1602 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
1603 <td>&nbsp;</td>
1604 </tr>
1605 </table>
1606 </form>
1607 END
1608 ;
1609
1610 &Header::closebox();
1611 # print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1612 &Header::closebigbox();
1613 &Header::closepage();
1614 exit(0);
1615
1616 ###
1617 ### Openvpn Connections Statistics
1618 ###
1619 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
1620 &Header::showhttpheaders();
1621 &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
1622 &Header::openbigbox('100%', 'LEFT', '', '');
1623 &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
1624
1625 #
1626 # <td><b>$Lang::tr{'protocol'}</b></td>
1627 # protocol temp removed
1628 print <<END
1629 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
1630 <tr>
1631 <td><b>$Lang::tr{'common name'}</b></td>
1632 <td><b>$Lang::tr{'real address'}</b></td>
1633 <td><b>$Lang::tr{'virtual address'}</b></td>
1634 <td><b>$Lang::tr{'loged in at'}</b></td>
1635 <td><b>$Lang::tr{'bytes sent'}</b></td>
1636 <td><b>$Lang::tr{'bytes received'}</b></td>
1637 <td><b>$Lang::tr{'last activity'}</b></td>
1638 </tr>
1639 END
1640 ;
1641 my $filename = "/var/log/ovpnserver.log";
1642 open(FILE, $filename) or die 'Unable to open config file.';
1643 my @current = <FILE>;
1644 close(FILE);
1645 my @users =();
1646 my $status;
1647 my $uid = 0;
1648 my $cn;
1649 my @match = ();
1650 my $proto = "udp";
1651 my $address;
1652 my %userlookup = ();
1653 foreach my $line (@current)
1654 {
1655 chomp($line);
1656 if ( $line =~ /^Updated,(.+)/){
1657 @match = split( /^Updated,(.+)/, $line);
1658 $status = $match[1];
1659 }
1660 #gian
1661 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
1662 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
1663 if ($match[1] ne "Common Name") {
1664 $cn = $match[1];
1665 $userlookup{$match[2]} = $uid;
1666 $users[$uid]{'CommonName'} = $match[1];
1667 $users[$uid]{'RealAddress'} = $match[2];
1668 $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
1669 $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
1670 $users[$uid]{'Since'} = $match[5];
1671 $users[$uid]{'Proto'} = $proto;
1672 $uid++;
1673 }
1674 }
1675 if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
1676 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
1677 if ($match[1] ne "Virtual Address") {
1678 $address = $match[3];
1679 #find the uid in the lookup table
1680 $uid = $userlookup{$address};
1681 $users[$uid]{'VirtualAddress'} = $match[1];
1682 $users[$uid]{'LastRef'} = $match[4];
1683 }
1684 }
1685 }
1686 my $user2 = @users;
1687 if ($user2 >= 1){
1688 for (my $idx = 1; $idx <= $user2; $idx++){
1689 if ($idx % 2) {
1690 print "<tr bgcolor='$color{'color20'}'>\n";
1691 } else {
1692 print "<tr bgcolor='$color{'color22'}'>\n";
1693 }
1694 print "<td align='left'>$users[$idx-1]{'CommonName'}</td>";
1695 print "<td align='left'>$users[$idx-1]{'RealAddress'}</td>";
1696 print "<td align='left'>$users[$idx-1]{'VirtualAddress'}</td>";
1697 print "<td align='left'>$users[$idx-1]{'Since'}</td>";
1698 print "<td align='left'>$users[$idx-1]{'BytesSent'}</td>";
1699 print "<td align='left'>$users[$idx-1]{'BytesReceived'}</td>";
1700 print "<td align='left'>$users[$idx-1]{'LastRef'}</td>";
1701 # print "<td align='left'>$users[$idx-1]{'Proto'}</td>";
1702 }
1703 }
1704
1705 print "</table>";
1706 print <<END
1707 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
1708 <tr><td></td></tr>
1709 <tr><td></td></tr>
1710 <tr><td></td></tr>
1711 <tr><td></td></tr>
1712 <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
1713 </table>
1714 END
1715 ;
1716 &Header::closebox();
1717 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1718 &Header::closebigbox();
1719 &Header::closepage();
1720 exit(0);
1721
1722 ###
1723 ### Download Certificate
1724 ###
1725 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
1726 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1727
1728 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1729 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
1730 print "Content-Type: application/octet-stream\r\n\r\n";
1731 print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1732 exit (0);
1733 }
1734
1735 ###
1736 ### Enable/Disable connection
1737 ###
1738 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1739
1740 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1741 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1742
1743 if ($confighash{$cgiparams{'KEY'}}) {
1744 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1745 $confighash{$cgiparams{'KEY'}}[0] = 'on';
1746 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1747 #&writeserverconf();
1748 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1749 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1750 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1751 # }
1752 } else {
1753 $confighash{$cgiparams{'KEY'}}[0] = 'off';
1754 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1755 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1756 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1757 # }
1758 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1759 #&writeserverconf();
1760 }
1761 } else {
1762 $errormessage = $Lang::tr{'invalid key'};
1763 }
1764
1765 ###
1766 ### Restart connection
1767 ###
1768 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
1769 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1770 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1771
1772 if ($confighash{$cgiparams{'KEY'}}) {
1773 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1774 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1775 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1776 # }
1777 } else {
1778 $errormessage = $Lang::tr{'invalid key'};
1779 }
1780
1781 ###
1782 ### Remove connection
1783 ###
1784 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
1785 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1786 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1787
1788 if ($confighash{$cgiparams{'KEY'}}) {
1789 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1790 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1791 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1792 # }
1793 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1794 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1795 delete $confighash{$cgiparams{'KEY'}};
1796 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1797 #&writeserverconf();
1798 } else {
1799 $errormessage = $Lang::tr{'invalid key'};
1800 }
1801 #test33
1802
1803 ###
1804 ### Choose between adding a host-net or net-net connection
1805 ###
1806 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
1807 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1808 &Header::showhttpheaders();
1809 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1810 &Header::openbigbox('100%', 'LEFT', '', '');
1811 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
1812 print <<END
1813 <b>$Lang::tr{'connection type'}:</b><br />
1814 <table><form method='post'>
1815 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
1816 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
1817 <tr><td><input type='radio' name='TYPE' value='net' disabled='disabled' /></td>
1818 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
1819 <tr><td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
1820 </form></table>
1821 END
1822 ;
1823 &Header::closebox();
1824 &Header::closebigbox();
1825 &Header::closepage();
1826 exit (0);
1827 ###
1828 ### Adding a new connection
1829 ###
1830 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
1831 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
1832 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
1833
1834 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1835 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1836 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1837
1838 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
1839 if (! $confighash{$cgiparams{'KEY'}}[0]) {
1840 $errormessage = $Lang::tr{'invalid key'};
1841 goto VPNCONF_END;
1842 }
1843 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
1844 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
1845 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
1846 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
1847 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
1848 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
1849 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
1850 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
1851 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
1852 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
1853 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
1854 #new fields
1855 $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
1856 $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
1857 $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
1858 $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
1859 $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
1860 #new fields
1861 #ab hiere error uebernehmen
1862 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
1863 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
1864 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
1865 $errormessage = $Lang::tr{'connection type is invalid'};
1866 goto VPNCONF_ERROR;
1867 }
1868
1869
1870 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
1871 $errormessage = $Lang::tr{'name must only contain characters'};
1872 goto VPNCONF_ERROR;
1873 }
1874
1875 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
1876 $errormessage = $Lang::tr{'name is invalid'};
1877 goto VPNCONF_ERROR;
1878 }
1879
1880 if (length($cgiparams{'NAME'}) >60) {
1881 $errormessage = $Lang::tr{'name too long'};
1882 goto VPNCONF_ERROR;
1883 }
1884
1885 # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
1886 # $errormessage = $Lang::tr{'ipfire side is invalid'};
1887 # goto VPNCONF_ERROR;
1888 # }
1889
1890 # Check if there is no other entry with this name
1891 if (! $cgiparams{'KEY'}) {
1892 foreach my $key (keys %confighash) {
1893 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
1894 $errormessage = $Lang::tr{'a connection with this name already exists'};
1895 goto VPNCONF_ERROR;
1896 }
1897 }
1898 }
1899
1900 if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
1901 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1902 goto VPNCONF_ERROR;
1903 }
1904
1905 if ($cgiparams{'REMOTE'}) {
1906 if (! &General::validip($cgiparams{'REMOTE'})) {
1907 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
1908 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1909 goto VPNCONF_ERROR;
1910 } else {
1911 if (&valid_dns_host($cgiparams{'REMOTE'})) {
1912 $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
1913 }
1914 }
1915 }
1916 }
1917 if ($cgiparams{'TYPE'} ne 'host') {
1918 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
1919 $errormessage = $Lang::tr{'local subnet is invalid'};
1920 goto VPNCONF_ERROR;}
1921 }
1922 # Check if there is no other entry without IP-address and PSK
1923 if ($cgiparams{'REMOTE'} eq '') {
1924 foreach my $key (keys %confighash) {
1925 if(($cgiparams{'KEY'} ne $key) &&
1926 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
1927 $confighash{$key}[10] eq '') {
1928 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
1929 goto VPNCONF_ERROR;
1930 }
1931 }
1932 }
1933 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
1934 $errormessage = $Lang::tr{'remote subnet is invalid'};
1935 goto VPNCONF_ERROR;
1936 }
1937
1938 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1939 $errormessage = $Lang::tr{'invalid input'};
1940 goto VPNCONF_ERROR;
1941 }
1942 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
1943 $errormessage = $Lang::tr{'invalid input'};
1944 goto VPNCONF_ERROR;
1945 }
1946
1947 #fixplausi
1948 if ($cgiparams{'AUTH'} eq 'psk') {
1949 # if (! length($cgiparams{'PSK'}) ) {
1950 # $errormessage = $Lang::tr{'pre-shared key is too short'};
1951 # goto VPNCONF_ERROR;
1952 # }
1953 # if ($cgiparams{'PSK'} =~ /['",&]/) {
1954 # $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
1955 # goto VPNCONF_ERROR;
1956 # }
1957 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
1958 if ($cgiparams{'KEY'}) {
1959 $errormessage = $Lang::tr{'cant change certificates'};
1960 goto VPNCONF_ERROR;
1961 }
1962 if (ref ($cgiparams{'FH'}) ne 'Fh') {
1963 $errormessage = $Lang::tr{'there was no file upload'};
1964 goto VPNCONF_ERROR;
1965 }
1966
1967 # Move uploaded certificate request to a temporary file
1968 (my $fh, my $filename) = tempfile( );
1969 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1970 $errormessage = $!;
1971 goto VPNCONF_ERROR;
1972 }
1973
1974 # Sign the certificate request and move it
1975 # Sign the host certificate request
1976 system('/usr/bin/openssl', 'ca', '-days', '999999',
1977 '-batch', '-notext',
1978 '-in', $filename,
1979 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
1980 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
1981 if ($?) {
1982 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1983 unlink ($filename);
1984 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
1985 &newcleanssldatabase();
1986 goto VPNCONF_ERROR;
1987 } else {
1988 unlink ($filename);
1989 &deletebackupcert();
1990 }
1991
1992 my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
1993 $temp =~ /Subject:.*CN=(.*)[\n]/;
1994 $temp = $1;
1995 $temp =~ s+/Email+, E+;
1996 $temp =~ s/ ST=/ S=/;
1997 $cgiparams{'CERT_NAME'} = $temp;
1998 $cgiparams{'CERT_NAME'} =~ s/,//g;
1999 $cgiparams{'CERT_NAME'} =~ s/\'//g;
2000 if ($cgiparams{'CERT_NAME'} eq '') {
2001 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
2002 goto VPNCONF_ERROR;
2003 }
2004 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
2005 if ($cgiparams{'KEY'}) {
2006 $errormessage = $Lang::tr{'cant change certificates'};
2007 goto VPNCONF_ERROR;
2008 }
2009 if (ref ($cgiparams{'FH'}) ne 'Fh') {
2010 $errormessage = $Lang::tr{'there was no file upload'};
2011 goto VPNCONF_ERROR;
2012 }
2013 # Move uploaded certificate to a temporary file
2014 (my $fh, my $filename) = tempfile( );
2015 if (copy ($cgiparams{'FH'}, $fh) != 1) {
2016 $errormessage = $!;
2017 goto VPNCONF_ERROR;
2018 }
2019
2020 # Verify the certificate has a valid CA and move it
2021 my $validca = 0;
2022 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`;
2023 if ($test =~ /: OK/) {
2024 $validca = 1;
2025 } else {
2026 foreach my $key (keys %cahash) {
2027 $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`;
2028 if ($test =~ /: OK/) {
2029 $validca = 1;
2030 }
2031 }
2032 }
2033 if (! $validca) {
2034 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
2035 unlink ($filename);
2036 goto VPNCONF_ERROR;
2037 } else {
2038 move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2039 if ($? ne 0) {
2040 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
2041 unlink ($filename);
2042 goto VPNCONF_ERROR;
2043 }
2044 }
2045
2046 my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
2047 $temp =~ /Subject:.*CN=(.*)[\n]/;
2048 $temp = $1;
2049 $temp =~ s+/Email+, E+;
2050 $temp =~ s/ ST=/ S=/;
2051 $cgiparams{'CERT_NAME'} = $temp;
2052 $cgiparams{'CERT_NAME'} =~ s/,//g;
2053 $cgiparams{'CERT_NAME'} =~ s/\'//g;
2054 if ($cgiparams{'CERT_NAME'} eq '') {
2055 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2056 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
2057 goto VPNCONF_ERROR;
2058 }
2059 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
2060 if ($cgiparams{'KEY'}) {
2061 $errormessage = $Lang::tr{'cant change certificates'};
2062 goto VPNCONF_ERROR;
2063 }
2064 # Validate input since the form was submitted
2065 if (length($cgiparams{'CERT_NAME'}) >60) {
2066 $errormessage = $Lang::tr{'name too long'};
2067 goto VPNCONF_ERROR;
2068 }
2069 if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
2070 $errormessage = $Lang::tr{'invalid input for name'};
2071 goto VPNCONF_ERROR;
2072 }
2073 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
2074 $errormessage = $Lang::tr{'invalid input for e-mail address'};
2075 goto VPNCONF_ERROR;
2076 }
2077 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
2078 $errormessage = $Lang::tr{'e-mail address too long'};
2079 goto VPNCONF_ERROR;
2080 }
2081 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2082 $errormessage = $Lang::tr{'invalid input for department'};
2083 goto VPNCONF_ERROR;
2084 }
2085 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
2086 $errormessage = $Lang::tr{'organization too long'};
2087 goto VPNCONF_ERROR;
2088 }
2089 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
2090 $errormessage = $Lang::tr{'invalid input for organization'};
2091 goto VPNCONF_ERROR;
2092 }
2093 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2094 $errormessage = $Lang::tr{'invalid input for city'};
2095 goto VPNCONF_ERROR;
2096 }
2097 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2098 $errormessage = $Lang::tr{'invalid input for state or province'};
2099 goto VPNCONF_ERROR;
2100 }
2101 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
2102 $errormessage = $Lang::tr{'invalid input for country'};
2103 goto VPNCONF_ERROR;
2104 }
2105 if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
2106 if (length($cgiparams{'CERT_PASS1'}) < 5) {
2107 $errormessage = $Lang::tr{'password too short'};
2108 goto VPNCONF_ERROR;
2109 }
2110 }
2111 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
2112 $errormessage = $Lang::tr{'passwords do not match'};
2113 goto VPNCONF_ERROR;
2114 }
2115
2116 # Replace empty strings with a .
2117 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
2118 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
2119 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
2120
2121 # Create the Host certificate request client
2122 my $pid = open(OPENSSL, "|-");
2123 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
2124 if ($pid) { # parent
2125 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
2126 print OPENSSL "$state\n";
2127 print OPENSSL "$city\n";
2128 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
2129 print OPENSSL "$ou\n";
2130 print OPENSSL "$cgiparams{'CERT_NAME'}\n";
2131 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
2132 print OPENSSL ".\n";
2133 print OPENSSL ".\n";
2134 close (OPENSSL);
2135 if ($?) {
2136 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2137 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
2138 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
2139 goto VPNCONF_ERROR;
2140 }
2141 } else { # child
2142 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
2143 '-newkey', 'rsa:1024',
2144 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
2145 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
2146 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
2147 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
2148 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2149 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2150 goto VPNCONF_ERROR;
2151 }
2152 }
2153
2154 # Sign the host certificate request
2155 system('/usr/bin/openssl', 'ca', '-days', '999999',
2156 '-batch', '-notext',
2157 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
2158 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
2159 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
2160 if ($?) {
2161 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2162 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2163 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2164 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2165 &newcleanssldatabase();
2166 goto VPNCONF_ERROR;
2167 } else {
2168 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2169 &deletebackupcert();
2170 }
2171
2172 # Create the pkcs12 file
2173 system('/usr/bin/openssl', 'pkcs12', '-export',
2174 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
2175 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
2176 '-name', $cgiparams{'NAME'},
2177 '-passout', "pass:$cgiparams{'CERT_PASS1'}",
2178 '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
2179 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
2180 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
2181 if ($?) {
2182 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2183 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2184 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2185 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
2186 goto VPNCONF_ERROR;
2187 } else {
2188 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2189 }
2190 } elsif ($cgiparams{'AUTH'} eq 'cert') {
2191 ;# Nothing, just editing
2192 } else {
2193 $errormessage = $Lang::tr{'invalid input for authentication method'};
2194 goto VPNCONF_ERROR;
2195 }
2196
2197 # Check if there is no other entry with this common name
2198 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
2199 foreach my $key (keys %confighash) {
2200 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
2201 $errormessage = $Lang::tr{'a connection with this common name already exists'};
2202 goto VPNCONF_ERROR;
2203 }
2204 }
2205 }
2206
2207 # Save the config
2208 my $key = $cgiparams{'KEY'};
2209 if (! $key) {
2210 $key = &General::findhasharraykey (\%confighash);
2211 foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
2212 }
2213 $confighash{$key}[0] = $cgiparams{'ENABLED'};
2214 $confighash{$key}[1] = $cgiparams{'NAME'};
2215 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
2216 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
2217 }
2218 $confighash{$key}[3] = $cgiparams{'TYPE'};
2219 if ($cgiparams{'AUTH'} eq 'psk') {
2220 $confighash{$key}[4] = 'psk';
2221 $confighash{$key}[5] = $cgiparams{'PSK'};
2222 } else {
2223 $confighash{$key}[4] = 'cert';
2224 }
2225 if ($cgiparams{'TYPE'} eq 'net') {
2226 $confighash{$key}[6] = $cgiparams{'SIDE'};
2227 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
2228 }
2229 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
2230 $confighash{$key}[10] = $cgiparams{'REMOTE'};
2231 $confighash{$key}[25] = $cgiparams{'REMARK'};
2232 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
2233 # new fields
2234 $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
2235 $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
2236 $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
2237 $confighash{$key}[30] = $cgiparams{'COMPLZO'};
2238 $confighash{$key}[31] = $cgiparams{'MTU'};
2239 # new fileds
2240 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2241 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
2242 $cgiparams{'KEY'} = $key;
2243 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
2244 }
2245 goto VPNCONF_END;
2246 } else {
2247 $cgiparams{'ENABLED'} = 'on';
2248 $cgiparams{'SIDE'} = 'left';
2249 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
2250 $cgiparams{'AUTH'} = 'psk';
2251 } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
2252 $cgiparams{'AUTH'} = 'certfile';
2253 } else {
2254 $cgiparams{'AUTH'} = 'certgen';
2255 }
2256 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
2257 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
2258 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
2259 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
2260 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
2261 }
2262
2263 VPNCONF_ERROR:
2264 $checked{'ENABLED'}{'off'} = '';
2265 $checked{'ENABLED'}{'on'} = '';
2266 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
2267 $checked{'ENABLED_BLUE'}{'off'} = '';
2268 $checked{'ENABLED_BLUE'}{'on'} = '';
2269 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
2270 $checked{'ENABLED_ORANGE'}{'off'} = '';
2271 $checked{'ENABLED_ORANGE'}{'on'} = '';
2272 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
2273
2274
2275 $checked{'EDIT_ADVANCED'}{'off'} = '';
2276 $checked{'EDIT_ADVANCED'}{'on'} = '';
2277 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
2278
2279 $selected{'SIDE'}{'server'} = '';
2280 $selected{'SIDE'}{'client'} = '';
2281 $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
2282
2283 $checked{'AUTH'}{'psk'} = '';
2284 $checked{'AUTH'}{'certreq'} = '';
2285 $checked{'AUTH'}{'certgen'} = '';
2286 $checked{'AUTH'}{'certfile'} = '';
2287 $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
2288
2289 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
2290
2291 $checked{'COMPLZO'}{'off'} = '';
2292 $checked{'COMPLZO'}{'on'} = '';
2293 $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
2294
2295
2296 if (1) {
2297 &Header::showhttpheaders();
2298 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
2299 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
2300 if ($errormessage) {
2301 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2302 print "<class name='base'>$errormessage";
2303 print "&nbsp;</class>";
2304 &Header::closebox();
2305 }
2306
2307 if ($warnmessage) {
2308 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
2309 print "<class name='base'>$warnmessage";
2310 print "&nbsp;</class>";
2311 &Header::closebox();
2312 }
2313
2314 print "<form method='post' enctype='multipart/form-data'>";
2315 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
2316
2317 if ($cgiparams{'KEY'}) {
2318 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
2319 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
2320 }
2321
2322 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
2323 print "<table width='100%'>\n";
2324 print "<tr><td width='25%' class='boldbase'>$Lang::tr{'name'}:</td>";
2325 if ($cgiparams{'TYPE'} eq 'host') {
2326 if ($cgiparams{'KEY'}) {
2327 print "<td width='35%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>\n";
2328 } else {
2329 print "<td width='35%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
2330 }
2331 # print "<tr><td>$Lang::tr{'interface'}</td>";
2332 # print "<td><select name='INTERFACE'>";
2333 # print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
2334 # if ($netsettings{'BLUE_DEV'} ne '') {
2335 # print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>";
2336 # }
2337 # print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
2338 # print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
2339 # print "</select></td></tr>";
2340 # print <<END
2341 } else {
2342 print "<input type='hidden' name='INTERFACE' value='red' />";
2343 if ($cgiparams{'KEY'}) {
2344 print "<td width='25%' class='base' nowrap='nowrap'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
2345 } else {
2346 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
2347 }
2348 print <<END
2349 <td width='25%'>&nbsp;</td>
2350 <td width='25%'>&nbsp;</td></tr>
2351 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td>
2352 <td><select name='SIDE'><option value='server' $selected{'SIDE'}{'server'}>OpenVPN Server</option>
2353 <option value='client' $selected{'SIDE'}{'client'}>OpenVPN Client</option></select></td>
2354 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
2355 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td></tr>
2356 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
2357 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
2358 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
2359 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td></tr>
2360 ttt
2361 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td>
2362 <td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td></tr>
2363 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
2364 <td><select name='PROTOCOL'><option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
2365 <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option></select></td>
2366 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
2367 <td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td></tr>
2368 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2369 <td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
2370 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;<img src='/blob.gif' /></td>
2371 <td> <input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></TD>
2372
2373
2374 END
2375 ;
2376 }
2377 print "<tr><td class='boldbase'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' /></td>";
2378 print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr>";
2379
2380 # if ($cgiparams{'TYPE'} eq 'net') {
2381 print "<tr><td>$Lang::tr{'enabled'} <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>\n";
2382
2383 # if ($cgiparams{'KEY'}) {
2384 # print "<td colspan='3'>&nbsp;</td></tr></table>";
2385 # } else {
2386 # print "<td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</tr></table>";
2387 # }
2388 # }else{
2389 print "<td colspan='3'>&nbsp;</td></tr></table>";
2390 # }
2391
2392
2393
2394 &Header::closebox();
2395
2396 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
2397 # &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
2398 # print <<END
2399 # <table width='100%' cellpadding='0' cellspacing='5' border='0'>
2400 # <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
2401 # <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
2402 # </table>
2403 END
2404 # ;
2405 # &Header::closebox();
2406 } elsif (! $cgiparams{'KEY'}) {
2407 my $disabled='';
2408 my $cakeydisabled='';
2409 my $cacrtdisabled='';
2410 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
2411 if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
2412 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
2413 print <<END
2414 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
2415 <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>
2416 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
2417 <td class='base'>$Lang::tr{'upload a certificate request'}</td>
2418 <td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
2419 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>
2420 <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
2421 <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' BORDER='0' /></td></tr>
2422 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>
2423 <td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
2424 <tr><td>&nbsp;</td>
2425 <td class='base'>$Lang::tr{'users fullname or system hostname'}:</td>
2426 <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
2427 <tr><td>&nbsp;</td>
2428 <td class='base'>$Lang::tr{'users email'}:&nbsp;<img src='/blob.gif' /></td>
2429 <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
2430 <tr><td>&nbsp;</td>
2431 <td class='base'>$Lang::tr{'users department'}:&nbsp;<img src='/blob.gif' /></td>
2432 <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
2433 <tr><td>&nbsp;</td>
2434 <td class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' /></td>
2435 <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
2436 <tr><td>&nbsp;</td>
2437 <td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif'></td>
2438 <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
2439 <tr><td>&nbsp;</td>
2440 <td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' /></td>
2441 <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
2442 <tr><td>&nbsp;</td>
2443 <td class='base'>$Lang::tr{'country'}:</td>
2444 <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
2445 END
2446
2447 ;
2448 foreach my $country (sort keys %{Countries::countries}) {
2449 print "<option value='$Countries::countries{$country}'";
2450 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
2451 print " selected='selected'";
2452 }
2453 print ">$country</option>";
2454 }
2455 print <<END
2456 </select></td></tr>
2457 <tr><td>&nbsp;</td>
2458 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
2459 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
2460 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<BR>($Lang::tr{'confirmation'})</td>
2461 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
2462 </table>
2463 END
2464 ;
2465 &Header::closebox();
2466 }
2467
2468 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
2469 if ($cgiparams{'KEY'}) {
2470 # print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
2471 }
2472 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
2473 &Header::closebigbox();
2474 &Header::closepage();
2475 exit (0);
2476 }
2477 VPNCONF_END:
2478 }
2479
2480 # SETTINGS_ERROR:
2481 ###
2482 ### Default status page
2483 ###
2484 %cgiparams = ();
2485 %cahash = ();
2486 %confighash = ();
2487 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
2488 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
2489 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2490
2491 my @status = `/bin/cat /var/log/ovpnserver.log`;
2492
2493 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
2494 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
2495 my $ipaddr = <IPADDR>;
2496 close IPADDR;
2497 chomp ($ipaddr);
2498 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
2499 if ($cgiparams{'VPN_IP'} eq '') {
2500 $cgiparams{'VPN_IP'} = $ipaddr;
2501 }
2502 }
2503 }
2504
2505 #default setzen
2506 if ($cgiparams{'DCIPHER'} eq '') {
2507 $cgiparams{'DCIPHER'} = 'BF-CBC';
2508 }
2509 # if ($cgiparams{'DCOMPLZO'} eq '') {
2510 # $cgiparams{'DCOMPLZO'} = 'on';
2511 # }
2512 if ($cgiparams{'DDEST_PORT'} eq '') {
2513 $cgiparams{'DDEST_PORT'} = '1194';
2514 }
2515 if ($cgiparams{'DMTU'} eq '') {
2516 $cgiparams{'DMTU'} = '1400';
2517 }
2518 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
2519 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
2520 }
2521
2522 $checked{'ENABLED'}{'off'} = '';
2523 $checked{'ENABLED'}{'on'} = '';
2524 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
2525 $checked{'ENABLED_BLUE'}{'off'} = '';
2526 $checked{'ENABLED_BLUE'}{'on'} = '';
2527 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
2528 $checked{'ENABLED_ORANGE'}{'off'} = '';
2529 $checked{'ENABLED_ORANGE'}{'on'} = '';
2530 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
2531
2532
2533 #new settings
2534 $selected{'DDEVICE'}{'tun'} = '';
2535 $selected{'DDEVICE'}{'tap'} = '';
2536 $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED';
2537
2538 $selected{'DPROTOCOL'}{'udp'} = '';
2539 $selected{'DPROTOCOL'}{'tcp'} = '';
2540 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
2541