]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi
projects / people / pmueller / ipfire-2.x.git / blob
? search:


8a8390a8f7f5430cf432ecc30583b836d10d210c
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007 Michael Tremer & Christian Schmidt #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use CGI;
23 use CGI qw/:standard/;
24 use Net::DNS;
25 use File::Copy;
26 use File::Temp qw/ tempfile tempdir /;
27 use strict;
28 use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
29 require '/var/ipfire/general-functions.pl';
30 require "${General::swroot}/lang.pl";
31 require "${General::swroot}/header.pl";
32 require "${General::swroot}/countries.pl";
33
34 # enable only the following on debugging purpose
35 #use warnings;
36 #use CGI::Carp 'fatalsToBrowser';
37 #workaround to suppress a warning when a variable is used only once
38 my @dummy = ( ${Header::colourgreen} );
39 undef (@dummy);
40
41 my %color = ();
42 my %mainsettings = ();
43 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
44 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
45
46 ###
47 ### Initialize variables
48 ###
49 my %netsettings=();
50 my %cgiparams=();
51 my %vpnsettings=();
52 my %checked=();
53 my %confighash=();
54 my %cahash=();
55 my %selected=();
56 my $warnmessage = '';
57 my $errormessage = '';
58 my %settings=();
59 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
60 $cgiparams{'ENABLED'} = 'off';
61 $cgiparams{'ENABLED_BLUE'} = 'off';
62 $cgiparams{'ENABLED_ORANGE'} = 'off';
63 $cgiparams{'EDIT_ADVANCED'} = 'off';
64 $cgiparams{'NAT'} = 'off';
65 $cgiparams{'COMPRESSION'} = 'off';
66 $cgiparams{'ONLY_PROPOSED'} = 'off';
67 $cgiparams{'ACTION'} = '';
68 $cgiparams{'CA_NAME'} = '';
69 $cgiparams{'DHCP_DOMAIN'} = '';
70 $cgiparams{'DHCP_DNS'} = '';
71 $cgiparams{'DHCP_WINS'} = '';
72 $cgiparams{'DCOMPLZO'} = 'off';
73 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
74
75 # prepare openvpn config file
76 ###
77 ### Useful functions
78 ###
79 sub haveOrangeNet
80 {
81 if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;}
82 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
83 return 0;
84 }
85
86 sub haveBlueNet
87 {
88 if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
89 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
90 return 0;
91 }
92
93 sub sizeformat{
94 my $bytesize = shift;
95 my $i = 0;
96
97 while(abs($bytesize) >= 1024){
98 $bytesize=$bytesize/1024;
99 $i++;
100 last if($i==6);
101 }
102
103 my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
104 my $newsize=(int($bytesize*100 +0.5))/100;
105 return("$newsize $units[$i]");
106 }
107
108 sub valid_dns_host {
109 my $hostname = $_[0];
110 unless ($hostname) { return "No hostname"};
111 my $res = new Net::DNS::Resolver;
112 my $query = $res->search("$hostname");
113 if ($query) {
114 foreach my $rr ($query->answer) {
115 ## Potential bug - we are only looking at A records:
116 return 0 if $rr->type eq "A";
117 }
118 } else {
119 return $res->errorstring;
120 }
121 }
122
123 sub cleanssldatabase
124 {
125 if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
126 print FILE "01";
127 close FILE;
128 }
129 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
130 print FILE "";
131 close FILE;
132 }
133 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
134 unlink ("${General::swroot}/ovpn/certs/serial.old");
135 unlink ("${General::swroot}/ovpn/certs/01.pem");
136 }
137
138 sub newcleanssldatabase
139 {
140 if (! -s "${General::swroot}/ovpn/certs/serial" ) {
141 open(FILE, ">${General::swroot}(ovpn/certs/serial");
142 print FILE "01";
143 close FILE;
144 }
145 if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
146 system ("touch ${General::swroot}/ovpn/certs/index.txt");
147 }
148 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
149 unlink ("${General::swroot}/ovpn/certs/serial.old");
150 }
151
152 sub deletebackupcert
153 {
154 if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
155 my $hexvalue = <FILE>;
156 chomp $hexvalue;
157 close FILE;
158 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
159 }
160 }
161
162 sub checkportfw {
163 my $KEY2 = $_[0]; # key2
164 my $SRC_PORT = $_[1]; # src_port
165 my $PROTOCOL = $_[2]; # protocol
166 my $SRC_IP = $_[3]; # sourceip
167
168 my $pfwfilename = "${General::swroot}/portfw/config";
169 open(FILE, $pfwfilename) or die 'Unable to open config file.';
170 my @pfwcurrent = <FILE>;
171 close(FILE);
172 my $pfwkey1 = 0; # used for finding last sequence number used
173 foreach my $pfwline (@pfwcurrent)
174 {
175 my @pfwtemp = split(/\,/,$pfwline);
176
177 chomp ($pfwtemp[8]);
178 if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition
179 if ( $SRC_PORT eq $pfwtemp[3] &&
180 $PROTOCOL eq $pfwtemp[2] &&
181 $SRC_IP eq $pfwtemp[7])
182 {
183 $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT";
184 }
185 # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
186 if ( $pfwtemp[1] eq "0") {
187 $pfwkey1=$pfwtemp[0];
188 }
189 # Darren Critchley - Duplicate or overlapping Port range check
190 if ($pfwtemp[1] eq "0" &&
191 $PROTOCOL eq $pfwtemp[2] &&
192 $SRC_IP eq $pfwtemp[7] &&
193 $errormessage eq '')
194 {
195 &portchecks($SRC_PORT, $pfwtemp[5]);
196 # &portchecks($pfwtemp[3], $pfwtemp[5]);
197 # &portchecks($pfwtemp[3], $SRC_IP);
198 }
199 }
200 }
201 # $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP";
202
203 return;
204 }
205
206 sub checkportoverlap
207 {
208 my $portrange1 = $_[0]; # New port range
209 my $portrange2 = $_[1]; # existing port range
210 my @tempr1 = split(/\:/,$portrange1);
211 my @tempr2 = split(/\:/,$portrange2);
212
213 unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
214 unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
215
216 unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
217 unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
218
219 return 1; # Everything checks out!
220 }
221
222 # Darren Critchley - we want to make sure that a port entry is not within an already existing range
223 sub checkportinc
224 {
225 my $port1 = $_[0]; # Port
226 my $portrange2 = $_[1]; # Port range
227 my @tempr1 = split(/\:/,$portrange2);
228
229 if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
230 return 1;
231 } else {
232 return 0;
233 }
234 }
235 # Darren Critchley - Duplicate or overlapping Port range check
236 sub portchecks
237 {
238 my $p1 = $_[0]; # New port range
239 my $p2 = $_[1]; # existing port range
240 # $_ = $_[0];
241 our ($prtrange1, $prtrange2);
242 $prtrange1 = 0;
243 # if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
244 # unless (&checkportoverlap($p1,$p2)) {
245 # $errormessage = "$Lang::tr{'source port overlaps'} $p1";
246 # }
247 # }
248 if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
249 unless (&checkportinc($p2,$p1)) {
250 $errormessage = "$Lang::tr{'srcprt within existing'} $p1";
251 }
252 }
253 $prtrange1 = 1;
254 if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
255 unless (&checkportinc($p1,$p2)) {
256 $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2";
257 }
258 }
259 return;
260 }
261
262 # Darren Critchley - certain ports are reserved for IPFire
263 # TCP 67,68,81,222,445
264 # UDP 67,68
265 # Params passed in -> port, rangeyn, protocol
266 sub disallowreserved
267 {
268 # port 67 and 68 same for tcp and udp, don't bother putting in an array
269 my $msg = "";
270 my @tcp_reserved = (81,222,445);
271 my $prt = $_[0]; # the port or range
272 my $ryn = $_[1]; # tells us whether or not it is a port range
273 my $prot = $_[2]; # protocol
274 my $srcdst = $_[3]; # source or destination
275 if ($ryn) { # disect port range
276 if ($srcdst eq "src") {
277 $msg = "$Lang::tr{'rsvd src port overlap'}";
278 } else {
279 $msg = "$Lang::tr{'rsvd dst port overlap'}";
280 }
281 my @tmprng = split(/\:/,$prt);
282 unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
283 unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
284 if ($prot eq "tcp") {
285 foreach my $prange (@tcp_reserved) {
286 unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
287 }
288 }
289 } else {
290 if ($srcdst eq "src") {
291 $msg = "$Lang::tr{'reserved src port'}";
292 } else {
293 $msg = "$Lang::tr{'reserved dst port'}";
294 }
295 if ($prt == 67) { $errormessage="$msg 67"; return; }
296 if ($prt == 68) { $errormessage="$msg 68"; return; }
297 if ($prot eq "tcp") {
298 foreach my $prange (@tcp_reserved) {
299 if ($prange == $prt) { $errormessage="$msg $prange"; return; }
300 }
301 }
302 }
303 return;
304 }
305
306 sub writeserverconf {
307 my %sovpnsettings = ();
308 &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
309
310 open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
311 flock CONF, 2;
312 print CONF "#OpenVPN Server conf\n";
313 print CONF "\n";
314 print CONF "daemon openvpnserver\n";
315 print CONF "writepid /var/run/openvpn.pid\n";
316 print CONF "#DAN prepare OpenVPN for listening on blue and orange\n";
317 print CONF ";local $sovpnsettings{'VPN_IP'}\n";
318 print CONF "dev $sovpnsettings{'DDEVICE'}\n";
319 print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n";
320 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
321 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
322 print CONF "script-security 3 system\n";
323 print CONF "tls-server\n";
324 print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n";
325 print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n";
326 print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n";
327 print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n";
328 my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
329 print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
330 print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
331 if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
332 print CONF "client-to-client\n";
333 }
334 if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
335 print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
336 }
337 print CONF "status-version 1\n";
338 print CONF "status /var/log/ovpnserver.log 30\n";
339 print CONF "cipher $sovpnsettings{DCIPHER}\n";
340 if ($sovpnsettings{DCOMPLZO} eq 'on') {
341 print CONF "comp-lzo\n";
342 }
343 if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
344 print CONF "push \"redirect-gateway def1\"\n";
345 }
346 if ($sovpnsettings{DHCP_DOMAIN} ne '') {
347 print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
348 }
349
350 if ($sovpnsettings{DHCP_DNS} ne '') {
351 print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
352 }
353
354 if ($sovpnsettings{DHCP_WINS} ne '') {
355 print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
356 }
357
358 if ($sovpnsettings{DHCP_WINS} eq '') {
359 print CONF "max-clients 100\n";
360 }
361
362 if ($sovpnsettings{DHCP_WINS} ne '') {
363 print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
364 }
365 print CONF "tls-verify /var/ipfire/ovpn/verify\n";
366 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
367 print CONF "user nobody\n";
368 print CONF "group nobody\n";
369 print CONF "persist-key\n";
370 print CONF "persist-tun\n";
371 if ($sovpnsettings{LOG_VERB} ne '') {
372 print CONF "verb $sovpnsettings{LOG_VERB}\n";
373 } else {
374 print CONF "verb 3\n";
375 }
376 print CONF "\n";
377
378 close(CONF);
379 }
380 #
381 sub emptyserverlog{
382 if (open(FILE, ">/var/log/ovpnserver.log")) {
383 flock FILE, 2;
384 print FILE "";
385 close FILE;
386 }
387
388 }
389
390 #hier die refresh page
391 if ( -e "${General::swroot}/ovpn/gencanow") {
392 my $refresh = '';
393 $refresh = "<meta http-equiv='refresh' content='15;' />";
394 &Header::showhttpheaders();
395 &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
396 &Header::openbigbox('100%', 'center');
397 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
398 print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n";
399 print "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
400 &Header::closebox();
401 &Header::closebigbox();
402 &Header::closepage();
403 exit (0);
404 }
405 ##hier die refresh page
406
407
408 ###
409 ### OpenVPN Server Control
410 ###
411 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
412 $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
413 $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
414 #start openvpn server
415 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
416 &emptyserverlog();
417 system('/usr/local/bin/openvpnctrl', '-s');
418 }
419 #stop openvpn server
420 if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
421 system('/usr/local/bin/openvpnctrl', '-k');
422 &emptyserverlog();
423 }
424 # #restart openvpn server
425 if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
426 #workarund, till SIGHUP also works when running as nobody
427 system('/usr/local/bin/openvpnctrl', '-r');
428 &emptyserverlog();
429 }
430 }
431
432 ###
433 ### Save Advanced options
434 ###
435
436 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
437 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
438 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
439 #DAN this value has to leave.
440 #new settings for daemon
441 $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
442 $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
443 $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
444 $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
445 $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
446 $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
447 $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
448 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
449 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
450
451 if ($cgiparams{'DHCP_DOMAIN'} ne ''){
452 unless (&General::validfqdn($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
453 $errormessage = $Lang::tr{'invalid input for dhcp domain'};
454 goto ADV_ERROR;
455 }
456 }
457 if ($cgiparams{'DHCP_DNS'} ne ''){
458 unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
459 $errormessage = $Lang::tr{'invalid input for dhcp dns'};
460 goto ADV_ERROR;
461 }
462 }
463 if ($cgiparams{'DHCP_WINS'} ne ''){
464 unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
465 $errormessage = $Lang::tr{'invalid input for dhcp wins'};
466 goto ADV_ERROR;
467 }
468 }
469 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) {
470 $errormessage = $Lang::tr{'invalid input for max clients'};
471 goto ADV_ERROR;
472 }
473 if ($cgiparams{'KEEPALIVE_1'} ne '') {
474 if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
475 $errormessage = $Lang::tr{'invalid input for keepalive 1'};
476 goto ADV_ERROR;
477 }
478 }
479 if ($cgiparams{'KEEPALIVE_2'} ne ''){
480 if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
481 $errormessage = $Lang::tr{'invalid input for keepalive 2'};
482 goto ADV_ERROR;
483 }
484 }
485 if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
486 $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
487 goto ADV_ERROR;
488 }
489
490 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
491 &writeserverconf();#hier ok
492 }
493
494
495
496
497 ###
498 ### Save main settings
499 ###
500 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
501 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
502 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
503 #DAN this value has to leave.
504 if ($cgiparams{'ENABLED'} eq 'on'){
505 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
506 $errormessage = $Lang::tr{'invalid input for hostname'};
507 goto SETTINGS_ERROR;
508 }
509 }
510 if ($cgiparams{'ENABLED'} eq 'on'){
511 &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest");
512 }
513 if ($errormessage) { goto SETTINGS_ERROR; }
514
515
516 if ($cgiparams{'ENABLED'} eq 'on'){
517 &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0');
518 }
519
520 if ($errormessage) { goto SETTINGS_ERROR; }
521
522 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
523 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
524 goto SETTINGS_ERROR;
525 }
526 my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
527
528 if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'},
529 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
530 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
531 goto SETTINGS_ERROR;
532 }
533
534 if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
535 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
536 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
537 goto SETTINGS_ERROR;
538 }
539
540 if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
541 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
542 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
543 goto SETTINGS_ERROR;
544 }
545
546 if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
547 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
548 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
549 goto SETTINGS_ERROR;
550 }
551 open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
552 while (<ALIASES>)
553 {
554 chomp($_);
555 my @tempalias = split(/\,/,$_);
556 if ($tempalias[1] eq 'on') {
557 if (&General::IpInSubnet ($tempalias[0] ,
558 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
559 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
560 }
561 }
562 }
563 close(ALIASES);
564 if ($errormessage ne ''){
565 goto SETTINGS_ERROR;
566 }
567 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
568 $errormessage = $Lang::tr{'invalid input'};
569 goto SETTINGS_ERROR;
570 }
571 if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
572 $errormessage = $Lang::tr{'invalid mtu input'};
573 goto SETTINGS_ERROR;
574 }
575
576 unless (&General::validport($cgiparams{'DDEST_PORT'})) {
577 $errormessage = $Lang::tr{'invalid port'};
578 goto SETTINGS_ERROR;
579 }
580 $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
581 $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
582 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
583 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
584 #new settings for daemon
585 $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
586 $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'};
587 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
588 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
589 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
590 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
591 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
592 #wrtie enable
593
594 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");}
595 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");}
596 if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");}
597 #new settings for daemon
598 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
599 &writeserverconf();#hier ok
600 SETTINGS_ERROR:
601 ###
602 ### Reset all step 2
603 ###
604 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') {
605 my $file = '';
606 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
607
608 foreach my $key (keys %confighash) {
609 if ($confighash{$key}[4] eq 'cert') {
610 delete $confighash{$cgiparams{'$key'}};
611 }
612 }
613 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
614 unlink $file
615 }
616 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
617 unlink $file
618 }
619 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
620 unlink $file
621 }
622 &cleanssldatabase();
623 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
624 print FILE "";
625 close FILE;
626 }
627 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
628 #&writeserverconf();
629 ###
630 ### Reset all step 1
631 ###
632 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) {
633 &Header::showhttpheaders();
634 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
635 &Header::openbigbox('100%', 'LEFT', '', '');
636 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
637 print <<END
638 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
639 <tr><td align='center'>
640 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
641 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
642 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />
643 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
644 </form></table>
645 END
646 ;
647 &Header::closebox();
648 &Header::closebigbox();
649 &Header::closepage();
650 exit (0);
651
652 ###
653 ### Upload CA Certificate
654 ###
655 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
656 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
657
658 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
659 $errormessage = $Lang::tr{'name must only contain characters'};
660 goto UPLOADCA_ERROR;
661 }
662
663 if (length($cgiparams{'CA_NAME'}) >60) {
664 $errormessage = $Lang::tr{'name too long'};
665 goto VPNCONF_ERROR;
666 }
667
668 if ($cgiparams{'CA_NAME'} eq 'ca') {
669 $errormessage = $Lang::tr{'name is invalid'};
670 goto UPLOAD_CA_ERROR;
671 }
672
673 # Check if there is no other entry with this name
674 foreach my $key (keys %cahash) {
675 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
676 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
677 goto UPLOADCA_ERROR;
678 }
679 }
680
681 if (ref ($cgiparams{'FH'}) ne 'Fh') {
682 $errormessage = $Lang::tr{'there was no file upload'};
683 goto UPLOADCA_ERROR;
684 }
685 # Move uploaded ca to a temporary file
686 (my $fh, my $filename) = tempfile( );
687 if (copy ($cgiparams{'FH'}, $fh) != 1) {
688 $errormessage = $!;
689 goto UPLOADCA_ERROR;
690 }
691 my $temp = `/usr/bin/openssl x509 -text -in $filename`;
692 if ($temp !~ /CA:TRUE/i) {
693 $errormessage = $Lang::tr{'not a valid ca certificate'};
694 unlink ($filename);
695 goto UPLOADCA_ERROR;
696 } else {
697 move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
698 if ($? ne 0) {
699 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
700 unlink ($filename);
701 goto UPLOADCA_ERROR;
702 }
703 }
704
705 my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`;
706 $casubject =~ /Subject: (.*)[\n]/;
707 $casubject = $1;
708 $casubject =~ s+/Email+, E+;
709 $casubject =~ s/ ST=/ S=/;
710 $casubject = &Header::cleanhtml($casubject);
711
712 my $key = &General::findhasharraykey (\%cahash);
713 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
714 $cahash{$key}[1] = $casubject;
715 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
716 # system('/usr/local/bin/ipsecctrl', 'R');
717
718 UPLOADCA_ERROR:
719
720 ###
721 ### Display ca certificate
722 ###
723 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
724 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
725
726 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
727 &Header::showhttpheaders();
728 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
729 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
730 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
731 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
732 $output = &Header::cleanhtml($output,"y");
733 print "<pre>$output</pre>\n";
734 &Header::closebox();
735 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
736 &Header::closebigbox();
737 &Header::closepage();
738 exit(0);
739 } else {
740 $errormessage = $Lang::tr{'invalid key'};
741 }
742
743 ###
744 ### Download ca certificate
745 ###
746 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
747 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
748
749 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
750 print "Content-Type: application/octet-stream\r\n";
751 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
752 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
753 exit(0);
754 } else {
755 $errormessage = $Lang::tr{'invalid key'};
756 }
757
758 ###
759 ### Remove ca certificate (step 2)
760 ###
761 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
762 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
763 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
764
765 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
766 foreach my $key (keys %confighash) {
767 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
768 if ($test =~ /: OK/) {
769 # Delete connection
770 # if ($vpnsettings{'ENABLED'} eq 'on' ||
771 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
772 # system('/usr/local/bin/ipsecctrl', 'D', $key);
773 # }
774 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
775 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
776 delete $confighash{$key};
777 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
778 # &writeipsecfiles();
779 }
780 }
781 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
782 delete $cahash{$cgiparams{'KEY'}};
783 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
784 # system('/usr/local/bin/ipsecctrl', 'R');
785 } else {
786 $errormessage = $Lang::tr{'invalid key'};
787 }
788 ###
789 ### Remove ca certificate (step 1)
790 ###
791 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
792 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
793 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
794
795 my $assignedcerts = 0;
796 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
797 foreach my $key (keys %confighash) {
798 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
799 if ($test =~ /: OK/) {
800 $assignedcerts++;
801 }
802 }
803 if ($assignedcerts) {
804 &Header::showhttpheaders();
805 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
806 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
807 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
808 print <<END
809 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
810 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
811 <tr><td align='center'>
812 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
813 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
814 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
815 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
816 </form></table>
817 END
818 ;
819 &Header::closebox();
820 &Header::closebigbox();
821 &Header::closepage();
822 exit (0);
823 } else {
824 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
825 delete $cahash{$cgiparams{'KEY'}};
826 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
827 # system('/usr/local/bin/ipsecctrl', 'R');
828 }
829 } else {
830 $errormessage = $Lang::tr{'invalid key'};
831 }
832
833 ###
834 ### Display root certificate
835 ###
836 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
837 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
838 my $output;
839 &Header::showhttpheaders();
840 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
841 &Header::openbigbox('100%', 'LEFT', '', '');
842 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
843 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
844 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
845 } else {
846 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
847 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
848 }
849 $output = &Header::cleanhtml($output,"y");
850 print "<pre>$output</pre>\n";
851 &Header::closebox();
852 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
853 &Header::closebigbox();
854 &Header::closepage();
855 exit(0);
856
857 ###
858 ### Download root certificate
859 ###
860 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
861 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
862 print "Content-Type: application/octet-stream\r\n";
863 print "Content-Disposition: filename=cacert.pem\r\n\r\n";
864 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`;
865 exit(0);
866 }
867
868 ###
869 ### Download host certificate
870 ###
871 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
872 if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
873 print "Content-Type: application/octet-stream\r\n";
874 print "Content-Disposition: filename=servercert.pem\r\n\r\n";
875 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`;
876 exit(0);
877 }
878 ###
879 ### Form for generating a root certificate
880 ###
881 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
882 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
883
884 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
885 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
886 $errormessage = $Lang::tr{'valid root certificate already exists'};
887 $cgiparams{'ACTION'} = '';
888 goto ROOTCERT_ERROR;
889 }
890
891 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
892 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
893 my $ipaddr = <IPADDR>;
894 close IPADDR;
895 chomp ($ipaddr);
896 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
897 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
898 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
899 }
900 }
901 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
902
903 if (ref ($cgiparams{'FH'}) ne 'Fh') {
904 $errormessage = $Lang::tr{'there was no file upload'};
905 goto ROOTCERT_ERROR;
906 }
907
908 # Move uploaded certificate request to a temporary file
909 (my $fh, my $filename) = tempfile( );
910 if (copy ($cgiparams{'FH'}, $fh) != 1) {
911 $errormessage = $!;
912 goto ROOTCERT_ERROR;
913 }
914
915 # Create a temporary dirctory
916 my $tempdir = tempdir( CLEANUP => 1 );
917
918 # Extract the CA certificate from the file
919 my $pid = open(OPENSSL, "|-");
920 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
921 if ($pid) { # parent
922 if ($cgiparams{'P12_PASS'} ne '') {
923 print OPENSSL "$cgiparams{'P12_PASS'}\n";
924 }
925 close (OPENSSL);
926 if ($?) {
927 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
928 unlink ($filename);
929 goto ROOTCERT_ERROR;
930 }
931 } else { # child
932 unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
933 '-in', $filename,
934 '-out', "$tempdir/cacert.pem")) {
935 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
936 unlink ($filename);
937 goto ROOTCERT_ERROR;
938 }
939 }
940
941 # Extract the Host certificate from the file
942 $pid = open(OPENSSL, "|-");
943 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
944 if ($pid) { # parent
945 if ($cgiparams{'P12_PASS'} ne '') {
946 print OPENSSL "$cgiparams{'P12_PASS'}\n";
947 }
948 close (OPENSSL);
949 if ($?) {
950 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
951 unlink ($filename);
952 goto ROOTCERT_ERROR;
953 }
954 } else { # child
955 unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
956 '-in', $filename,
957 '-out', "$tempdir/hostcert.pem")) {
958 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
959 unlink ($filename);
960 goto ROOTCERT_ERROR;
961 }
962 }
963
964 # Extract the Host key from the file
965 $pid = open(OPENSSL, "|-");
966 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
967 if ($pid) { # parent
968 if ($cgiparams{'P12_PASS'} ne '') {
969 print OPENSSL "$cgiparams{'P12_PASS'}\n";
970 }
971 close (OPENSSL);
972 if ($?) {
973 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
974 unlink ($filename);
975 goto ROOTCERT_ERROR;
976 }
977 } else { # child
978 unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
979 '-nodes',
980 '-in', $filename,
981 '-out', "$tempdir/serverkey.pem")) {
982 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
983 unlink ($filename);
984 goto ROOTCERT_ERROR;
985 }
986 }
987
988 move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem");
989 if ($? ne 0) {
990 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
991 unlink ($filename);
992 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
993 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
994 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
995 goto ROOTCERT_ERROR;
996 }
997
998 move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem");
999 if ($? ne 0) {
1000 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1001 unlink ($filename);
1002 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1003 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1004 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1005 goto ROOTCERT_ERROR;
1006 }
1007
1008 move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem");
1009 if ($? ne 0) {
1010 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
1011 unlink ($filename);
1012 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1013 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1014 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1015 goto ROOTCERT_ERROR;
1016 }
1017
1018 goto ROOTCERT_SUCCESS;
1019
1020 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1021
1022 # Validate input since the form was submitted
1023 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1024 $errormessage = $Lang::tr{'organization cant be empty'};
1025 goto ROOTCERT_ERROR;
1026 }
1027 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1028 $errormessage = $Lang::tr{'organization too long'};
1029 goto ROOTCERT_ERROR;
1030 }
1031 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1032 $errormessage = $Lang::tr{'invalid input for organization'};
1033 goto ROOTCERT_ERROR;
1034 }
1035 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1036 $errormessage = $Lang::tr{'hostname cant be empty'};
1037 goto ROOTCERT_ERROR;
1038 }
1039 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1040 $errormessage = $Lang::tr{'invalid input for hostname'};
1041 goto ROOTCERT_ERROR;
1042 }
1043 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1044 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1045 goto ROOTCERT_ERROR;
1046 }
1047 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1048 $errormessage = $Lang::tr{'e-mail address too long'};
1049 goto ROOTCERT_ERROR;
1050 }
1051 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1052 $errormessage = $Lang::tr{'invalid input for department'};
1053 goto ROOTCERT_ERROR;
1054 }
1055 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1056 $errormessage = $Lang::tr{'invalid input for city'};
1057 goto ROOTCERT_ERROR;
1058 }
1059 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1060 $errormessage = $Lang::tr{'invalid input for state or province'};
1061 goto ROOTCERT_ERROR;
1062 }
1063 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1064 $errormessage = $Lang::tr{'invalid input for country'};
1065 goto ROOTCERT_ERROR;
1066 }
1067
1068 # Copy the cgisettings to vpnsettings and save the configfile
1069 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
1070 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
1071 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
1072 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
1073 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
1074 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
1075 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
1076 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1077
1078 # Replace empty strings with a .
1079 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1080 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1081 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1082
1083 # refresh
1084 #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
1085
1086 # Create the CA certificate
1087 my $pid = open(OPENSSL, "|-");
1088 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1089 if ($pid) { # parent
1090 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1091 print OPENSSL "$state\n";
1092 print OPENSSL "$city\n";
1093 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1094 print OPENSSL "$ou\n";
1095 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1096 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1097 close (OPENSSL);
1098 if ($?) {
1099 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1100 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1101 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1102 goto ROOTCERT_ERROR;
1103 }
1104 } else { # child
1105 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1106 '-days', '999999', '-newkey', 'rsa:2048',
1107 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1108 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1109 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1110 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1111 goto ROOTCERT_ERROR;
1112 }
1113 }
1114
1115 # Create the Host certificate request
1116 $pid = open(OPENSSL, "|-");
1117 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1118 if ($pid) { # parent
1119 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1120 print OPENSSL "$state\n";
1121 print OPENSSL "$city\n";
1122 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1123 print OPENSSL "$ou\n";
1124 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1125 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1126 print OPENSSL ".\n";
1127 print OPENSSL ".\n";
1128 close (OPENSSL);
1129 if ($?) {
1130 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1131 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1132 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1133 goto ROOTCERT_ERROR;
1134 }
1135 } else { # child
1136 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1137 '-newkey', 'rsa:1024',
1138 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1139 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1140 '-extensions', 'server',
1141 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1142 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1143 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1144 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1145 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1146 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1147 goto ROOTCERT_ERROR;
1148 }
1149 }
1150
1151 # Sign the host certificate request
1152 system('/usr/bin/openssl', 'ca', '-days', '999999',
1153 '-batch', '-notext',
1154 '-in', "${General::swroot}/ovpn/certs/serverreq.pem",
1155 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1156 '-extensions', 'server',
1157 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1158 if ($?) {
1159 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1160 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1161 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1162 unlink ("${General::swroot}/ovpn/serverkey.pem");
1163 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1164 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1165 &newcleanssldatabase();
1166 goto ROOTCERT_ERROR;
1167 } else {
1168 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1169 &deletebackupcert();
1170 }
1171
1172 # Create an empty CRL
1173 system('/usr/bin/openssl', 'ca', '-gencrl',
1174 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
1175 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
1176 if ($?) {
1177 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1178 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1179 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1180 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1181 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
1182 &cleanssldatabase();
1183 goto ROOTCERT_ERROR;
1184 # } else {
1185 # &cleanssldatabase();
1186 }
1187 # Create Diffie Hellmann Parameter
1188 system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1189 '-out', "${General::swroot}/ovpn/ca/dh1024.pem",
1190 '1024' );
1191 if ($?) {
1192 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1193 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1194 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1195 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1196 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
1197 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1198 &cleanssldatabase();
1199 goto ROOTCERT_ERROR;
1200 # } else {
1201 # &cleanssldatabase();
1202 }
1203 goto ROOTCERT_SUCCESS;
1204 }
1205 ROOTCERT_ERROR:
1206 if ($cgiparams{'ACTION'} ne '') {
1207 &Header::showhttpheaders();
1208 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1209 &Header::openbigbox('100%', 'LEFT', '', '');
1210 if ($errormessage) {
1211 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1212 print "<class name='base'>$errormessage";
1213 print "&nbsp;</class>";
1214 &Header::closebox();
1215 }
1216 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
1217 print <<END
1218 <form method='post' enctype='multipart/form-data'>
1219 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
1220 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>
1221 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
1222 <td width='35%' colspan='2'>&nbsp;</td></tr>
1223 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:</td>
1224 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
1225 <td colspan='2'>&nbsp;</td></tr>
1226 <tr><td class='base'>$Lang::tr{'your e-mail'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1227 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
1228 <td colspan='2'>&nbsp;</td></tr>
1229 <tr><td class='base'>$Lang::tr{'your department'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1230 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
1231 <td colspan='2'>&nbsp;</td></tr>
1232 <tr><td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1233 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
1234 <td colspan='2'>&nbsp;</td></tr>
1235 <tr><td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1236 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
1237 <td colspan='2'>&nbsp;</td></tr>
1238 <tr><td class='base'>$Lang::tr{'country'}:</td>
1239 <td class='base'><select name='ROOTCERT_COUNTRY'>
1240
1241 END
1242 ;
1243 foreach my $country (sort keys %{Countries::countries}) {
1244 print "<option value='$Countries::countries{$country}'";
1245 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
1246 print " selected='selected'";
1247 }
1248 print ">$country</option>";
1249 }
1250 print <<END
1251 </select></td>
1252 <td colspan='2'>&nbsp;</td></tr>
1253 <tr><td>&nbsp;</td>
1254 <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
1255 <td>&nbsp;</td><td>&nbsp;</td></tr>
1256 <tr><td class='base' colspan='4' align='left'>
1257 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1258 <tr><td class='base' colspan='4' align='left'>
1259 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
1260 $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
1261 </td></tr>
1262 <tr><td colspan='4' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>
1263 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
1264 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
1265 <td colspan='2'>&nbsp;</td></tr>
1266 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' ></td>
1267 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
1268 <td colspan='2'>&nbsp;</td></tr>
1269 <tr><td>&nbsp;</td>
1270 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
1271 <td colspan='2'>&nbsp;</td></tr>
1272 <tr><td class='base' colspan='4' align='left'>
1273 <img src='/blob.gif' valign='top' al='*' >&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1274 </form></table>
1275 END
1276 ;
1277 &Header::closebox();
1278
1279 &Header::closebigbox();
1280 &Header::closepage();
1281 exit(0)
1282 }
1283
1284 ROOTCERT_SUCCESS:
1285 system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem");
1286 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1287 # $vpnsettings{'ENABLE_BLUE'} eq 'on') {
1288 # system('/usr/local/bin/ipsecctrl', 'S');
1289 # }
1290
1291 ###
1292 ### Enable/Disable connection
1293 ###
1294 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1295
1296 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1297 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1298
1299 if ($confighash{$cgiparams{'KEY'}}) {
1300 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1301 $confighash{$cgiparams{'KEY'}}[0] = 'on';
1302 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1303 #&writeserverconf();
1304 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1305 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1306 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1307 # }
1308 } else {
1309 $confighash{$cgiparams{'KEY'}}[0] = 'off';
1310 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1311 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1312 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1313 # }
1314 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1315 #&writeserverconf();
1316 }
1317 } else {
1318 $errormessage = $Lang::tr{'invalid key'};
1319 }
1320
1321 ###
1322 ### Download OpenVPN client package
1323 ###
1324 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
1325 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1326 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1327 my $file = '';
1328 my $clientovpn = '';
1329 my @fileholder;
1330 my $tempdir = tempdir( CLEANUP => 1 );
1331 my $zippath = "$tempdir/";
1332 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
1333 my $zippathname = "$zippath$zipname";
1334 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
1335 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
1336 flock CLIENTCONF, 2;
1337
1338 my $zip = Archive::Zip->new();
1339
1340 print CLIENTCONF "#OpenVPN Server conf\r\n";
1341 print CLIENTCONF "tls-client\r\n";
1342 print CLIENTCONF "client\r\n";
1343 print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n";
1344 print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
1345 print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n";
1346 if ( $vpnsettings{'ENABLED'} eq 'on'){
1347 print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
1348 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
1349 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n";
1350 print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1351 }
1352 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1353 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
1354 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1355 }
1356 } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
1357 print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1358 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1359 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
1360 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1361 }
1362 } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1363 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1364 }
1365
1366 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
1367 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
1368 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
1369 } else {
1370 print CLIENTCONF "ca cacert.pem\r\n";
1371 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
1372 print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
1373 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
1374 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
1375 }
1376 print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
1377 if ($vpnsettings{DCOMPLZO} eq 'on') {
1378 print CLIENTCONF "comp-lzo\r\n";
1379 }
1380 print CLIENTCONF "verb 3\r\n";
1381 print CLIENTCONF "ns-cert-type server\r\n";
1382 print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n";
1383 close(CLIENTCONF);
1384 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
1385 my $status = $zip->writeToFileNamed($zippathname);
1386
1387 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
1388 @fileholder = <DLFILE>;
1389 print "Content-Type:application/x-download\n";
1390 print "Content-Disposition:attachment;filename=$zipname\n\n";
1391 print @fileholder;
1392 exit (0);
1393
1394 ###
1395 ### Remove connection
1396 ###
1397 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
1398 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1399 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1400
1401 if ($confighash{$cgiparams{'KEY'}}) {
1402 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1403 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1404 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1405 # }
1406 #
1407 my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
1408 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1409 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1410 delete $confighash{$cgiparams{'KEY'}};
1411 my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
1412 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1413 #&writeserverconf();
1414 } else {
1415 $errormessage = $Lang::tr{'invalid key'};
1416 }
1417 ###
1418 ### Download PKCS12 file
1419 ###
1420 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
1421 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1422
1423 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
1424 print "Content-Type: application/octet-stream\r\n\r\n";
1425 print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
1426 exit (0);
1427
1428 ###
1429 ### Display certificate
1430 ###
1431 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
1432 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1433
1434 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1435 &Header::showhttpheaders();
1436 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1437 &Header::openbigbox('100%', 'LEFT', '', '');
1438 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
1439 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1440 $output = &Header::cleanhtml($output,"y");
1441 print "<pre>$output</pre>\n";
1442 &Header::closebox();
1443 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1444 &Header::closebigbox();
1445 &Header::closepage();
1446 exit(0);
1447 }
1448 ###
1449 ### Display Certificate Revoke List
1450 ###
1451 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
1452 # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1453
1454 if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") {
1455 &Header::showhttpheaders();
1456 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1457 &Header::openbigbox('100%', 'LEFT', '', '');
1458 &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
1459 my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`;
1460 $output = &Header::cleanhtml($output,"y");
1461 print "<pre>$output</pre>\n";
1462 &Header::closebox();
1463 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1464 &Header::closebigbox();
1465 &Header::closepage();
1466 exit(0);
1467 }
1468
1469 ###
1470 ### Advanced Server Settings
1471 ###
1472
1473 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
1474 %cgiparams = ();
1475 %cahash = ();
1476 %confighash = ();
1477 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
1478
1479 # if ($cgiparams{'CLIENT2CLIENT'} eq '') {
1480 # $cgiparams{'CLIENT2CLIENT'} = 'on';
1481 # }
1482 ADV_ERROR:
1483 if ($cgiparams{'MAX_CLIENTS'} eq '') {
1484 $cgiparams{'MAX_CLIENTS'} = '100';
1485 }
1486
1487 if ($cgiparams{'KEEPALIVE_1'} eq '') {
1488 $cgiparams{'KEEPALIVE_1'} = '10';
1489 }
1490 if ($cgiparams{'KEEPALIVE_2'} eq '') {
1491 $cgiparams{'KEEPALIVE_2'} = '60';
1492 }
1493 if ($cgiparams{'LOG_VERB'} eq '') {
1494 $cgiparams{'LOG_VERB'} = '3';
1495 }
1496 $checked{'CLIENT2CLIENT'}{'off'} = '';
1497 $checked{'CLIENT2CLIENT'}{'on'} = '';
1498 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
1499 $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
1500 $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
1501 $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
1502 $selected{'LOG_VERB'}{'1'} = '';
1503 $selected{'LOG_VERB'}{'2'} = '';
1504 $selected{'LOG_VERB'}{'3'} = '';
1505 $selected{'LOG_VERB'}{'4'} = '';
1506 $selected{'LOG_VERB'}{'5'} = '';
1507 $selected{'LOG_VERB'}{'6'} = '';
1508 $selected{'LOG_VERB'}{'7'} = '';
1509 $selected{'LOG_VERB'}{'8'} = '';
1510 $selected{'LOG_VERB'}{'9'} = '';
1511 $selected{'LOG_VERB'}{'10'} = '';
1512 $selected{'LOG_VERB'}{'11'} = '';
1513 $selected{'LOG_VERB'}{'0'} = '';
1514 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
1515
1516 &Header::showhttpheaders();
1517 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
1518 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1519 if ($errormessage) {
1520 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1521 print "<class name='base'>$errormessage\n";
1522 print "&nbsp;</class>\n";
1523 &Header::closebox();
1524 }
1525 &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
1526 print <<END
1527 <form method='post' enctype='multipart/form-data'>
1528 <table width='100%'>
1529 <tr>
1530 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
1531 </tr>
1532 <tr>
1533 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1534 </tr>
1535 <tr>
1536 <td class='base'>Domain</td>
1537 <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
1538 </tr>
1539 <tr>
1540 <td class='base'>DNS</td>
1541 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
1542 </tr>
1543 <tr>
1544 <td class='base'>WINS</td>
1545 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
1546 </tr>
1547 </table>
1548 <hr size='1'>
1549 <table width='100%'>
1550 <tr>
1551 <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
1552 </tr>
1553 <tr>
1554 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1555 </tr>
1556 <tr>
1557 <td class='base'>Client-To-Client</td>
1558 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
1559 </tr>
1560 <tr>
1561 <td class='base'>Redirect-Gateway def1</td>
1562 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
1563 </tr>
1564 <tr>
1565 <td class='base'>Max-Clients</td>
1566 <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='30' /></td>
1567 </tr>
1568 <td class='base'>Keppalive (ping/ping-restart)</td>
1569 <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='30' /></td>
1570 <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='30' /></td>
1571 </tr>
1572 </table>
1573 <hr size='1'>
1574 <table width='100%'>
1575 <tr>
1576 <td class'base'><b>$Lang::tr{'log-options'}</b></td>
1577 </tr>
1578 <tr>
1579 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1580 </tr>
1581
1582 <tr><td class='base'>VERB</td>
1583 <td><select name='LOG_VERB'><option value='1' $selected{'LOG_VERB'}{'1'}>1</option>
1584 <option value='2' $selected{'LOG_VERB'}{'2'}>2</option>
1585 <option value='3' $selected{'LOG_VERB'}{'3'}>3</option>
1586 <option value='4' $selected{'LOG_VERB'}{'4'}>4</option>
1587 <option value='5' $selected{'LOG_VERB'}{'5'}>5</option>
1588 <option value='6' $selected{'LOG_VERB'}{'6'}>6</option>
1589 <option value='7' $selected{'LOG_VERB'}{'7'}>7</option>
1590 <option value='8' $selected{'LOG_VERB'}{'8'}>8</option>
1591 <option value='9' $selected{'LOG_VERB'}{'9'}>9</option>
1592 <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
1593 <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
1594 <option value='0' $selected{'LOG_VERB'}{'0'}>0</option></select></td>
1595 </table>
1596 <hr size='1'>
1597 <table width='100%'>
1598 <tr>
1599 <td>&nbsp;</td>
1600 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
1601 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
1602 <td>&nbsp;</td>
1603 </tr>
1604 </table>
1605 </form>
1606 END
1607 ;
1608
1609 &Header::closebox();
1610 # print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1611 &Header::closebigbox();
1612 &Header::closepage();
1613 exit(0);
1614
1615 ###
1616 ### Openvpn Connections Statistics
1617 ###
1618 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
1619 &Header::showhttpheaders();
1620 &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
1621 &Header::openbigbox('100%', 'LEFT', '', '');
1622 &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
1623
1624 #
1625 # <td><b>$Lang::tr{'protocol'}</b></td>
1626 # protocol temp removed
1627 print <<END
1628 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
1629 <tr>
1630 <td><b>$Lang::tr{'common name'}</b></td>
1631 <td><b>$Lang::tr{'real address'}</b></td>
1632 <td><b>$Lang::tr{'virtual address'}</b></td>
1633 <td><b>$Lang::tr{'loged in at'}</b></td>
1634 <td><b>$Lang::tr{'bytes sent'}</b></td>
1635 <td><b>$Lang::tr{'bytes received'}</b></td>
1636 <td><b>$Lang::tr{'last activity'}</b></td>
1637 </tr>
1638 END
1639 ;
1640 my $filename = "/var/log/ovpnserver.log";
1641 open(FILE, $filename) or die 'Unable to open config file.';
1642 my @current = <FILE>;
1643 close(FILE);
1644 my @users =();
1645 my $status;
1646 my $uid = 0;
1647 my $cn;
1648 my @match = ();
1649 my $proto = "udp";
1650 my $address;
1651 my %userlookup = ();
1652 foreach my $line (@current)
1653 {
1654 chomp($line);
1655 if ( $line =~ /^Updated,(.+)/){
1656 @match = split( /^Updated,(.+)/, $line);
1657 $status = $match[1];
1658 }
1659 #gian
1660 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
1661 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
1662 if ($match[1] ne "Common Name") {
1663 $cn = $match[1];
1664 $userlookup{$match[2]} = $uid;
1665 $users[$uid]{'CommonName'} = $match[1];
1666 $users[$uid]{'RealAddress'} = $match[2];
1667 $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
1668 $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
1669 $users[$uid]{'Since'} = $match[5];
1670 $users[$uid]{'Proto'} = $proto;
1671 $uid++;
1672 }
1673 }
1674 if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
1675 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
1676 if ($match[1] ne "Virtual Address") {
1677 $address = $match[3];
1678 #find the uid in the lookup table
1679 $uid = $userlookup{$address};
1680 $users[$uid]{'VirtualAddress'} = $match[1];
1681 $users[$uid]{'LastRef'} = $match[4];
1682 }
1683 }
1684 }
1685 my $user2 = @users;
1686 if ($user2 >= 1){
1687 for (my $idx = 1; $idx <= $user2; $idx++){
1688 if ($idx % 2) {
1689 print "<tr bgcolor='$color{'color20'}'>\n";
1690 } else {
1691 print "<tr bgcolor='$color{'color22'}'>\n";
1692 }
1693 print "<td align='left'>$users[$idx-1]{'CommonName'}</td>";
1694 print "<td align='left'>$users[$idx-1]{'RealAddress'}</td>";
1695 print "<td align='left'>$users[$idx-1]{'VirtualAddress'}</td>";
1696 print "<td align='left'>$users[$idx-1]{'Since'}</td>";
1697 print "<td align='left'>$users[$idx-1]{'BytesSent'}</td>";
1698 print "<td align='left'>$users[$idx-1]{'BytesReceived'}</td>";
1699 print "<td align='left'>$users[$idx-1]{'LastRef'}</td>";
1700 # print "<td align='left'>$users[$idx-1]{'Proto'}</td>";
1701 }
1702 }
1703
1704 print "</table>";
1705 print <<END
1706 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
1707 <tr><td></td></tr>
1708 <tr><td></td></tr>
1709 <tr><td></td></tr>
1710 <tr><td></td></tr>
1711 <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
1712 </table>
1713 END
1714 ;
1715 &Header::closebox();
1716 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1717 &Header::closebigbox();
1718 &Header::closepage();
1719 exit(0);
1720
1721 ###
1722 ### Download Certificate
1723 ###
1724 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
1725 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1726
1727 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1728 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
1729 print "Content-Type: application/octet-stream\r\n\r\n";
1730 print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1731 exit (0);
1732 }
1733
1734 ###
1735 ### Enable/Disable connection
1736 ###
1737 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1738
1739 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1740 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1741
1742 if ($confighash{$cgiparams{'KEY'}}) {
1743 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1744 $confighash{$cgiparams{'KEY'}}[0] = 'on';
1745 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1746 #&writeserverconf();
1747 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1748 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1749 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1750 # }
1751 } else {
1752 $confighash{$cgiparams{'KEY'}}[0] = 'off';
1753 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1754 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1755 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1756 # }
1757 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1758 #&writeserverconf();
1759 }
1760 } else {
1761 $errormessage = $Lang::tr{'invalid key'};
1762 }
1763
1764 ###
1765 ### Restart connection
1766 ###
1767 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
1768 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1769 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1770
1771 if ($confighash{$cgiparams{'KEY'}}) {
1772 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1773 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1774 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1775 # }
1776 } else {
1777 $errormessage = $Lang::tr{'invalid key'};
1778 }
1779
1780 ###
1781 ### Remove connection
1782 ###
1783 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
1784 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1785 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1786
1787 if ($confighash{$cgiparams{'KEY'}}) {
1788 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1789 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1790 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1791 # }
1792 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1793 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1794 delete $confighash{$cgiparams{'KEY'}};
1795 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1796 #&writeserverconf();
1797 } else {
1798 $errormessage = $Lang::tr{'invalid key'};
1799 }
1800 #test33
1801
1802 ###
1803 ### Choose between adding a host-net or net-net connection
1804 ###
1805 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
1806 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1807 &Header::showhttpheaders();
1808 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1809 &Header::openbigbox('100%', 'LEFT', '', '');
1810 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
1811 print <<END
1812 <b>$Lang::tr{'connection type'}:</b><br />
1813 <table><form method='post'>
1814 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
1815 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
1816 <tr><td><input type='radio' name='TYPE' value='net' disabled='disabled' /></td>
1817 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
1818 <tr><td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
1819 </form></table>
1820 END
1821 ;
1822 &Header::closebox();
1823 &Header::closebigbox();
1824 &Header::closepage();
1825 exit (0);
1826 ###
1827 ### Adding a new connection
1828 ###
1829 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
1830 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
1831 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
1832
1833 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1834 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1835 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1836
1837 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
1838 if (! $confighash{$cgiparams{'KEY'}}[0]) {
1839 $errormessage = $Lang::tr{'invalid key'};
1840 goto VPNCONF_END;
1841 }
1842 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
1843 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
1844 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
1845 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
1846 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
1847 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
1848 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
1849 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
1850 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
1851 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
1852 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
1853 #new fields
1854 $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
1855 $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
1856 $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
1857 $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
1858 $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
1859 #new fields
1860 #ab hiere error uebernehmen
1861 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
1862 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
1863 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
1864 $errormessage = $Lang::tr{'connection type is invalid'};
1865 goto VPNCONF_ERROR;
1866 }
1867
1868
1869 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
1870 $errormessage = $Lang::tr{'name must only contain characters'};
1871 goto VPNCONF_ERROR;
1872 }
1873
1874 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
1875 $errormessage = $Lang::tr{'name is invalid'};
1876 goto VPNCONF_ERROR;
1877 }
1878
1879 if (length($cgiparams{'NAME'}) >60) {
1880 $errormessage = $Lang::tr{'name too long'};
1881 goto VPNCONF_ERROR;
1882 }
1883
1884 # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
1885 # $errormessage = $Lang::tr{'ipfire side is invalid'};
1886 # goto VPNCONF_ERROR;
1887 # }
1888
1889 # Check if there is no other entry with this name
1890 if (! $cgiparams{'KEY'}) {
1891 foreach my $key (keys %confighash) {
1892 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
1893 $errormessage = $Lang::tr{'a connection with this name already exists'};
1894 goto VPNCONF_ERROR;
1895 }
1896 }
1897 }
1898
1899 if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
1900 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1901 goto VPNCONF_ERROR;
1902 }
1903
1904 if ($cgiparams{'REMOTE'}) {
1905 if (! &General::validip($cgiparams{'REMOTE'})) {
1906 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
1907 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1908 goto VPNCONF_ERROR;
1909 } else {
1910 if (&valid_dns_host($cgiparams{'REMOTE'})) {
1911 $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
1912 }
1913 }
1914 }
1915 }
1916 if ($cgiparams{'TYPE'} ne 'host') {
1917 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
1918 $errormessage = $Lang::tr{'local subnet is invalid'};
1919 goto VPNCONF_ERROR;}
1920 }
1921 # Check if there is no other entry without IP-address and PSK
1922 if ($cgiparams{'REMOTE'} eq '') {
1923 foreach my $key (keys %confighash) {
1924 if(($cgiparams{'KEY'} ne $key) &&
1925 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
1926 $confighash{$key}[10] eq '') {
1927 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
1928 goto VPNCONF_ERROR;
1929 }
1930 }
1931 }
1932 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
1933 $errormessage = $Lang::tr{'remote subnet is invalid'};
1934 goto VPNCONF_ERROR;
1935 }
1936
1937 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1938 $errormessage = $Lang::tr{'invalid input'};
1939 goto VPNCONF_ERROR;
1940 }
1941 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
1942 $errormessage = $Lang::tr{'invalid input'};
1943 goto VPNCONF_ERROR;
1944 }
1945
1946 #fixplausi
1947 if ($cgiparams{'AUTH'} eq 'psk') {
1948 # if (! length($cgiparams{'PSK'}) ) {
1949 # $errormessage = $Lang::tr{'pre-shared key is too short'};
1950 # goto VPNCONF_ERROR;
1951 # }
1952 # if ($cgiparams{'PSK'} =~ /['",&]/) {
1953 # $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
1954 # goto VPNCONF_ERROR;
1955 # }
1956 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
1957 if ($cgiparams{'KEY'}) {
1958 $errormessage = $Lang::tr{'cant change certificates'};
1959 goto VPNCONF_ERROR;
1960 }
1961 if (ref ($cgiparams{'FH'}) ne 'Fh') {
1962 $errormessage = $Lang::tr{'there was no file upload'};
1963 goto VPNCONF_ERROR;
1964 }
1965
1966 # Move uploaded certificate request to a temporary file
1967 (my $fh, my $filename) = tempfile( );
1968 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1969 $errormessage = $!;
1970 goto VPNCONF_ERROR;
1971 }
1972
1973 # Sign the certificate request and move it
1974 # Sign the host certificate request
1975 system('/usr/bin/openssl', 'ca', '-days', '999999',
1976 '-batch', '-notext',
1977 '-in', $filename,
1978 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
1979 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
1980 if ($?) {
1981 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1982 unlink ($filename);
1983 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
1984 &newcleanssldatabase();
1985 goto VPNCONF_ERROR;
1986 } else {
1987 unlink ($filename);
1988 &deletebackupcert();
1989 }
1990
1991 my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
1992 $temp =~ /Subject:.*CN=(.*)[\n]/;
1993 $temp = $1;
1994 $temp =~ s+/Email+, E+;
1995 $temp =~ s/ ST=/ S=/;
1996 $cgiparams{'CERT_NAME'} = $temp;
1997 $cgiparams{'CERT_NAME'} =~ s/,//g;
1998 $cgiparams{'CERT_NAME'} =~ s/\'//g;
1999 if ($cgiparams{'CERT_NAME'} eq '') {
2000 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
2001 goto VPNCONF_ERROR;
2002 }
2003 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
2004 if ($cgiparams{'KEY'}) {
2005 $errormessage = $Lang::tr{'cant change certificates'};
2006 goto VPNCONF_ERROR;
2007 }
2008 if (ref ($cgiparams{'FH'}) ne 'Fh') {
2009 $errormessage = $Lang::tr{'there was no file upload'};
2010 goto VPNCONF_ERROR;
2011 }
2012 # Move uploaded certificate to a temporary file
2013 (my $fh, my $filename) = tempfile( );
2014 if (copy ($cgiparams{'FH'}, $fh) != 1) {
2015 $errormessage = $!;
2016 goto VPNCONF_ERROR;
2017 }
2018
2019 # Verify the certificate has a valid CA and move it
2020 my $validca = 0;
2021 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`;
2022 if ($test =~ /: OK/) {
2023 $validca = 1;
2024 } else {
2025 foreach my $key (keys %cahash) {
2026 $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`;
2027 if ($test =~ /: OK/) {
2028 $validca = 1;
2029 }
2030 }
2031 }
2032 if (! $validca) {
2033 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
2034 unlink ($filename);
2035 goto VPNCONF_ERROR;
2036 } else {
2037 move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2038 if ($? ne 0) {
2039 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
2040 unlink ($filename);
2041 goto VPNCONF_ERROR;
2042 }
2043 }
2044
2045 my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
2046 $temp =~ /Subject:.*CN=(.*)[\n]/;
2047 $temp = $1;
2048 $temp =~ s+/Email+, E+;
2049 $temp =~ s/ ST=/ S=/;
2050 $cgiparams{'CERT_NAME'} = $temp;
2051 $cgiparams{'CERT_NAME'} =~ s/,//g;
2052 $cgiparams{'CERT_NAME'} =~ s/\'//g;
2053 if ($cgiparams{'CERT_NAME'} eq '') {
2054 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2055 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
2056 goto VPNCONF_ERROR;
2057 }
2058 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
2059 if ($cgiparams{'KEY'}) {
2060 $errormessage = $Lang::tr{'cant change certificates'};
2061 goto VPNCONF_ERROR;
2062 }
2063 # Validate input since the form was submitted
2064 if (length($cgiparams{'CERT_NAME'}) >60) {
2065 $errormessage = $Lang::tr{'name too long'};
2066 goto VPNCONF_ERROR;
2067 }
2068 if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
2069 $errormessage = $Lang::tr{'invalid input for name'};
2070 goto VPNCONF_ERROR;
2071 }
2072 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
2073 $errormessage = $Lang::tr{'invalid input for e-mail address'};
2074 goto VPNCONF_ERROR;
2075 }
2076 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
2077 $errormessage = $Lang::tr{'e-mail address too long'};
2078 goto VPNCONF_ERROR;
2079 }
2080 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2081 $errormessage = $Lang::tr{'invalid input for department'};
2082 goto VPNCONF_ERROR;
2083 }
2084 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
2085 $errormessage = $Lang::tr{'organization too long'};
2086 goto VPNCONF_ERROR;
2087 }
2088 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
2089 $errormessage = $Lang::tr{'invalid input for organization'};
2090 goto VPNCONF_ERROR;
2091 }
2092 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2093 $errormessage = $Lang::tr{'invalid input for city'};
2094 goto VPNCONF_ERROR;
2095 }
2096 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2097 $errormessage = $Lang::tr{'invalid input for state or province'};
2098 goto VPNCONF_ERROR;
2099 }
2100 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
2101 $errormessage = $Lang::tr{'invalid input for country'};
2102 goto VPNCONF_ERROR;
2103 }
2104 if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
2105 if (length($cgiparams{'CERT_PASS1'}) < 5) {
2106 $errormessage = $Lang::tr{'password too short'};
2107 goto VPNCONF_ERROR;
2108 }
2109 }
2110 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
2111 $errormessage = $Lang::tr{'passwords do not match'};
2112 goto VPNCONF_ERROR;
2113 }
2114
2115 # Replace empty strings with a .
2116 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
2117 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
2118 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
2119
2120 # Create the Host certificate request client
2121 my $pid = open(OPENSSL, "|-");
2122 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
2123 if ($pid) { # parent
2124 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
2125 print OPENSSL "$state\n";
2126 print OPENSSL "$city\n";
2127 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
2128 print OPENSSL "$ou\n";
2129 print OPENSSL "$cgiparams{'CERT_NAME'}\n";
2130 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
2131 print OPENSSL ".\n";
2132 print OPENSSL ".\n";
2133 close (OPENSSL);
2134 if ($?) {
2135 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2136 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
2137 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
2138 goto VPNCONF_ERROR;
2139 }
2140 } else { # child
2141 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
2142 '-newkey', 'rsa:1024',
2143 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
2144 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
2145 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
2146 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
2147 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2148 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2149 goto VPNCONF_ERROR;
2150 }
2151 }
2152
2153 # Sign the host certificate request
2154 system('/usr/bin/openssl', 'ca', '-days', '999999',
2155 '-batch', '-notext',
2156 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
2157 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
2158 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
2159 if ($?) {
2160 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2161 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2162 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2163 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2164 &newcleanssldatabase();
2165 goto VPNCONF_ERROR;
2166 } else {
2167 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2168 &deletebackupcert();
2169 }
2170
2171 # Create the pkcs12 file
2172 system('/usr/bin/openssl', 'pkcs12', '-export',
2173 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
2174 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
2175 '-name', $cgiparams{'NAME'},
2176 '-passout', "pass:$cgiparams{'CERT_PASS1'}",
2177 '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
2178 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
2179 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
2180 if ($?) {
2181 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2182 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2183 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2184 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
2185 goto VPNCONF_ERROR;
2186 } else {
2187 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2188 }
2189 } elsif ($cgiparams{'AUTH'} eq 'cert') {
2190 ;# Nothing, just editing
2191 } else {
2192 $errormessage = $Lang::tr{'invalid input for authentication method'};
2193 goto VPNCONF_ERROR;
2194 }
2195
2196 # Check if there is no other entry with this common name
2197 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
2198 foreach my $key (keys %confighash) {
2199 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
2200 $errormessage = $Lang::tr{'a connection with this common name already exists'};
2201 goto VPNCONF_ERROR;
2202 }
2203 }
2204 }
2205
2206 # Save the config
2207 my $key = $cgiparams{'KEY'};
2208 if (! $key) {
2209 $key = &General::findhasharraykey (\%confighash);
2210 foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
2211 }
2212 $confighash{$key}[0] = $cgiparams{'ENABLED'};
2213 $confighash{$key}[1] = $cgiparams{'NAME'};
2214 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
2215 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
2216 }
2217 $confighash{$key}[3] = $cgiparams{'TYPE'};
2218 if ($cgiparams{'AUTH'} eq 'psk') {
2219 $confighash{$key}[4] = 'psk';
2220 $confighash{$key}[5] = $cgiparams{'PSK'};
2221 } else {
2222 $confighash{$key}[4] = 'cert';
2223 }
2224 if ($cgiparams{'TYPE'} eq 'net') {
2225 $confighash{$key}[6] = $cgiparams{'SIDE'};
2226 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
2227 }
2228 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
2229 $confighash{$key}[10] = $cgiparams{'REMOTE'};
2230 $confighash{$key}[25] = $cgiparams{'REMARK'};
2231 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
2232 # new fields
2233 $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
2234 $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
2235 $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
2236 $confighash{$key}[30] = $cgiparams{'COMPLZO'};
2237 $confighash{$key}[31] = $cgiparams{'MTU'};
2238 # new fileds
2239 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2240 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
2241 $cgiparams{'KEY'} = $key;
2242 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
2243 }
2244 goto VPNCONF_END;
2245 } else {
2246 $cgiparams{'ENABLED'} = 'on';
2247 $cgiparams{'SIDE'} = 'left';
2248 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
2249 $cgiparams{'AUTH'} = 'psk';
2250 } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
2251 $cgiparams{'AUTH'} = 'certfile';
2252 } else {
2253 $cgiparams{'AUTH'} = 'certgen';
2254 }
2255 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
2256 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
2257 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
2258 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
2259 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
2260 }
2261
2262 VPNCONF_ERROR:
2263 $checked{'ENABLED'}{'off'} = '';
2264 $checked{'ENABLED'}{'on'} = '';
2265 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
2266 $checked{'ENABLED_BLUE'}{'off'} = '';
2267 $checked{'ENABLED_BLUE'}{'on'} = '';
2268 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
2269 $checked{'ENABLED_ORANGE'}{'off'} = '';
2270 $checked{'ENABLED_ORANGE'}{'on'} = '';
2271 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
2272
2273
2274 $checked{'EDIT_ADVANCED'}{'off'} = '';
2275 $checked{'EDIT_ADVANCED'}{'on'} = '';
2276 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
2277
2278 $selected{'SIDE'}{'server'} = '';
2279 $selected{'SIDE'}{'client'} = '';
2280 $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
2281
2282 $checked{'AUTH'}{'psk'} = '';
2283 $checked{'AUTH'}{'certreq'} = '';
2284 $checked{'AUTH'}{'certgen'} = '';
2285 $checked{'AUTH'}{'certfile'} = '';
2286 $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
2287
2288 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
2289
2290 $checked{'COMPLZO'}{'off'} = '';
2291 $checked{'COMPLZO'}{'on'} = '';
2292 $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
2293
2294
2295 if (1) {
2296 &Header::showhttpheaders();
2297 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
2298 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
2299 if ($errormessage) {
2300 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2301 print "<class name='base'>$errormessage";
2302 print "&nbsp;</class>";
2303 &Header::closebox();
2304 }
2305
2306 if ($warnmessage) {
2307 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
2308 print "<class name='base'>$warnmessage";
2309 print "&nbsp;</class>";
2310 &Header::closebox();
2311 }
2312
2313 print "<form method='post' enctype='multipart/form-data'>";
2314 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
2315
2316 if ($cgiparams{'KEY'}) {
2317 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
2318 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
2319 }
2320
2321 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
2322 print "<table width='100%'>\n";
2323 print "<tr><td width='25%' class='boldbase'>$Lang::tr{'name'}:</td>";
2324 if ($cgiparams{'TYPE'} eq 'host') {
2325 if ($cgiparams{'KEY'}) {
2326 print "<td width='35%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>\n";
2327 } else {
2328 print "<td width='35%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
2329 }
2330 # print "<tr><td>$Lang::tr{'interface'}</td>";
2331 # print "<td><select name='INTERFACE'>";
2332 # print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
2333 # if ($netsettings{'BLUE_DEV'} ne '') {
2334 # print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>";
2335 # }
2336 # print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
2337 # print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
2338 # print "</select></td></tr>";
2339 # print <<END
2340 } else {
2341 print "<input type='hidden' name='INTERFACE' value='red' />";
2342 if ($cgiparams{'KEY'}) {
2343 print "<td width='25%' class='base' nowrap='nowrap'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
2344 } else {
2345 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
2346 }
2347 print <<END
2348 <td width='25%'>&nbsp;</td>
2349 <td width='25%'>&nbsp;</td></tr>
2350 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td>
2351 <td><select name='SIDE'><option value='server' $selected{'SIDE'}{'server'}>OpenVPN Server</option>
2352 <option value='client' $selected{'SIDE'}{'client'}>OpenVPN Client</option></select></td>
2353 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
2354 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td></tr>
2355 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
2356 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
2357 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
2358 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td></tr>
2359 ttt
2360 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td>
2361 <td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td></tr>
2362 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
2363 <td><select name='PROTOCOL'><option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
2364 <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option></select></td>
2365 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
2366 <td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td></tr>
2367 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2368 <td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
2369 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;<img src='/blob.gif' /></td>
2370 <td> <input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></TD>
2371
2372
2373 END
2374 ;
2375 }
2376 print "<tr><td class='boldbase'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' /></td>";
2377 print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr>";
2378
2379 # if ($cgiparams{'TYPE'} eq 'net') {
2380 print "<tr><td>$Lang::tr{'enabled'} <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>\n";
2381
2382 # if ($cgiparams{'KEY'}) {
2383 # print "<td colspan='3'>&nbsp;</td></tr></table>";
2384 # } else {
2385 # print "<td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</tr></table>";
2386 # }
2387 # }else{
2388 print "<td colspan='3'>&nbsp;</td></tr></table>";
2389 # }
2390
2391
2392
2393 &Header::closebox();
2394
2395 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
2396 # &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
2397 # print <<END
2398 # <table width='100%' cellpadding='0' cellspacing='5' border='0'>
2399 # <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
2400 # <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
2401 # </table>
2402 END
2403 # ;
2404 # &Header::closebox();
2405 } elsif (! $cgiparams{'KEY'}) {
2406 my $disabled='';
2407 my $cakeydisabled='';
2408 my $cacrtdisabled='';
2409 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
2410 if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
2411 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
2412 print <<END
2413 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
2414 <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>
2415 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
2416 <td class='base'>$Lang::tr{'upload a certificate request'}</td>
2417 <td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
2418 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>
2419 <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
2420 <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' BORDER='0' /></td></tr>
2421 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>
2422 <td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
2423 <tr><td>&nbsp;</td>
2424 <td class='base'>$Lang::tr{'users fullname or system hostname'}:</td>
2425 <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
2426 <tr><td>&nbsp;</td>
2427 <td class='base'>$Lang::tr{'users email'}:&nbsp;<img src='/blob.gif' /></td>
2428 <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
2429 <tr><td>&nbsp;</td>
2430 <td class='base'>$Lang::tr{'users department'}:&nbsp;<img src='/blob.gif' /></td>
2431 <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
2432 <tr><td>&nbsp;</td>
2433 <td class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' /></td>
2434 <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
2435 <tr><td>&nbsp;</td>
2436 <td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif'></td>
2437 <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
2438 <tr><td>&nbsp;</td>
2439 <td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' /></td>
2440 <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
2441 <tr><td>&nbsp;</td>
2442 <td class='base'>$Lang::tr{'country'}:</td>
2443 <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
2444 END
2445
2446 ;
2447 foreach my $country (sort keys %{Countries::countries}) {
2448 print "<option value='$Countries::countries{$country}'";
2449 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
2450 print " selected='selected'";
2451 }
2452 print ">$country</option>";
2453 }
2454 print <<END
2455 </select></td></tr>
2456 <tr><td>&nbsp;</td>
2457 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
2458 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
2459 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<BR>($Lang::tr{'confirmation'})</td>
2460 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
2461 </table>
2462 END
2463 ;
2464 &Header::closebox();
2465 }
2466
2467 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
2468 if ($cgiparams{'KEY'}) {
2469 # print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
2470 }
2471 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
2472 &Header::closebigbox();
2473 &Header::closepage();
2474 exit (0);
2475 }
2476 VPNCONF_END:
2477 }
2478
2479 # SETTINGS_ERROR:
2480 ###
2481 ### Default status page
2482 ###
2483 %cgiparams = ();
2484 %cahash = ();
2485 %confighash = ();
2486 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
2487 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
2488 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2489
2490 my @status = `/bin/cat /var/log/ovpnserver.log`;
2491
2492 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
2493 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
2494 my $ipaddr = <IPADDR>;
2495 close IPADDR;
2496 chomp ($ipaddr);
2497 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
2498 if ($cgiparams{'VPN_IP'} eq '') {
2499 $cgiparams{'VPN_IP'} = $ipaddr;
2500 }
2501 }
2502 }
2503
2504 #default setzen
2505 if ($cgiparams{'DCIPHER'} eq '') {
2506 $cgiparams{'DCIPHER'} = 'BF-CBC';
2507 }
2508 # if ($cgiparams{'DCOMPLZO'} eq '') {
2509 # $cgiparams{'DCOMPLZO'} = 'on';
2510 # }
2511 if ($cgiparams{'DDEST_PORT'} eq '') {
2512 $cgiparams{'DDEST_PORT'} = '1194';
2513 }
2514 if ($cgiparams{'DMTU'} eq '') {
2515 $cgiparams{'DMTU'} = '1400';
2516 }
2517 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
2518 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
2519 }
2520
2521 $checked{'ENABLED'}{'off'} = '';
2522 $checked{'ENABLED'}{'on'} = '';
2523 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
2524 $checked{'ENABLED_BLUE'}{'off'} = '';
2525 $checked{'ENABLED_BLUE'}{'on'} = '';
2526 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
2527 $checked{'ENABLED_ORANGE'}{'off'} = '';
2528 $checked{'ENABLED_ORANGE'}{'on'} = '';
2529 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
2530
2531
2532 #new settings
2533 $selected{'DDEVICE'}{'tun'} = '';
2534 $selected{'DDEVICE'}{'tap'} = '';
2535 $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED';
2536
2537 $selected{'DPROTOCOL'}{'udp'} = '';
2538 $selected{'DPROTOCOL'}{'tcp'} = '';
2539 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
2540
2541 $selected{'DCIPHER'}{'DES-CBC'} = '';
2542 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
2543 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
2544 $selected{'DCIPHER'}{'DESX-CBC'} = '';
2545 $selected{'DCIPHER'}{'RC2-CBC'} = '';
2546 $selected{'DCIPHER'}{'RC2-40-CBC'} = '';
2547 $selected{'DCIPHER'}{'RC2-64-CBC'} = '';
2548 $selected{'DCIPHER'}{'BF-CBC'} = '';
2549 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
2550 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
2551 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
2552 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
2553 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
2554 $checked{'DCOMPLZO'}{'off'} = '';
2555 $checked{'DCOMPLZO'}{'on'} = '';
2556 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
2557
2558 #new settings
2559 &Header::showhttpheaders();
2560 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
2561 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
2562
2563 if ($errormessage) {
2564 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2565 print "<class name='base'>$errormessage\n";
2566 print "&nbsp;</class>\n";
2567 &Header::closebox();
2568 }
2569
2570 my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
2571 my $srunning = "no";
2572 my $activeonrun = "";
2573 if ( -e "/var/run/openvpn.pid"){
2574 $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'running'}</font></b></td></tr></table>";
2575 $srunning ="yes";
2576 $activeonrun = "";
2577 } else {
2578 $activeonrun = "disabled='disabled'";
2579 }
2580 &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});
2581 print <<END
2582 <table width='100%'>
2583 <form method='post'>
2584 <td width='25%'>&nbsp;</td>
2585 <td width='25%'>&nbsp;</td>
2586 <td width='25%'>&nbsp;</td></tr>
2587 <tr><td class='boldbase'>$Lang::tr{'ovpn server status'}</td>
2588 <td align='left'>$sactive</td>
2589 <tr><td class='boldbase'>$Lang::tr{'ovpn on red'}</td>
2590 <td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
2591 END
2592 ;
2593 if (&haveBlueNet()) {
2594 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on blue'}</td>";
2595 print "<td><input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'}{'on'} /></td>";
2596 }
2597 if (&haveOrangeNet()) {
2598 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on orange'}</td>";
2599 print "<td><input type='checkbox' name='ENABLED_ORANGE' $checked{'ENABLED_ORANGE'}{'on'} /></td>";
2600 }
2601 print <<END
2602 <tr><td class='base' nowrap='nowrap' colspan='2'>$Lang::tr{'local vpn hostname/ip'}:<br /><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td>
2603 <td class='boldbase' nowrap='nowrap' colspan='2'>$Lang::tr{'ovpn subnet'}<br /><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr>
2604 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn device'}</td>
2605 <td><select name='DDEVICE' ><option value='tun' $selected{'DDEVICE'}{'tun'}>TUN</option>
2606 <option value='tap' $selected{'DDEVICE'}{'tap'}>TAP</option></select></td>
2607 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
2608 <td><select name='DPROTOCOL'><option value='udp' $selected{'DPROTOCOL'}{'udp'}>UDP</option>
2609 <option value='tcp' $selected{'DPROTOCOL'}{'tcp'}>TCP</option></select></td>
2610 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
2611 <td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr>
2612 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;</td>
2613 <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}'size='5' /></TD>
2614 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2615 <td><input type='checkbox' name='DCOMPLZO' $checked{'DCOMPLZO'}{'on'} /></td>
2616 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
2617 <td><select name='DCIPHER'><option value='DES-CBC' $selected{'DCIPHER'}{'DES-CBC'}>DES-CBC</option>
2618 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC</option>
2619 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC</option>
2620 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC</option>
2621 <option value='RC2-CBC' $selected{'DCIPHER'}{'RC2-CBC'}>RC2-CBC</option>
2622 <option value='RC2-40-CBC' $selected{'DCIPHER'}{'RC2-40-CBC'}>RC2-40-CBC</option>
2623 <option value='RC2-64-CBC' $selected{'DCIPHER'}{'RC2-64-CBC'}>RC2-64-CBC</option>
2624 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC</option>
2625 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC</option>
2626 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-128-CBC</option>
2627 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-192-CBC</option>
2628 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-256-CBC</option></select></td>
2629 END
2630 ;
2631
2632 if ( $srunning eq "yes" ) {
2633 print "<tr><td align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' /></td>";
2634 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' disabled='disabled'/></td>";
2635 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td>";
2636 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'restart ovpn server'}' /></td></tr>";
2637 } else{
2638 print "<tr><td align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>";
2639 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' /></td>";
2640 if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
2641 -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
2642 -e "${General::swroot}/ovpn/certs/servercert.pem" &&
2643 -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
2644 (( $cgiparams{'ENABLED'} eq 'on') ||
2645 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
2646 ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){
2647 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' /></td>";
2648 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'restart ovpn server'}' /></td></tr>";
2649 } else {
2650 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' disabled='disabled' /></td>";
2651 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'restart ovpn server'}' disabled='disabled' /></td></tr>";
2652 }
2653 }
2654 print "</form></table>";
2655 &Header::closebox();
2656 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:");
2657 print <<EOF#'
2658 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
2659 <tr>
2660 <td width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
2661 <td width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></td>
2662 <td width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>
2663 </tr>
2664 EOF
2665 ;
2666 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
2667 my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
2668 $casubject =~ /Subject: (.*)[\n]/;
2669 $casubject = $1;
2670 $casubject =~ s+/Email+, E+;
2671 $casubject =~ s/ ST=/ S=/;
2672
2673 print <<END
2674 <tr bgcolor='$color{'color22'}'>
2675 <td class='base'>$Lang::tr{'root certificate'}</td>
2676 <td class='base'>$casubject</td>
2677 <form method='post' name='frmrootcrta'><td width='3%' align='center'>
2678 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
2679 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
2680 </td></form>
2681 <form method='post' name='frmrootcrtb'><td width='3%' align='center'>
2682 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
2683 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
2684 </td></form>
2685 <td width='4%'>&nbsp;</td></tr>
2686 END
2687 ;
2688 } else {
2689 # display rootcert generation buttons
2690 print <<END
2691 <tr bgcolor='$color{'color22'}'>
2692 <td class='base'>$Lang::tr{'root certificate'}:</td>
2693 <td class='base'>$Lang::tr{'not present'}</td>
2694 <td colspan='3'>&nbsp;</td></tr>
2695 END
2696 ;
2697 }
2698
2699 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2700 my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
2701 $hostsubject =~ /Subject: (.*)[\n]/;
2702 $hostsubject = $1;
2703 $hostsubject =~ s+/Email+, E+;
2704 $hostsubject =~ s/ ST=/ S=/;
2705
2706 print <<END
2707 <tr bgcolor='$color{'color20'}'>
2708 <td class='base'>$Lang::tr{'host certificate'}</td>
2709 <td class='base'>$hostsubject</td>
2710 <form method='post' name='frmhostcrta'><td width='3%' align='center'>
2711 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
2712 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
2713 </td></form>
2714 <form method='post' name='frmhostcrtb'><td width='3%' align='center'>
2715 <input type='image' name='$Lang::tr{'download host certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download host certificate'}' title='$Lang::tr{'download host certificate'}' border='0' />
2716 <input type='hidden' name='ACTION' value='$Lang::tr{'download host certificate'}' />
2717 </td></form>
2718 <td width='4%'>&nbsp;</td></tr>
2719 END
2720 ;
2721 } else {
2722 # Nothing
2723 print <<END
2724 <tr bgcolor='$color{'color20'}'>
2725 <td width='25%' class='base'>$Lang::tr{'host certificate'}:</td>
2726 <td class='base'>$Lang::tr{'not present'}</td>
2727 </td><td colspan='3'>&nbsp;</td></tr>
2728 END
2729 ;
2730 }
2731
2732 if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
2733 print "<tr><td colspan='5' align='center'><form method='post'>";
2734 print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
2735 print "</form></td></tr>\n";
2736 }
2737
2738 if (keys %cahash > 0) {
2739 foreach my $key (keys %cahash) {
2740 if (($key + 1) % 2) {
2741 print "<tr bgcolor='$color{'color20'}'>\n";
2742 } else {
2743 print "<tr bgcolor='$color{'color22'}'>\n";
2744 }
2745 print "<td class='base'>$cahash{$key}[0]</td>\n";
2746 print "<td class='base'>$cahash{$key}[1]</td>\n";
2747 print <<END
2748 <form method='post' name='cafrm${key}a'><td align='center'>
2749 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />
2750 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
2751 <input type='hidden' name='KEY' value='$key' />
2752 </td></form>
2753 <form method='post' name='cafrm${key}b'><td align='center'>
2754 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />
2755 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
2756 <input type='hidden' name='KEY' value='$key' />
2757 </td></form>
2758 <form method='post' name='cafrm${key}c'><td align='center'>
2759 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
2760 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />
2761 <input type='hidden' name='KEY' value='$key' />
2762 </td></form></tr>
2763 END
2764 ;
2765 }
2766 }
2767
2768 print "</table>";
2769
2770 # If the file contains entries, print Key to action icons
2771 if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {
2772 print <<END
2773 <table>
2774 <tr>
2775 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
2776 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
2777 <td class='base'>$Lang::tr{'show certificate'}</td>
2778 <td>&nbsp; &nbsp; <img src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' /></td>
2779 <td class='base'>$Lang::tr{'download certificate'}</td>
2780 </tr>
2781 </table>
2782 END
2783 ;
2784 }
2785 print <<END
2786 <form method='post' enctype='multipart/form-data'>
2787 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
2788 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}:</td>
2789 <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' />
2790 <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td>
2791 <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /><br /><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
2792 </tr></table></form>
2793 END
2794 ;
2795
2796 &Header::closebox();
2797 if ( $srunning eq "yes" ) {
2798 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' disabled='disabled' /></div></form>\n";
2799 }else{
2800 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></div></form>\n";
2801 }
2802 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
2803 &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' });
2804 print <<END
2805 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
2806 <tr>
2807 <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
2808 <td width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></td>
2809 <td width='18%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></td>
2810 <td width='17%' class='boldbase' align='center'><b>$Lang::tr{'valid till'}</b></td>
2811 <td width='25%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>
2812 <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></td>
2813 <td width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></td>
2814 </tr>
2815 END
2816 ;
2817 my $id = 0;
2818 my $gif;
2819 foreach my $key (keys %confighash) {
2820 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
2821
2822 if ($id % 2) {
2823 print "<tr bgcolor='$color{'color20'}'>\n";
2824 } else {
2825 print "<tr bgcolor='$color{'color22'}'>\n";
2826 }
2827 print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";
2828 print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
2829 if ($confighash{$key}[4] eq 'cert') {
2830 print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
2831 } else {
2832 print "<td align='left'>&nbsp;</td>";
2833 }
2834 my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
2835 $cavalid =~ /Not After : (.*)[\n]/;
2836 $cavalid = $1;
2837 print "<td align='center'>$cavalid</td>";
2838 print "<td align='center'>$confighash{$key}[25]</td>";
2839 my $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
2840 if ($confighash{$key}[0] eq 'off') {
2841 $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourblue}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
2842 } else {
2843 my $cn;
2844 my @match = ();
2845 foreach my $line (@status) {
2846 chomp($line);
2847 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
2848 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
2849 if ($match[1] ne "Common Name") {
2850 $cn = $match[1];
2851 }
2852 $cn =~ s/[_]/ /g;
2853 if ($cn eq "$confighash{$key}[2]") {
2854 $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b></td></tr></table>";
2855 }
2856 }
2857 }
2858 }
2859 my $disable_clientdl = "disabled='disabled'";
2860 if (( $cgiparams{'ENABLED'} eq 'on') ||
2861 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
2862 ( $cgiparams{'ENABLED_ORANGE'} eq 'on')){
2863 $disable_clientdl = "";
2864 }
2865 print <<END
2866 <td align='center'>$active</td>
2867
2868 <form method='post' name='frm${key}a'><td align='center'>
2869 <input type='image' name='$Lang::tr{'dl client arch'}' $disable_clientdl src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
2870 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' $disable_clientdl />
2871 <input type='hidden' name='KEY' value='$key' $disable_clientdl />
2872 </td></form>
2873 END
2874 ;
2875 if ($confighash{$key}[4] eq 'cert') {
2876 print <<END
2877 <form method='post' name='frm${key}b'><td align='center'>
2878 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />
2879 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
2880 <input type='hidden' name='KEY' value='$key' />
2881 </td></form>
2882 END
2883 ; } else {
2884 print "<td>&nbsp;</td>";
2885 }
2886 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
2887 print <<END
2888 <form method='post' name='frm${key}c'><td align='center'>
2889 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/media-floppy.png' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />
2890 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
2891 <input type='hidden' name='KEY' value='$key' />
2892 </td></form>
2893 END
2894 ; } elsif ($confighash{$key}[4] eq 'cert') {
2895 print <<END
2896 <form method='post' name='frm${key}c'><td align='center'>
2897 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/media-floppy.png' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />
2898 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
2899 <input type='hidden' name='KEY' value='$key' />
2900 </td></form>
2901 END
2902 ; } else {
2903 print "<td>&nbsp;</td>";
2904 }
2905 print <<END
2906 <form method='post' name='frm${key}d'><td align='center'>
2907 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />
2908 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
2909 <input type='hidden' name='KEY' value='$key' />
2910 </td></form>
2911
2912 <form method='post' name='frm${key}e'><td align='center'>
2913 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
2914 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>
2915 <input type='hidden' name='KEY' value='$key' />
2916 </td></form>
2917 <form method='post' name='frm${key}f'><td align='center'>
2918 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
2919 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />
2920 <input type='hidden' name='KEY' value='$key' />
2921 </td></form>
2922 </tr>
2923 END
2924 ;
2925 $id++;
2926 }
2927 ;
2928
2929 # If the config file contains entries, print Key to action icons
2930 if ( $id ) {
2931 print <<END
2932 <table>
2933 <tr>
2934 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
2935 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
2936 <td class='base'>$Lang::tr{'click to disable'}</td>
2937 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
2938 <td class='base'>$Lang::tr{'show certificate'}</td>
2939 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
2940 <td class='base'>$Lang::tr{'edit'}</td>
2941 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
2942 <td class='base'>$Lang::tr{'remove'}</td>
2943 </tr>
2944 <tr>
2945 <td>&nbsp; </td>
2946 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
2947 <td class='base'>$Lang::tr{'click to enable'}</td>
2948 <td> <img src='/images/media-floppy.png' alt='?FLOPPY' /></td>
2949 <td class='base'>$Lang::tr{'download certificate'}</td>
2950 <td> <img src='/images/openvpn.png' alt='?RELOAD'/></td>
2951 <td class='base'>$Lang::tr{'dl client arch'}</td>
2952 </tr>
2953 </table>
2954 END
2955 ;
2956 }
2957
2958 print <<END
2959 <table width='100%'>
2960 <form method='post'>
2961 <tr><td width='50%' ><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td>
2962 <td width='50%' ><input type='submit' name='ACTION' value='$Lang::tr{'ovpn con stat'}' $activeonrun /></td></tr>
2963 </form>
2964 </table>
2965 END
2966 ;
2967 &Header::closebox();
2968 }
2969 &Header::closepage();
Peter's tree of IPFire 2.x