]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - html/cgi-bin/ovpnmain.cgi
projects / people / pmueller / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Erstmal ein Commit:
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / ovpnmain.cgi
1 #!/usr/bin/perl
2 # based on SmoothWall and IPCop CGIs
3 #
4 # This code is distributed under the terms of the GPL
5 # Main idea from zeroconcept
6 # ZERNINA-VERSION:0.9.4i
7 # (c) 2007 Ufuk Altinkaynak
8 #
9
10 use CGI;
11 use CGI qw/:standard/;
12 use Net::DNS;
13 use File::Copy;
14 use File::Temp qw/ tempfile tempdir /;
15 use strict;
16 use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
17 require '/var/ipfire/general-functions.pl';
18 require "${General::swroot}/lang.pl";
19 require "${General::swroot}/header.pl";
20 require "${General::swroot}/countries.pl";
21
22 # enable only the following on debugging purpose
23 #use warnings;
24 #use CGI::Carp 'fatalsToBrowser';
25 #workaround to suppress a warning when a variable is used only once
26 my @dummy = ( ${Header::colourgreen} );
27 undef (@dummy);
28
29 my %color = ();
30 my %mainsettings = ();
31 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
32 &General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
33
34
35
36 ###
37 ### Initialize variables
38 ###
39 my %netsettings=();
40 my %cgiparams=();
41 my %vpnsettings=();
42 my %checked=();
43 my %confighash=();
44 my %cahash=();
45 my %selected=();
46 my $warnmessage = '';
47 my $errormessage = '';
48 my %settings=();
49 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
50 $cgiparams{'ENABLED'} = 'off';
51 $cgiparams{'ENABLED_BLUE'} = 'off';
52 $cgiparams{'ENABLED_ORANGE'} = 'off';
53 $cgiparams{'EDIT_ADVANCED'} = 'off';
54 $cgiparams{'NAT'} = 'off';
55 $cgiparams{'COMPRESSION'} = 'off';
56 $cgiparams{'ONLY_PROPOSED'} = 'off';
57 $cgiparams{'ACTION'} = '';
58 $cgiparams{'CA_NAME'} = '';
59 $cgiparams{'DHCP_DOMAIN'} = '';
60 $cgiparams{'DHCP_DNS'} = '';
61 $cgiparams{'DHCP_WINS'} = '';
62 $cgiparams{'DCOMPLZO'} = 'off';
63 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
64
65 # prepare openvpn config file
66 ###
67 ### Useful functions
68 ###
69 sub haveOrangeNet
70 {
71 if ($netsettings{'CONFIG_TYPE'} == 1) {return 1;}
72 if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
73 if ($netsettings{'CONFIG_TYPE'} == 5) {return 1;}
74 if ($netsettings{'CONFIG_TYPE'} == 7) {return 1;}
75 return 0;
76 }
77
78 sub haveBlueNet
79 {
80 if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
81 if ($netsettings{'CONFIG_TYPE'} == 5) {return 1;}
82 if ($netsettings{'CONFIG_TYPE'} == 6) {return 1;}
83 if ($netsettings{'CONFIG_TYPE'} == 7) {return 1;}
84 return 0;
85 }
86
87 sub sizeformat{
88 my $bytesize = shift;
89 my $i = 0;
90
91 while(abs($bytesize) >= 1024){
92 $bytesize=$bytesize/1024;
93 $i++;
94 last if($i==6);
95 }
96
97 my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
98 my $newsize=(int($bytesize*100 +0.5))/100;
99 return("$newsize $units[$i]");
100 }
101
102 sub valid_dns_host {
103 my $hostname = $_[0];
104 unless ($hostname) { return "No hostname"};
105 my $res = new Net::DNS::Resolver;
106 my $query = $res->search("$hostname");
107 if ($query) {
108 foreach my $rr ($query->answer) {
109 ## Potential bug - we are only looking at A records:
110 return 0 if $rr->type eq "A";
111 }
112 } else {
113 return $res->errorstring;
114 }
115 }
116
117 sub cleanssldatabase
118 {
119 if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
120 print FILE "01";
121 close FILE;
122 }
123 if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
124 print FILE "";
125 close FILE;
126 }
127 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
128 unlink ("${General::swroot}/ovpn/certs/serial.old");
129 unlink ("${General::swroot}/ovpn/certs/01.pem");
130 }
131
132 sub newcleanssldatabase
133 {
134 if (! -s "${General::swroot}/ovpn/certs/serial" ) {
135 open(FILE, ">${General::swroot}(ovpn/certs/serial");
136 print FILE "01";
137 close FILE;
138 }
139 if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
140 system ("touch ${General::swroot}/ovpn/certs/index.txt");
141 }
142 unlink ("${General::swroot}/ovpn/certs/index.txt.old");
143 unlink ("${General::swroot}/ovpn/certs/serial.old");
144 }
145
146 sub deletebackupcert
147 {
148 if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
149 my $hexvalue = <FILE>;
150 chomp $hexvalue;
151 close FILE;
152 unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
153 }
154 }
155
156 sub checkportfw {
157 my $KEY2 = $_[0]; # key2
158 my $SRC_PORT = $_[1]; # src_port
159 my $PROTOCOL = $_[2]; # protocol
160 my $SRC_IP = $_[3]; # sourceip
161
162 my $pfwfilename = "${General::swroot}/portfw/config";
163 open(FILE, $pfwfilename) or die 'Unable to open config file.';
164 my @pfwcurrent = <FILE>;
165 close(FILE);
166 my $pfwkey1 = 0; # used for finding last sequence number used
167 foreach my $pfwline (@pfwcurrent)
168 {
169 my @pfwtemp = split(/\,/,$pfwline);
170
171 chomp ($pfwtemp[8]);
172 if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition
173 if ( $SRC_PORT eq $pfwtemp[3] &&
174 $PROTOCOL eq $pfwtemp[2] &&
175 $SRC_IP eq $pfwtemp[7])
176 {
177 $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT";
178 }
179 # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
180 if ( $pfwtemp[1] eq "0") {
181 $pfwkey1=$pfwtemp[0];
182 }
183 # Darren Critchley - Duplicate or overlapping Port range check
184 if ($pfwtemp[1] eq "0" &&
185 $PROTOCOL eq $pfwtemp[2] &&
186 $SRC_IP eq $pfwtemp[7] &&
187 $errormessage eq '')
188 {
189 &portchecks($SRC_PORT, $pfwtemp[5]);
190 # &portchecks($pfwtemp[3], $pfwtemp[5]);
191 # &portchecks($pfwtemp[3], $SRC_IP);
192 }
193 }
194 }
195 # $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP";
196
197 return;
198 }
199
200 sub checkportoverlap
201 {
202 my $portrange1 = $_[0]; # New port range
203 my $portrange2 = $_[1]; # existing port range
204 my @tempr1 = split(/\:/,$portrange1);
205 my @tempr2 = split(/\:/,$portrange2);
206
207 unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
208 unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
209
210 unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
211 unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
212
213 return 1; # Everything checks out!
214 }
215
216 # Darren Critchley - we want to make sure that a port entry is not within an already existing range
217 sub checkportinc
218 {
219 my $port1 = $_[0]; # Port
220 my $portrange2 = $_[1]; # Port range
221 my @tempr1 = split(/\:/,$portrange2);
222
223 if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
224 return 1;
225 } else {
226 return 0;
227 }
228 }
229 # Darren Critchley - Duplicate or overlapping Port range check
230 sub portchecks
231 {
232 my $p1 = $_[0]; # New port range
233 my $p2 = $_[1]; # existing port range
234 # $_ = $_[0];
235 our ($prtrange1, $prtrange2);
236 $prtrange1 = 0;
237 # if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
238 # unless (&checkportoverlap($p1,$p2)) {
239 # $errormessage = "$Lang::tr{'source port overlaps'} $p1";
240 # }
241 # }
242 if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
243 unless (&checkportinc($p2,$p1)) {
244 $errormessage = "$Lang::tr{'srcprt within existing'} $p1";
245 }
246 }
247 $prtrange1 = 1;
248 if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
249 unless (&checkportinc($p1,$p2)) {
250 $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2";
251 }
252 }
253 return;
254 }
255
256 # Darren Critchley - certain ports are reserved for IPFire
257 # TCP 67,68,81,222,445
258 # UDP 67,68
259 # Params passed in -> port, rangeyn, protocol
260 sub disallowreserved
261 {
262 # port 67 and 68 same for tcp and udp, don't bother putting in an array
263 my $msg = "";
264 my @tcp_reserved = (81,222,445);
265 my $prt = $_[0]; # the port or range
266 my $ryn = $_[1]; # tells us whether or not it is a port range
267 my $prot = $_[2]; # protocol
268 my $srcdst = $_[3]; # source or destination
269 if ($ryn) { # disect port range
270 if ($srcdst eq "src") {
271 $msg = "$Lang::tr{'rsvd src port overlap'}";
272 } else {
273 $msg = "$Lang::tr{'rsvd dst port overlap'}";
274 }
275 my @tmprng = split(/\:/,$prt);
276 unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
277 unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
278 if ($prot eq "tcp") {
279 foreach my $prange (@tcp_reserved) {
280 unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
281 }
282 }
283 } else {
284 if ($srcdst eq "src") {
285 $msg = "$Lang::tr{'reserved src port'}";
286 } else {
287 $msg = "$Lang::tr{'reserved dst port'}";
288 }
289 if ($prt == 67) { $errormessage="$msg 67"; return; }
290 if ($prt == 68) { $errormessage="$msg 68"; return; }
291 if ($prot eq "tcp") {
292 foreach my $prange (@tcp_reserved) {
293 if ($prange == $prt) { $errormessage="$msg $prange"; return; }
294 }
295 }
296 }
297 return;
298 }
299
300 sub writeserverconf {
301 my %sovpnsettings = ();
302 &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
303
304 open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
305 flock CONF, 2;
306 print CONF "#OpenVPN Server conf\n";
307 print CONF "\n";
308 print CONF "daemon openvpnserver\n";
309 print CONF "writepid /var/run/openvpn.pid\n";
310 print CONF "#DAN prepare ZERINA for listening on blue and orange\n";
311 print CONF ";local $sovpnsettings{'VPN_IP'}\n";
312 print CONF "dev $sovpnsettings{'DDEVICE'}\n";
313 print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n";
314 print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
315 print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
316 print CONF "tls-server\n";
317 print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n";
318 print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n";
319 print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n";
320 print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n";
321 my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
322 print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
323 print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
324 if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
325 print CONF "client-to-client\n";
326 }
327 if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
328 print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
329 }
330 print CONF "status-version 1\n";
331 print CONF "status /var/ipfire/ovpn/server.log 30\n";
332 print CONF "cipher $sovpnsettings{DCIPHER}\n";
333 if ($sovpnsettings{DCOMPLZO} eq 'on') {
334 print CONF "comp-lzo\n";
335 }
336 if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
337 print CONF "push \"redirect-gateway def1\"\n";
338 }
339 if ($sovpnsettings{DHCP_DOMAIN} ne '') {
340 print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
341 }
342
343 if ($sovpnsettings{DHCP_DNS} ne '') {
344 print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
345 }
346
347 if ($sovpnsettings{DHCP_WINS} ne '') {
348 print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
349 }
350
351 if ($sovpnsettings{DHCP_WINS} eq '') {
352 print CONF "max-clients 100\n";
353 }
354
355 if ($sovpnsettings{DHCP_WINS} ne '') {
356 print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
357 }
358 print CONF "tls-verify /var/ipfire/ovpn/verify\n";
359 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
360 print CONF "user nobody\n";
361 print CONF "group nobody\n";
362 print CONF "persist-key\n";
363 print CONF "persist-tun\n";
364 if ($sovpnsettings{LOG_VERB} ne '') {
365 print CONF "verb $sovpnsettings{LOG_VERB}\n";
366 } else {
367 print CONF "verb 3\n";
368 }
369 print CONF "\n";
370
371 close(CONF);
372 }
373 #
374 sub emptyserverlog{
375 if (open(FILE, ">${General::swroot}/ovpn/server.log")) {
376 flock FILE, 2;
377 print FILE "";
378 close FILE;
379 }
380
381 }
382
383 #hier die refresh page
384 if ( -e "${General::swroot}/ovpn/gencanow") {
385 my $refresh = '';
386 $refresh = "<meta http-equiv='refresh' content='15;' />";
387 &Header::showhttpheaders();
388 &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh);
389 &Header::openbigbox('100%', 'center');
390 &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:");
391 print "<tr>\n<td align='center'><img src='/images/clock.gif' alt='' /></td>\n";
392 print "<td colspan='2'><font color='red'>Please be patient this realy can take some time on older hardware...</font></td></tr>\n";
393 &Header::closebox();
394 &Header::closebigbox();
395 &Header::closepage();
396 exit (0);
397 }
398 ##hier die refresh page
399
400
401 ###
402 ### OpenVPN Server Control
403 ###
404 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
405 $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
406 $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
407 #start openvpn server
408 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
409 &emptyserverlog();
410 system('/usr/local/bin/openvpnctrl', '-s');
411 }
412 #stop openvpn server
413 if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
414 system('/usr/local/bin/openvpnctrl', '-k');
415 &emptyserverlog();
416 }
417 # #restart openvpn server
418 if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
419 #workarund, till SIGHUP also works when running as nobody
420 system('/usr/local/bin/openvpnctrl', '-r');
421 &emptyserverlog();
422 }
423 }
424
425 ###
426 ### Save Advanced options
427 ###
428
429 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
430 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
431 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
432 #DAN this value has to leave.
433 #new settings for daemon
434 $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
435 $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
436 $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
437 $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
438 $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
439 $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
440 $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
441 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
442 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
443
444 if ($cgiparams{'DHCP_DOMAIN'} ne ''){
445 unless (&General::validfqdn($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
446 $errormessage = $Lang::tr{'invalid input for dhcp domain'};
447 goto ADV_ERROR;
448 }
449 }
450 if ($cgiparams{'DHCP_DNS'} ne ''){
451 unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
452 $errormessage = $Lang::tr{'invalid input for dhcp dns'};
453 goto ADV_ERROR;
454 }
455 }
456 if ($cgiparams{'DHCP_WINS'} ne ''){
457 unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
458 $errormessage = $Lang::tr{'invalid input for dhcp wins'};
459 goto ADV_ERROR;
460 }
461 }
462 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) {
463 $errormessage = $Lang::tr{'invalid input for max clients'};
464 goto ADV_ERROR;
465 }
466 if ($cgiparams{'KEEPALIVE_1'} ne '') {
467 if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
468 $errormessage = $Lang::tr{'invalid input for keepalive 1'};
469 goto ADV_ERROR;
470 }
471 }
472 if ($cgiparams{'KEEPALIVE_2'} ne ''){
473 if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
474 $errormessage = $Lang::tr{'invalid input for keepalive 2'};
475 goto ADV_ERROR;
476 }
477 }
478 if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
479 $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
480 goto ADV_ERROR;
481 }
482
483 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
484 &writeserverconf();#hier ok
485 }
486
487
488
489
490 ###
491 ### Save main settings
492 ###
493 if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') {
494 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
495 #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
496 #DAN this value has to leave.
497 if ($cgiparams{'ENABLED'} eq 'on'){
498 unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) {
499 $errormessage = $Lang::tr{'invalid input for hostname'};
500 goto SETTINGS_ERROR;
501 }
502 }
503 if ($cgiparams{'ENABLED'} eq 'on'){
504 &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest");
505 }
506 if ($errormessage) { goto SETTINGS_ERROR; }
507
508
509 if ($cgiparams{'ENABLED'} eq 'on'){
510 &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0');
511 }
512
513 if ($errormessage) { goto SETTINGS_ERROR; }
514
515 if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) {
516 $errormessage = $Lang::tr{'ovpn subnet is invalid'};
517 goto SETTINGS_ERROR;
518 }
519 my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'});
520
521 if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'},
522 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
523 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}";
524 goto SETTINGS_ERROR;
525 }
526
527 if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
528 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
529 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
530 goto SETTINGS_ERROR;
531 }
532
533 if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
534 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
535 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
536 goto SETTINGS_ERROR;
537 }
538
539 if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
540 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
541 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
542 goto SETTINGS_ERROR;
543 }
544 open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
545 while (<ALIASES>)
546 {
547 chomp($_);
548 my @tempalias = split(/\,/,$_);
549 if ($tempalias[1] eq 'on') {
550 if (&General::IpInSubnet ($tempalias[0] ,
551 $tmpovpnsubnet[0], $tmpovpnsubnet[1])) {
552 $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
553 }
554 }
555 }
556 close(ALIASES);
557 if ($errormessage ne ''){
558 goto SETTINGS_ERROR;
559 }
560 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
561 $errormessage = $Lang::tr{'invalid input'};
562 goto SETTINGS_ERROR;
563 }
564 if ((length($cgiparams{'DMTU'})==0) || (($cgiparams{'DMTU'}) < 1000 )) {
565 $errormessage = $Lang::tr{'invalid mtu input'};
566 goto SETTINGS_ERROR;
567 }
568
569 unless (&General::validport($cgiparams{'DDEST_PORT'})) {
570 $errormessage = $Lang::tr{'invalid port'};
571 goto SETTINGS_ERROR;
572 }
573 $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
574 $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
575 $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
576 $vpnsettings{'VPN_IP'} = $cgiparams{'VPN_IP'};
577 #new settings for daemon
578 $vpnsettings{'DOVPN_SUBNET'} = $cgiparams{'DOVPN_SUBNET'};
579 $vpnsettings{'DDEVICE'} = $cgiparams{'DDEVICE'};
580 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
581 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
582 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
583 $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
584 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
585 #new settings for daemon
586 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
587 &writeserverconf();#hier ok
588 SETTINGS_ERROR:
589 ###
590 ### Reset all step 2
591 ###
592 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') {
593 my $file = '';
594 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
595
596 foreach my $key (keys %confighash) {
597 if ($confighash{$key}[4] eq 'cert') {
598 delete $confighash{$cgiparams{'$key'}};
599 }
600 }
601 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
602 unlink $file
603 }
604 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
605 unlink $file
606 }
607 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
608 unlink $file
609 }
610 &cleanssldatabase();
611 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
612 print FILE "";
613 close FILE;
614 }
615 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
616 #&writeserverconf();
617 ###
618 ### Reset all step 1
619 ###
620 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) {
621 &Header::showhttpheaders();
622 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
623 &Header::openbigbox('100%', 'LEFT', '', '');
624 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
625 print <<END
626 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
627 <tr><td align='center'>
628 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
629 $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
630 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' />
631 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
632 </form></table>
633 END
634 ;
635 &Header::closebox();
636 &Header::closebigbox();
637 &Header::closepage();
638 exit (0);
639
640 ###
641 ### Upload CA Certificate
642 ###
643 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) {
644 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
645
646 if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) {
647 $errormessage = $Lang::tr{'name must only contain characters'};
648 goto UPLOADCA_ERROR;
649 }
650
651 if (length($cgiparams{'CA_NAME'}) >60) {
652 $errormessage = $Lang::tr{'name too long'};
653 goto VPNCONF_ERROR;
654 }
655
656 if ($cgiparams{'CA_NAME'} eq 'ca') {
657 $errormessage = $Lang::tr{'name is invalid'};
658 goto UPLOAD_CA_ERROR;
659 }
660
661 # Check if there is no other entry with this name
662 foreach my $key (keys %cahash) {
663 if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) {
664 $errormessage = $Lang::tr{'a ca certificate with this name already exists'};
665 goto UPLOADCA_ERROR;
666 }
667 }
668
669 if (ref ($cgiparams{'FH'}) ne 'Fh') {
670 $errormessage = $Lang::tr{'there was no file upload'};
671 goto UPLOADCA_ERROR;
672 }
673 # Move uploaded ca to a temporary file
674 (my $fh, my $filename) = tempfile( );
675 if (copy ($cgiparams{'FH'}, $fh) != 1) {
676 $errormessage = $!;
677 goto UPLOADCA_ERROR;
678 }
679 my $temp = `/usr/bin/openssl x509 -text -in $filename`;
680 if ($temp !~ /CA:TRUE/i) {
681 $errormessage = $Lang::tr{'not a valid ca certificate'};
682 unlink ($filename);
683 goto UPLOADCA_ERROR;
684 } else {
685 move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem");
686 if ($? ne 0) {
687 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
688 unlink ($filename);
689 goto UPLOADCA_ERROR;
690 }
691 }
692
693 my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`;
694 $casubject =~ /Subject: (.*)[\n]/;
695 $casubject = $1;
696 $casubject =~ s+/Email+, E+;
697 $casubject =~ s/ ST=/ S=/;
698 $casubject = &Header::cleanhtml($casubject);
699
700 my $key = &General::findhasharraykey (\%cahash);
701 $cahash{$key}[0] = $cgiparams{'CA_NAME'};
702 $cahash{$key}[1] = $casubject;
703 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
704 # system('/usr/local/bin/ipsecctrl', 'R');
705
706 UPLOADCA_ERROR:
707
708 ###
709 ### Display ca certificate
710 ###
711 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) {
712 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
713
714 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") {
715 &Header::showhttpheaders();
716 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
717 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
718 &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
719 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
720 $output = &Header::cleanhtml($output,"y");
721 print "<pre>$output</pre>\n";
722 &Header::closebox();
723 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
724 &Header::closebigbox();
725 &Header::closepage();
726 exit(0);
727 } else {
728 $errormessage = $Lang::tr{'invalid key'};
729 }
730
731 ###
732 ### Download ca certificate
733 ###
734 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download ca certificate'}) {
735 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
736
737 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
738 print "Content-Type: application/octet-stream\r\n";
739 print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
740 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
741 exit(0);
742 } else {
743 $errormessage = $Lang::tr{'invalid key'};
744 }
745
746 ###
747 ### Remove ca certificate (step 2)
748 ###
749 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'} && $cgiparams{'AREUSURE'} eq 'yes') {
750 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
751 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
752
753 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
754 foreach my $key (keys %confighash) {
755 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
756 if ($test =~ /: OK/) {
757 # Delete connection
758 # if ($vpnsettings{'ENABLED'} eq 'on' ||
759 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
760 # system('/usr/local/bin/ipsecctrl', 'D', $key);
761 # }
762 unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem");
763 unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12");
764 delete $confighash{$key};
765 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
766 # &writeipsecfiles();
767 }
768 }
769 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
770 delete $cahash{$cgiparams{'KEY'}};
771 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
772 # system('/usr/local/bin/ipsecctrl', 'R');
773 } else {
774 $errormessage = $Lang::tr{'invalid key'};
775 }
776 ###
777 ### Remove ca certificate (step 1)
778 ###
779 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove ca certificate'}) {
780 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
781 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
782
783 my $assignedcerts = 0;
784 if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
785 foreach my $key (keys %confighash) {
786 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
787 if ($test =~ /: OK/) {
788 $assignedcerts++;
789 }
790 }
791 if ($assignedcerts) {
792 &Header::showhttpheaders();
793 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
794 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
795 &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'});
796 print <<END
797 <table><form method='post'><input type='hidden' name='AREUSURE' value='yes' />
798 <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
799 <tr><td align='center'>
800 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>: $assignedcerts
801 $Lang::tr{'connections are associated with this ca. deleting the ca will delete these connections as well.'}
802 <tr><td align='center'><input type='submit' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
803 <input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></td></tr>
804 </form></table>
805 END
806 ;
807 &Header::closebox();
808 &Header::closebigbox();
809 &Header::closepage();
810 exit (0);
811 } else {
812 unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
813 delete $cahash{$cgiparams{'KEY'}};
814 &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash);
815 # system('/usr/local/bin/ipsecctrl', 'R');
816 }
817 } else {
818 $errormessage = $Lang::tr{'invalid key'};
819 }
820
821 ###
822 ### Display root certificate
823 ###
824 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
825 $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
826 my $output;
827 &Header::showhttpheaders();
828 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
829 &Header::openbigbox('100%', 'LEFT', '', '');
830 if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
831 &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
832 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
833 } else {
834 &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
835 $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
836 }
837 $output = &Header::cleanhtml($output,"y");
838 print "<pre>$output</pre>\n";
839 &Header::closebox();
840 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
841 &Header::closebigbox();
842 &Header::closepage();
843 exit(0);
844
845 ###
846 ### Download root certificate
847 ###
848 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download root certificate'}) {
849 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
850 print "Content-Type: application/octet-stream\r\n";
851 print "Content-Disposition: filename=cacert.pem\r\n\r\n";
852 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`;
853 exit(0);
854 }
855
856 ###
857 ### Download host certificate
858 ###
859 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download host certificate'}) {
860 if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) {
861 print "Content-Type: application/octet-stream\r\n";
862 print "Content-Disposition: filename=servercert.pem\r\n\r\n";
863 print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`;
864 exit(0);
865 }
866 ###
867 ### Form for generating a root certificate
868 ###
869 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} ||
870 $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
871
872 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
873 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
874 $errormessage = $Lang::tr{'valid root certificate already exists'};
875 $cgiparams{'ACTION'} = '';
876 goto ROOTCERT_ERROR;
877 }
878
879 if (($cgiparams{'ROOTCERT_HOSTNAME'} eq '') && -e "${General::swroot}/red/active") {
880 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
881 my $ipaddr = <IPADDR>;
882 close IPADDR;
883 chomp ($ipaddr);
884 $cgiparams{'ROOTCERT_HOSTNAME'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
885 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq '') {
886 $cgiparams{'ROOTCERT_HOSTNAME'} = $ipaddr;
887 }
888 }
889 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) {
890
891 if (ref ($cgiparams{'FH'}) ne 'Fh') {
892 $errormessage = $Lang::tr{'there was no file upload'};
893 goto ROOTCERT_ERROR;
894 }
895
896 # Move uploaded certificate request to a temporary file
897 (my $fh, my $filename) = tempfile( );
898 if (copy ($cgiparams{'FH'}, $fh) != 1) {
899 $errormessage = $!;
900 goto ROOTCERT_ERROR;
901 }
902
903 # Create a temporary dirctory
904 my $tempdir = tempdir( CLEANUP => 1 );
905
906 # Extract the CA certificate from the file
907 my $pid = open(OPENSSL, "|-");
908 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
909 if ($pid) { # parent
910 if ($cgiparams{'P12_PASS'} ne '') {
911 print OPENSSL "$cgiparams{'P12_PASS'}\n";
912 }
913 close (OPENSSL);
914 if ($?) {
915 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
916 unlink ($filename);
917 goto ROOTCERT_ERROR;
918 }
919 } else { # child
920 unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
921 '-in', $filename,
922 '-out', "$tempdir/cacert.pem")) {
923 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
924 unlink ($filename);
925 goto ROOTCERT_ERROR;
926 }
927 }
928
929 # Extract the Host certificate from the file
930 $pid = open(OPENSSL, "|-");
931 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
932 if ($pid) { # parent
933 if ($cgiparams{'P12_PASS'} ne '') {
934 print OPENSSL "$cgiparams{'P12_PASS'}\n";
935 }
936 close (OPENSSL);
937 if ($?) {
938 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
939 unlink ($filename);
940 goto ROOTCERT_ERROR;
941 }
942 } else { # child
943 unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
944 '-in', $filename,
945 '-out', "$tempdir/hostcert.pem")) {
946 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
947 unlink ($filename);
948 goto ROOTCERT_ERROR;
949 }
950 }
951
952 # Extract the Host key from the file
953 $pid = open(OPENSSL, "|-");
954 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
955 if ($pid) { # parent
956 if ($cgiparams{'P12_PASS'} ne '') {
957 print OPENSSL "$cgiparams{'P12_PASS'}\n";
958 }
959 close (OPENSSL);
960 if ($?) {
961 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
962 unlink ($filename);
963 goto ROOTCERT_ERROR;
964 }
965 } else { # child
966 unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
967 '-nodes',
968 '-in', $filename,
969 '-out', "$tempdir/serverkey.pem")) {
970 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
971 unlink ($filename);
972 goto ROOTCERT_ERROR;
973 }
974 }
975
976 move("$tempdir/cacert.pem", "${General::swroot}/ovpn/ca/cacert.pem");
977 if ($? ne 0) {
978 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
979 unlink ($filename);
980 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
981 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
982 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
983 goto ROOTCERT_ERROR;
984 }
985
986 move("$tempdir/hostcert.pem", "${General::swroot}/ovpn/certs/servercert.pem");
987 if ($? ne 0) {
988 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
989 unlink ($filename);
990 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
991 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
992 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
993 goto ROOTCERT_ERROR;
994 }
995
996 move("$tempdir/serverkey.pem", "${General::swroot}/ovpn/certs/serverkey.pem");
997 if ($? ne 0) {
998 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
999 unlink ($filename);
1000 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1001 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1002 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1003 goto ROOTCERT_ERROR;
1004 }
1005
1006 goto ROOTCERT_SUCCESS;
1007
1008 } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') {
1009
1010 # Validate input since the form was submitted
1011 if ($cgiparams{'ROOTCERT_ORGANIZATION'} eq ''){
1012 $errormessage = $Lang::tr{'organization cant be empty'};
1013 goto ROOTCERT_ERROR;
1014 }
1015 if (length($cgiparams{'ROOTCERT_ORGANIZATION'}) >60) {
1016 $errormessage = $Lang::tr{'organization too long'};
1017 goto ROOTCERT_ERROR;
1018 }
1019 if ($cgiparams{'ROOTCERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1020 $errormessage = $Lang::tr{'invalid input for organization'};
1021 goto ROOTCERT_ERROR;
1022 }
1023 if ($cgiparams{'ROOTCERT_HOSTNAME'} eq ''){
1024 $errormessage = $Lang::tr{'hostname cant be empty'};
1025 goto ROOTCERT_ERROR;
1026 }
1027 unless (&General::validfqdn($cgiparams{'ROOTCERT_HOSTNAME'}) || &General::validip($cgiparams{'ROOTCERT_HOSTNAME'})) {
1028 $errormessage = $Lang::tr{'invalid input for hostname'};
1029 goto ROOTCERT_ERROR;
1030 }
1031 if ($cgiparams{'ROOTCERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'ROOTCERT_EMAIL'}))) {
1032 $errormessage = $Lang::tr{'invalid input for e-mail address'};
1033 goto ROOTCERT_ERROR;
1034 }
1035 if (length($cgiparams{'ROOTCERT_EMAIL'}) > 40) {
1036 $errormessage = $Lang::tr{'e-mail address too long'};
1037 goto ROOTCERT_ERROR;
1038 }
1039 if ($cgiparams{'ROOTCERT_OU'} ne '' && $cgiparams{'ROOTCERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1040 $errormessage = $Lang::tr{'invalid input for department'};
1041 goto ROOTCERT_ERROR;
1042 }
1043 if ($cgiparams{'ROOTCERT_CITY'} ne '' && $cgiparams{'ROOTCERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1044 $errormessage = $Lang::tr{'invalid input for city'};
1045 goto ROOTCERT_ERROR;
1046 }
1047 if ($cgiparams{'ROOTCERT_STATE'} ne '' && $cgiparams{'ROOTCERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
1048 $errormessage = $Lang::tr{'invalid input for state or province'};
1049 goto ROOTCERT_ERROR;
1050 }
1051 if ($cgiparams{'ROOTCERT_COUNTRY'} !~ /^[A-Z]*$/) {
1052 $errormessage = $Lang::tr{'invalid input for country'};
1053 goto ROOTCERT_ERROR;
1054 }
1055
1056 # Copy the cgisettings to vpnsettings and save the configfile
1057 $vpnsettings{'ROOTCERT_ORGANIZATION'} = $cgiparams{'ROOTCERT_ORGANIZATION'};
1058 $vpnsettings{'ROOTCERT_HOSTNAME'} = $cgiparams{'ROOTCERT_HOSTNAME'};
1059 $vpnsettings{'ROOTCERT_EMAIL'} = $cgiparams{'ROOTCERT_EMAIL'};
1060 $vpnsettings{'ROOTCERT_OU'} = $cgiparams{'ROOTCERT_OU'};
1061 $vpnsettings{'ROOTCERT_CITY'} = $cgiparams{'ROOTCERT_CITY'};
1062 $vpnsettings{'ROOTCERT_STATE'} = $cgiparams{'ROOTCERT_STATE'};
1063 $vpnsettings{'ROOTCERT_COUNTRY'} = $cgiparams{'ROOTCERT_COUNTRY'};
1064 &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
1065
1066 # Replace empty strings with a .
1067 (my $ou = $cgiparams{'ROOTCERT_OU'}) =~ s/^\s*$/\./;
1068 (my $city = $cgiparams{'ROOTCERT_CITY'}) =~ s/^\s*$/\./;
1069 (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./;
1070
1071 # refresh
1072 #system ('/bin/touch', "${General::swroot}/ovpn/gencanow");
1073
1074 # Create the CA certificate
1075 my $pid = open(OPENSSL, "|-");
1076 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1077 if ($pid) { # parent
1078 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1079 print OPENSSL "$state\n";
1080 print OPENSSL "$city\n";
1081 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1082 print OPENSSL "$ou\n";
1083 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'} CA\n";
1084 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1085 close (OPENSSL);
1086 if ($?) {
1087 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1088 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1089 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1090 goto ROOTCERT_ERROR;
1091 }
1092 } else { # child
1093 unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1094 '-days', '999999', '-newkey', 'rsa:2048',
1095 '-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
1096 '-out', "${General::swroot}/ovpn/ca/cacert.pem",
1097 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
1098 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1099 goto ROOTCERT_ERROR;
1100 }
1101 }
1102
1103 # Create the Host certificate request
1104 $pid = open(OPENSSL, "|-");
1105 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto ROOTCERT_ERROR;};
1106 if ($pid) { # parent
1107 print OPENSSL "$cgiparams{'ROOTCERT_COUNTRY'}\n";
1108 print OPENSSL "$state\n";
1109 print OPENSSL "$city\n";
1110 print OPENSSL "$cgiparams{'ROOTCERT_ORGANIZATION'}\n";
1111 print OPENSSL "$ou\n";
1112 print OPENSSL "$cgiparams{'ROOTCERT_HOSTNAME'}\n";
1113 print OPENSSL "$cgiparams{'ROOTCERT_EMAIL'}\n";
1114 print OPENSSL ".\n";
1115 print OPENSSL ".\n";
1116 close (OPENSSL);
1117 if ($?) {
1118 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1119 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1120 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1121 goto ROOTCERT_ERROR;
1122 }
1123 } else { # child
1124 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1125 '-newkey', 'rsa:1024',
1126 '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
1127 '-out', "${General::swroot}/ovpn/certs/serverreq.pem",
1128 '-extensions', 'server',
1129 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
1130 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
1131 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1132 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1133 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1134 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1135 goto ROOTCERT_ERROR;
1136 }
1137 }
1138
1139 # Sign the host certificate request
1140 system('/usr/bin/openssl', 'ca', '-days', '999999',
1141 '-batch', '-notext',
1142 '-in', "${General::swroot}/ovpn/certs/serverreq.pem",
1143 '-out', "${General::swroot}/ovpn/certs/servercert.pem",
1144 '-extensions', 'server',
1145 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
1146 if ($?) {
1147 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1148 unlink ("${General::swroot}/ovpn/ca/cakey.pem");
1149 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1150 unlink ("${General::swroot}/ovpn/serverkey.pem");
1151 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1152 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1153 &newcleanssldatabase();
1154 goto ROOTCERT_ERROR;
1155 } else {
1156 unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
1157 &deletebackupcert();
1158 }
1159
1160 # Create an empty CRL
1161 system('/usr/bin/openssl', 'ca', '-gencrl',
1162 '-out', "${General::swroot}/ovpn/crls/cacrl.pem",
1163 '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
1164 if ($?) {
1165 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1166 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1167 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1168 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1169 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
1170 &cleanssldatabase();
1171 goto ROOTCERT_ERROR;
1172 # } else {
1173 # &cleanssldatabase();
1174 }
1175 # Create Diffie Hellmann Parameter
1176 system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache',
1177 '-out', "${General::swroot}/ovpn/ca/dh1024.pem",
1178 '1024' );
1179 if ($?) {
1180 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1181 unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
1182 unlink ("${General::swroot}/ovpn/certs/servercert.pem");
1183 unlink ("${General::swroot}/ovpn/ca/cacert.pem");
1184 unlink ("${General::swroot}/ovpn/crls/cacrl.pem");
1185 unlink ("${General::swroot}/ovpn/ca/dh1024.pem");
1186 &cleanssldatabase();
1187 goto ROOTCERT_ERROR;
1188 # } else {
1189 # &cleanssldatabase();
1190 }
1191 goto ROOTCERT_SUCCESS;
1192 }
1193 ROOTCERT_ERROR:
1194 if ($cgiparams{'ACTION'} ne '') {
1195 &Header::showhttpheaders();
1196 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1197 &Header::openbigbox('100%', 'LEFT', '', '');
1198 if ($errormessage) {
1199 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1200 print "<class name='base'>$errormessage";
1201 print "&nbsp;</class>";
1202 &Header::closebox();
1203 }
1204 &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:");
1205 print <<END
1206 <form method='post' enctype='multipart/form-data'>
1207 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
1208 <tr><td width='30%' class='base'>$Lang::tr{'organization name'}:</td>
1209 <td width='35%' class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_ORGANIZATION' value='$cgiparams{'ROOTCERT_ORGANIZATION'}' size='32' /></td>
1210 <td width='35%' colspan='2'>&nbsp;</td></tr>
1211 <tr><td class='base'>$Lang::tr{'ipfires hostname'}:</td>
1212 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_HOSTNAME' value='$cgiparams{'ROOTCERT_HOSTNAME'}' size='32' /></td>
1213 <td colspan='2'>&nbsp;</td></tr>
1214 <tr><td class='base'>$Lang::tr{'your e-mail'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1215 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_EMAIL' value='$cgiparams{'ROOTCERT_EMAIL'}' size='32' /></td>
1216 <td colspan='2'>&nbsp;</td></tr>
1217 <tr><td class='base'>$Lang::tr{'your department'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1218 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_OU' value='$cgiparams{'ROOTCERT_OU'}' size='32' /></td>
1219 <td colspan='2'>&nbsp;</td></tr>
1220 <tr><td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1221 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_CITY' value='$cgiparams{'ROOTCERT_CITY'}' size='32' /></td>
1222 <td colspan='2'>&nbsp;</td></tr>
1223 <tr><td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' alt'*' /></td>
1224 <td class='base' nowrap='nowrap'><input type='text' name='ROOTCERT_STATE' value='$cgiparams{'ROOTCERT_STATE'}' size='32' /></td>
1225 <td colspan='2'>&nbsp;</td></tr>
1226 <tr><td class='base'>$Lang::tr{'country'}:</td>
1227 <td class='base'><select name='ROOTCERT_COUNTRY'>
1228
1229 END
1230 ;
1231 foreach my $country (sort keys %{Countries::countries}) {
1232 print "<option value='$Countries::countries{$country}'";
1233 if ( $Countries::countries{$country} eq $cgiparams{'ROOTCERT_COUNTRY'} ) {
1234 print " selected='selected'";
1235 }
1236 print ">$country</option>";
1237 }
1238 print <<END
1239 </select></td>
1240 <td colspan='2'>&nbsp;</td></tr>
1241 <tr><td>&nbsp;</td>
1242 <td><input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' /></td>
1243 <td>&nbsp;</td><td>&nbsp;</td></tr>
1244 <tr><td class='base' colspan='4' align='left'>
1245 <img src='/blob.gif' valign='top' alt='*' />&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1246 <tr><td class='base' colspan='4' align='left'>
1247 <b><font color='${Header::colourred}'>$Lang::tr{'capswarning'}</font></b>:
1248 $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'}
1249 </td></tr>
1250 <tr><td colspan='4' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>
1251 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'upload p12 file'}:</td>
1252 <td nowrap='nowrap'><input type='file' name='FH' size='32'></td>
1253 <td colspan='2'>&nbsp;</td></tr>
1254 <tr><td class='base'>$Lang::tr{'pkcs12 file password'}:&nbsp;<img src='/blob.gif' alt='*' ></td>
1255 <td class='base' nowrap='nowrap'><input type='password' name='P12_PASS' value='$cgiparams{'P12_PASS'}' size='32' /></td>
1256 <td colspan='2'>&nbsp;</td></tr>
1257 <tr><td>&nbsp;</td>
1258 <td><input type='submit' name='ACTION' value='$Lang::tr{'upload p12 file'}' /></td>
1259 <td colspan='2'>&nbsp;</td></tr>
1260 <tr><td class='base' colspan='4' align='left'>
1261 <img src='/blob.gif' valign='top' al='*' >&nbsp;$Lang::tr{'this field may be blank'}</td></tr>
1262 </form></table>
1263 END
1264 ;
1265 &Header::closebox();
1266
1267 &Header::closebigbox();
1268 &Header::closepage();
1269 exit(0)
1270 }
1271
1272 ROOTCERT_SUCCESS:
1273 system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem");
1274 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1275 # $vpnsettings{'ENABLE_BLUE'} eq 'on') {
1276 # system('/usr/local/bin/ipsecctrl', 'S');
1277 # }
1278
1279 ###
1280 ### Enable/Disable connection
1281 ###
1282 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1283
1284 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1285 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1286
1287 if ($confighash{$cgiparams{'KEY'}}) {
1288 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1289 $confighash{$cgiparams{'KEY'}}[0] = 'on';
1290 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1291 #&writeserverconf();
1292 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1293 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1294 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1295 # }
1296 } else {
1297 $confighash{$cgiparams{'KEY'}}[0] = 'off';
1298 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1299 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1300 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1301 # }
1302 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1303 #&writeserverconf();
1304 }
1305 } else {
1306 $errormessage = $Lang::tr{'invalid key'};
1307 }
1308
1309 ###
1310 ### Download OpenVPN client package
1311 ###
1312 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'dl client arch'}) {
1313 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1314 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1315 my $file = '';
1316 my $clientovpn = '';
1317 my @fileholder;
1318 my $tempdir = tempdir( CLEANUP => 1 );
1319 my $zippath = "$tempdir/";
1320 my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip";
1321 my $zippathname = "$zippath$zipname";
1322 $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn";
1323 open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!";
1324 flock CLIENTCONF, 2;
1325
1326 my $zip = Archive::Zip->new();
1327
1328 print CLIENTCONF "#OpenVPN Server conf\r\n";
1329 print CLIENTCONF "tls-client\r\n";
1330 print CLIENTCONF "client\r\n";
1331 print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n";
1332 print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n";
1333 print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n";
1334 if ( $vpnsettings{'ENABLED'} eq 'on'){
1335 print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n";
1336 if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
1337 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n";
1338 print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1339 }
1340 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1341 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
1342 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1343 }
1344 } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){
1345 print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1346 if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1347 print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n";
1348 print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1349 }
1350 } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){
1351 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
1352 }
1353
1354 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
1355 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
1356 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
1357 } else {
1358 print CLIENTCONF "ca cacert.pem\r\n";
1359 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
1360 print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
1361 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
1362 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
1363 }
1364 print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
1365 if ($vpnsettings{DCOMPLZO} eq 'on') {
1366 print CLIENTCONF "comp-lzo\r\n";
1367 }
1368 print CLIENTCONF "verb 3\r\n";
1369 print CLIENTCONF "ns-cert-type server\r\n";
1370 close(CLIENTCONF);
1371 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
1372 my $status = $zip->writeToFileNamed($zippathname);
1373
1374 open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
1375 @fileholder = <DLFILE>;
1376 print "Content-Type:application/x-download\n";
1377 print "Content-Disposition:attachment;filename=$zipname\n\n";
1378 print @fileholder;
1379 exit (0);
1380
1381 ###
1382 ### Remove connection
1383 ###
1384 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
1385 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1386 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1387
1388 if ($confighash{$cgiparams{'KEY'}}) {
1389 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1390 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1391 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1392 # }
1393 #
1394 my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
1395 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1396 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1397 delete $confighash{$cgiparams{'KEY'}};
1398 my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
1399 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1400 #&writeserverconf();
1401 } else {
1402 $errormessage = $Lang::tr{'invalid key'};
1403 }
1404 ###
1405 ### Download PKCS12 file
1406 ###
1407 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download pkcs12 file'}) {
1408 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1409
1410 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
1411 print "Content-Type: application/octet-stream\r\n\r\n";
1412 print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
1413 exit (0);
1414
1415 ###
1416 ### Display certificate
1417 ###
1418 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show certificate'}) {
1419 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1420
1421 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1422 &Header::showhttpheaders();
1423 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1424 &Header::openbigbox('100%', 'LEFT', '', '');
1425 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:");
1426 my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1427 $output = &Header::cleanhtml($output,"y");
1428 print "<pre>$output</pre>\n";
1429 &Header::closebox();
1430 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1431 &Header::closebigbox();
1432 &Header::closepage();
1433 exit(0);
1434 }
1435 ###
1436 ### Display Certificate Revoke List
1437 ###
1438 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) {
1439 # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1440
1441 if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") {
1442 &Header::showhttpheaders();
1443 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1444 &Header::openbigbox('100%', 'LEFT', '', '');
1445 &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:");
1446 my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`;
1447 $output = &Header::cleanhtml($output,"y");
1448 print "<pre>$output</pre>\n";
1449 &Header::closebox();
1450 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1451 &Header::closebigbox();
1452 &Header::closepage();
1453 exit(0);
1454 }
1455
1456 ###
1457 ### Advanced Server Settings
1458 ###
1459
1460 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'advanced server'}) {
1461 %cgiparams = ();
1462 %cahash = ();
1463 %confighash = ();
1464 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
1465
1466 # if ($cgiparams{'CLIENT2CLIENT'} eq '') {
1467 # $cgiparams{'CLIENT2CLIENT'} = 'on';
1468 # }
1469 ADV_ERROR:
1470 if ($cgiparams{'MAX_CLIENTS'} eq '') {
1471 $cgiparams{'MAX_CLIENTS'} = '100';
1472 }
1473
1474 if ($cgiparams{'KEEPALIVE_1'} eq '') {
1475 $cgiparams{'KEEPALIVE_1'} = '10';
1476 }
1477 if ($cgiparams{'KEEPALIVE_2'} eq '') {
1478 $cgiparams{'KEEPALIVE_2'} = '60';
1479 }
1480 if ($cgiparams{'LOG_VERB'} eq '') {
1481 $cgiparams{'LOG_VERB'} = '3';
1482 }
1483 $checked{'CLIENT2CLIENT'}{'off'} = '';
1484 $checked{'CLIENT2CLIENT'}{'on'} = '';
1485 $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
1486 $checked{'REDIRECT_GW_DEF1'}{'off'} = '';
1487 $checked{'REDIRECT_GW_DEF1'}{'on'} = '';
1488 $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED';
1489 $selected{'LOG_VERB'}{'1'} = '';
1490 $selected{'LOG_VERB'}{'2'} = '';
1491 $selected{'LOG_VERB'}{'3'} = '';
1492 $selected{'LOG_VERB'}{'4'} = '';
1493 $selected{'LOG_VERB'}{'5'} = '';
1494 $selected{'LOG_VERB'}{'6'} = '';
1495 $selected{'LOG_VERB'}{'7'} = '';
1496 $selected{'LOG_VERB'}{'8'} = '';
1497 $selected{'LOG_VERB'}{'9'} = '';
1498 $selected{'LOG_VERB'}{'10'} = '';
1499 $selected{'LOG_VERB'}{'11'} = '';
1500 $selected{'LOG_VERB'}{'0'} = '';
1501 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
1502
1503 &Header::showhttpheaders();
1504 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
1505 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
1506 if ($errormessage) {
1507 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
1508 print "<class name='base'>$errormessage\n";
1509 print "&nbsp;</class>\n";
1510 &Header::closebox();
1511 }
1512 &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
1513 print <<END
1514 <form method='post' enctype='multipart/form-data'>
1515 <table width='100%'>
1516 <tr>
1517 <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
1518 </tr>
1519 <tr>
1520 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1521 </tr>
1522 <tr>
1523 <td class='base'>Domain</td>
1524 <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30' /></td>
1525 </tr>
1526 <tr>
1527 <td class='base'>DNS</td>
1528 <td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
1529 </tr>
1530 <tr>
1531 <td class='base'>WINS</td>
1532 <td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
1533 </tr>
1534 </table>
1535 <hr size='1'>
1536 <table width='100%'>
1537 <tr>
1538 <td class'base'><b>$Lang::tr{'misc-options'}</b></td>
1539 </tr>
1540 <tr>
1541 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1542 </tr>
1543 <tr>
1544 <td class='base'>Client-To-Client</td>
1545 <td><input type='checkbox' name='CLIENT2CLIENT' $checked{'CLIENT2CLIENT'}{'on'} /></td>
1546 </tr>
1547 <tr>
1548 <td class='base'>Redirect-Gateway def1</td>
1549 <td><input type='checkbox' name='REDIRECT_GW_DEF1' $checked{'REDIRECT_GW_DEF1'}{'on'} /></td>
1550 </tr>
1551 <tr>
1552 <td class='base'>Max-Clients</td>
1553 <td><input type='text' name='MAX_CLIENTS' value='$cgiparams{'MAX_CLIENTS'}' size='30' /></td>
1554 </tr>
1555 <td class='base'>Keppalive (ping/ping-restart)</td>
1556 <td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='30' /></td>
1557 <td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='30' /></td>
1558 </tr>
1559 </table>
1560 <hr size='1'>
1561 <table width='100%'>
1562 <tr>
1563 <td class'base'><b>$Lang::tr{'log-options'}</b></td>
1564 </tr>
1565 <tr>
1566 <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
1567 </tr>
1568
1569 <tr><td class='base'>VERB</td>
1570 <td><select name='LOG_VERB'><option value='1' $selected{'LOG_VERB'}{'1'}>1</option>
1571 <option value='2' $selected{'LOG_VERB'}{'2'}>2</option>
1572 <option value='3' $selected{'LOG_VERB'}{'3'}>3</option>
1573 <option value='4' $selected{'LOG_VERB'}{'4'}>4</option>
1574 <option value='5' $selected{'LOG_VERB'}{'5'}>5</option>
1575 <option value='6' $selected{'LOG_VERB'}{'6'}>6</option>
1576 <option value='7' $selected{'LOG_VERB'}{'7'}>7</option>
1577 <option value='8' $selected{'LOG_VERB'}{'8'}>8</option>
1578 <option value='9' $selected{'LOG_VERB'}{'9'}>9</option>
1579 <option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
1580 <option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
1581 <option value='0' $selected{'LOG_VERB'}{'0'}>0</option></select></td>
1582 </table>
1583 <hr size='1'>
1584 <table width='100%'>
1585 <tr>
1586 <td>&nbsp;</td>
1587 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-adv-options'}' /></td>
1588 <td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
1589 <td>&nbsp;</td>
1590 </tr>
1591 </table>
1592 </form>
1593 END
1594 ;
1595
1596 &Header::closebox();
1597 # print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1598 &Header::closebigbox();
1599 &Header::closepage();
1600 exit(0);
1601
1602 ###
1603 ### Openvpn Connections Statistics
1604 ###
1605 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn con stat'}) {
1606 &Header::showhttpheaders();
1607 &Header::openpage($Lang::tr{'ovpn con stat'}, 1, '');
1608 &Header::openbigbox('100%', 'LEFT', '', '');
1609 &Header::openbox('100%', 'LEFT', $Lang::tr{'ovpn con stat'});
1610
1611 #
1612 # <td><b>$Lang::tr{'protocol'}</b></td>
1613 # protocol temp removed
1614 print <<END
1615 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
1616 <tr>
1617 <td><b>$Lang::tr{'common name'}</b></td>
1618 <td><b>$Lang::tr{'real address'}</b></td>
1619 <td><b>$Lang::tr{'virtual address'}</b></td>
1620 <td><b>$Lang::tr{'loged in at'}</b></td>
1621 <td><b>$Lang::tr{'bytes sent'}</b></td>
1622 <td><b>$Lang::tr{'bytes received'}</b></td>
1623 <td><b>$Lang::tr{'last activity'}</b></td>
1624 </tr>
1625 END
1626 ;
1627 my $filename = "${General::swroot}/ovpn/server.log";
1628 open(FILE, $filename) or die 'Unable to open config file.';
1629 my @current = <FILE>;
1630 close(FILE);
1631 my @users =();
1632 my $status;
1633 my $uid = 0;
1634 my $cn;
1635 my @match = ();
1636 my $proto = "udp";
1637 my $address;
1638 my %userlookup = ();
1639 foreach my $line (@current)
1640 {
1641 chomp($line);
1642 if ( $line =~ /^Updated,(.+)/){
1643 @match = split( /^Updated,(.+)/, $line);
1644 $status = $match[1];
1645 }
1646 #gian
1647 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
1648 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
1649 if ($match[1] ne "Common Name") {
1650 $cn = $match[1];
1651 $userlookup{$match[2]} = $uid;
1652 $users[$uid]{'CommonName'} = $match[1];
1653 $users[$uid]{'RealAddress'} = $match[2];
1654 $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
1655 $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
1656 $users[$uid]{'Since'} = $match[5];
1657 $users[$uid]{'Proto'} = $proto;
1658 $uid++;
1659 }
1660 }
1661 if ( $line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) {
1662 @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line);
1663 if ($match[1] ne "Virtual Address") {
1664 $address = $match[3];
1665 #find the uid in the lookup table
1666 $uid = $userlookup{$address};
1667 $users[$uid]{'VirtualAddress'} = $match[1];
1668 $users[$uid]{'LastRef'} = $match[4];
1669 }
1670 }
1671 }
1672 my $user2 = @users;
1673 if ($user2 >= 1){
1674 for (my $idx = 1; $idx <= $user2; $idx++){
1675 if ($idx % 2) {
1676 print "<tr bgcolor='${Header::table1colour}'>\n";
1677 } else {
1678 print "<tr bgcolor='${Header::table2colour}'>\n";
1679 }
1680 print "<td align='left'>$users[$idx-1]{'CommonName'}</td>";
1681 print "<td align='left'>$users[$idx-1]{'RealAddress'}</td>";
1682 print "<td align='left'>$users[$idx-1]{'VirtualAddress'}</td>";
1683 print "<td align='left'>$users[$idx-1]{'Since'}</td>";
1684 print "<td align='left'>$users[$idx-1]{'BytesSent'}</td>";
1685 print "<td align='left'>$users[$idx-1]{'BytesReceived'}</td>";
1686 print "<td align='left'>$users[$idx-1]{'LastRef'}</td>";
1687 # print "<td align='left'>$users[$idx-1]{'Proto'}</td>";
1688 }
1689 }
1690
1691 print "</table>";
1692 print <<END
1693 <table width='100%' border='0' cellpadding='2' cellspacing='0'>
1694 <tr><td></td></tr>
1695 <tr><td></td></tr>
1696 <tr><td></td></tr>
1697 <tr><td></td></tr>
1698 <tr><td align='center' >$Lang::tr{'the statistics were last updated at'} <b>$status</b></td></tr>
1699 </table>
1700 END
1701 ;
1702 &Header::closebox();
1703 print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
1704 &Header::closebigbox();
1705 &Header::closepage();
1706 exit(0);
1707
1708 ###
1709 ### Download Certificate
1710 ###
1711 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
1712 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1713
1714 if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
1715 print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
1716 print "Content-Type: application/octet-stream\r\n\r\n";
1717 print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
1718 exit (0);
1719 }
1720
1721 ###
1722 ### Enable/Disable connection
1723 ###
1724 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
1725
1726 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1727 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1728
1729 if ($confighash{$cgiparams{'KEY'}}) {
1730 if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
1731 $confighash{$cgiparams{'KEY'}}[0] = 'on';
1732 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1733 #&writeserverconf();
1734 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1735 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1736 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1737 # }
1738 } else {
1739 $confighash{$cgiparams{'KEY'}}[0] = 'off';
1740 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1741 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1742 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1743 # }
1744 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1745 #&writeserverconf();
1746 }
1747 } else {
1748 $errormessage = $Lang::tr{'invalid key'};
1749 }
1750
1751 ###
1752 ### Restart connection
1753 ###
1754 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'restart'}) {
1755 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1756 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1757
1758 if ($confighash{$cgiparams{'KEY'}}) {
1759 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1760 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1761 # system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
1762 # }
1763 } else {
1764 $errormessage = $Lang::tr{'invalid key'};
1765 }
1766
1767 ###
1768 ### Remove connection
1769 ###
1770 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
1771 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1772 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1773
1774 if ($confighash{$cgiparams{'KEY'}}) {
1775 # if ($vpnsettings{'ENABLED'} eq 'on' ||
1776 # $vpnsettings{'ENABLED_BLUE'} eq 'on') {
1777 # system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
1778 # }
1779 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
1780 unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
1781 delete $confighash{$cgiparams{'KEY'}};
1782 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1783 #&writeserverconf();
1784 } else {
1785 $errormessage = $Lang::tr{'invalid key'};
1786 }
1787 #test33
1788
1789 ###
1790 ### Choose between adding a host-net or net-net connection
1791 ###
1792 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
1793 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1794 &Header::showhttpheaders();
1795 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
1796 &Header::openbigbox('100%', 'LEFT', '', '');
1797 &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
1798 print <<END
1799 <b>$Lang::tr{'connection type'}:</b><br />
1800 <table><form method='post'>
1801 <tr><td><input type='radio' name='TYPE' value='host' checked /></td>
1802 <td class='base'>$Lang::tr{'host to net vpn'}</td></tr>
1803 <tr><td><input type='radio' name='TYPE' value='net' disabled='disabled' /></td>
1804 <td class='base'>$Lang::tr{'net to net vpn'}</td></tr>
1805 <tr><td align='center' colspan='2'><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td></tr>
1806 </form></table>
1807 END
1808 ;
1809 &Header::closebox();
1810 &Header::closebigbox();
1811 &Header::closepage();
1812 exit (0);
1813 ###
1814 ### Adding a new connection
1815 ###
1816 } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) ||
1817 ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) ||
1818 ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) {
1819
1820 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
1821 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
1822 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
1823
1824 if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
1825 if (! $confighash{$cgiparams{'KEY'}}[0]) {
1826 $errormessage = $Lang::tr{'invalid key'};
1827 goto VPNCONF_END;
1828 }
1829 $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
1830 $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
1831 $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
1832 $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
1833 $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
1834 $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
1835 $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
1836 $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
1837 $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
1838 $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
1839 $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
1840 #new fields
1841 $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
1842 $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
1843 $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
1844 $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
1845 $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
1846 #new fields
1847 #ab hiere error uebernehmen
1848 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
1849 $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
1850 if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
1851 $errormessage = $Lang::tr{'connection type is invalid'};
1852 goto VPNCONF_ERROR;
1853 }
1854
1855
1856 if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
1857 $errormessage = $Lang::tr{'name must only contain characters'};
1858 goto VPNCONF_ERROR;
1859 }
1860
1861 if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
1862 $errormessage = $Lang::tr{'name is invalid'};
1863 goto VPNCONF_ERROR;
1864 }
1865
1866 if (length($cgiparams{'NAME'}) >60) {
1867 $errormessage = $Lang::tr{'name too long'};
1868 goto VPNCONF_ERROR;
1869 }
1870
1871 # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
1872 # $errormessage = $Lang::tr{'ipfire side is invalid'};
1873 # goto VPNCONF_ERROR;
1874 # }
1875
1876 # Check if there is no other entry with this name
1877 if (! $cgiparams{'KEY'}) {
1878 foreach my $key (keys %confighash) {
1879 if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
1880 $errormessage = $Lang::tr{'a connection with this name already exists'};
1881 goto VPNCONF_ERROR;
1882 }
1883 }
1884 }
1885
1886 if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
1887 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1888 goto VPNCONF_ERROR;
1889 }
1890
1891 if ($cgiparams{'REMOTE'}) {
1892 if (! &General::validip($cgiparams{'REMOTE'})) {
1893 if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
1894 $errormessage = $Lang::tr{'invalid input for remote host/ip'};
1895 goto VPNCONF_ERROR;
1896 } else {
1897 if (&valid_dns_host($cgiparams{'REMOTE'})) {
1898 $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
1899 }
1900 }
1901 }
1902 }
1903 if ($cgiparams{'TYPE'} ne 'host') {
1904 unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
1905 $errormessage = $Lang::tr{'local subnet is invalid'};
1906 goto VPNCONF_ERROR;}
1907 }
1908 # Check if there is no other entry without IP-address and PSK
1909 if ($cgiparams{'REMOTE'} eq '') {
1910 foreach my $key (keys %confighash) {
1911 if(($cgiparams{'KEY'} ne $key) &&
1912 ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
1913 $confighash{$key}[10] eq '') {
1914 $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
1915 goto VPNCONF_ERROR;
1916 }
1917 }
1918 }
1919 if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
1920 $errormessage = $Lang::tr{'remote subnet is invalid'};
1921 goto VPNCONF_ERROR;
1922 }
1923
1924 if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
1925 $errormessage = $Lang::tr{'invalid input'};
1926 goto VPNCONF_ERROR;
1927 }
1928 if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
1929 $errormessage = $Lang::tr{'invalid input'};
1930 goto VPNCONF_ERROR;
1931 }
1932
1933 #fixplausi
1934 if ($cgiparams{'AUTH'} eq 'psk') {
1935 # if (! length($cgiparams{'PSK'}) ) {
1936 # $errormessage = $Lang::tr{'pre-shared key is too short'};
1937 # goto VPNCONF_ERROR;
1938 # }
1939 # if ($cgiparams{'PSK'} =~ /['",&]/) {
1940 # $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
1941 # goto VPNCONF_ERROR;
1942 # }
1943 } elsif ($cgiparams{'AUTH'} eq 'certreq') {
1944 if ($cgiparams{'KEY'}) {
1945 $errormessage = $Lang::tr{'cant change certificates'};
1946 goto VPNCONF_ERROR;
1947 }
1948 if (ref ($cgiparams{'FH'}) ne 'Fh') {
1949 $errormessage = $Lang::tr{'there was no file upload'};
1950 goto VPNCONF_ERROR;
1951 }
1952
1953 # Move uploaded certificate request to a temporary file
1954 (my $fh, my $filename) = tempfile( );
1955 if (copy ($cgiparams{'FH'}, $fh) != 1) {
1956 $errormessage = $!;
1957 goto VPNCONF_ERROR;
1958 }
1959
1960 # Sign the certificate request and move it
1961 # Sign the host certificate request
1962 system('/usr/bin/openssl', 'ca', '-days', '999999',
1963 '-batch', '-notext',
1964 '-in', $filename,
1965 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
1966 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
1967 if ($?) {
1968 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
1969 unlink ($filename);
1970 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
1971 &newcleanssldatabase();
1972 goto VPNCONF_ERROR;
1973 } else {
1974 unlink ($filename);
1975 &deletebackupcert();
1976 }
1977
1978 my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
1979 $temp =~ /Subject:.*CN=(.*)[\n]/;
1980 $temp = $1;
1981 $temp =~ s+/Email+, E+;
1982 $temp =~ s/ ST=/ S=/;
1983 $cgiparams{'CERT_NAME'} = $temp;
1984 $cgiparams{'CERT_NAME'} =~ s/,//g;
1985 $cgiparams{'CERT_NAME'} =~ s/\'//g;
1986 if ($cgiparams{'CERT_NAME'} eq '') {
1987 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
1988 goto VPNCONF_ERROR;
1989 }
1990 } elsif ($cgiparams{'AUTH'} eq 'certfile') {
1991 if ($cgiparams{'KEY'}) {
1992 $errormessage = $Lang::tr{'cant change certificates'};
1993 goto VPNCONF_ERROR;
1994 }
1995 if (ref ($cgiparams{'FH'}) ne 'Fh') {
1996 $errormessage = $Lang::tr{'there was no file upload'};
1997 goto VPNCONF_ERROR;
1998 }
1999 # Move uploaded certificate to a temporary file
2000 (my $fh, my $filename) = tempfile( );
2001 if (copy ($cgiparams{'FH'}, $fh) != 1) {
2002 $errormessage = $!;
2003 goto VPNCONF_ERROR;
2004 }
2005
2006 # Verify the certificate has a valid CA and move it
2007 my $validca = 0;
2008 my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`;
2009 if ($test =~ /: OK/) {
2010 $validca = 1;
2011 } else {
2012 foreach my $key (keys %cahash) {
2013 $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`;
2014 if ($test =~ /: OK/) {
2015 $validca = 1;
2016 }
2017 }
2018 }
2019 if (! $validca) {
2020 $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
2021 unlink ($filename);
2022 goto VPNCONF_ERROR;
2023 } else {
2024 move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2025 if ($? ne 0) {
2026 $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
2027 unlink ($filename);
2028 goto VPNCONF_ERROR;
2029 }
2030 }
2031
2032 my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
2033 $temp =~ /Subject:.*CN=(.*)[\n]/;
2034 $temp = $1;
2035 $temp =~ s+/Email+, E+;
2036 $temp =~ s/ ST=/ S=/;
2037 $cgiparams{'CERT_NAME'} = $temp;
2038 $cgiparams{'CERT_NAME'} =~ s/,//g;
2039 $cgiparams{'CERT_NAME'} =~ s/\'//g;
2040 if ($cgiparams{'CERT_NAME'} eq '') {
2041 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2042 $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
2043 goto VPNCONF_ERROR;
2044 }
2045 } elsif ($cgiparams{'AUTH'} eq 'certgen') {
2046 if ($cgiparams{'KEY'}) {
2047 $errormessage = $Lang::tr{'cant change certificates'};
2048 goto VPNCONF_ERROR;
2049 }
2050 # Validate input since the form was submitted
2051 if (length($cgiparams{'CERT_NAME'}) >60) {
2052 $errormessage = $Lang::tr{'name too long'};
2053 goto VPNCONF_ERROR;
2054 }
2055 if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
2056 $errormessage = $Lang::tr{'invalid input for name'};
2057 goto VPNCONF_ERROR;
2058 }
2059 if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
2060 $errormessage = $Lang::tr{'invalid input for e-mail address'};
2061 goto VPNCONF_ERROR;
2062 }
2063 if (length($cgiparams{'CERT_EMAIL'}) > 40) {
2064 $errormessage = $Lang::tr{'e-mail address too long'};
2065 goto VPNCONF_ERROR;
2066 }
2067 if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2068 $errormessage = $Lang::tr{'invalid input for department'};
2069 goto VPNCONF_ERROR;
2070 }
2071 if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
2072 $errormessage = $Lang::tr{'organization too long'};
2073 goto VPNCONF_ERROR;
2074 }
2075 if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
2076 $errormessage = $Lang::tr{'invalid input for organization'};
2077 goto VPNCONF_ERROR;
2078 }
2079 if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2080 $errormessage = $Lang::tr{'invalid input for city'};
2081 goto VPNCONF_ERROR;
2082 }
2083 if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
2084 $errormessage = $Lang::tr{'invalid input for state or province'};
2085 goto VPNCONF_ERROR;
2086 }
2087 if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
2088 $errormessage = $Lang::tr{'invalid input for country'};
2089 goto VPNCONF_ERROR;
2090 }
2091 if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
2092 if (length($cgiparams{'CERT_PASS1'}) < 5) {
2093 $errormessage = $Lang::tr{'password too short'};
2094 goto VPNCONF_ERROR;
2095 }
2096 }
2097 if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
2098 $errormessage = $Lang::tr{'passwords do not match'};
2099 goto VPNCONF_ERROR;
2100 }
2101
2102 # Replace empty strings with a .
2103 (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
2104 (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
2105 (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
2106
2107 # Create the Host certificate request client
2108 my $pid = open(OPENSSL, "|-");
2109 $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
2110 if ($pid) { # parent
2111 print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
2112 print OPENSSL "$state\n";
2113 print OPENSSL "$city\n";
2114 print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
2115 print OPENSSL "$ou\n";
2116 print OPENSSL "$cgiparams{'CERT_NAME'}\n";
2117 print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
2118 print OPENSSL ".\n";
2119 print OPENSSL ".\n";
2120 close (OPENSSL);
2121 if ($?) {
2122 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2123 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
2124 unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
2125 goto VPNCONF_ERROR;
2126 }
2127 } else { # child
2128 unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
2129 '-newkey', 'rsa:1024',
2130 '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
2131 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
2132 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
2133 $errormessage = "$Lang::tr{'cant start openssl'}: $!";
2134 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2135 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2136 goto VPNCONF_ERROR;
2137 }
2138 }
2139
2140 # Sign the host certificate request
2141 system('/usr/bin/openssl', 'ca', '-days', '999999',
2142 '-batch', '-notext',
2143 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
2144 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
2145 '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
2146 if ($?) {
2147 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2148 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2149 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2150 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2151 &newcleanssldatabase();
2152 goto VPNCONF_ERROR;
2153 } else {
2154 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
2155 &deletebackupcert();
2156 }
2157
2158 # Create the pkcs12 file
2159 system('/usr/bin/openssl', 'pkcs12', '-export',
2160 '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
2161 '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
2162 '-name', $cgiparams{'NAME'},
2163 '-passout', "pass:$cgiparams{'CERT_PASS1'}",
2164 '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
2165 '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
2166 '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
2167 if ($?) {
2168 $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
2169 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2170 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
2171 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
2172 goto VPNCONF_ERROR;
2173 } else {
2174 unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
2175 }
2176 } elsif ($cgiparams{'AUTH'} eq 'cert') {
2177 ;# Nothing, just editing
2178 } else {
2179 $errormessage = $Lang::tr{'invalid input for authentication method'};
2180 goto VPNCONF_ERROR;
2181 }
2182
2183 # Check if there is no other entry with this common name
2184 if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
2185 foreach my $key (keys %confighash) {
2186 if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
2187 $errormessage = $Lang::tr{'a connection with this common name already exists'};
2188 goto VPNCONF_ERROR;
2189 }
2190 }
2191 }
2192
2193 # Save the config
2194 my $key = $cgiparams{'KEY'};
2195 if (! $key) {
2196 $key = &General::findhasharraykey (\%confighash);
2197 foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
2198 }
2199 $confighash{$key}[0] = $cgiparams{'ENABLED'};
2200 $confighash{$key}[1] = $cgiparams{'NAME'};
2201 if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
2202 $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
2203 }
2204 $confighash{$key}[3] = $cgiparams{'TYPE'};
2205 if ($cgiparams{'AUTH'} eq 'psk') {
2206 $confighash{$key}[4] = 'psk';
2207 $confighash{$key}[5] = $cgiparams{'PSK'};
2208 } else {
2209 $confighash{$key}[4] = 'cert';
2210 }
2211 if ($cgiparams{'TYPE'} eq 'net') {
2212 $confighash{$key}[6] = $cgiparams{'SIDE'};
2213 $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
2214 }
2215 $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
2216 $confighash{$key}[10] = $cgiparams{'REMOTE'};
2217 $confighash{$key}[25] = $cgiparams{'REMARK'};
2218 $confighash{$key}[26] = $cgiparams{'INTERFACE'};
2219 # new fields
2220 $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
2221 $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
2222 $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
2223 $confighash{$key}[30] = $cgiparams{'COMPLZO'};
2224 $confighash{$key}[31] = $cgiparams{'MTU'};
2225 # new fileds
2226 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2227 if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
2228 $cgiparams{'KEY'} = $key;
2229 $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
2230 }
2231 goto VPNCONF_END;
2232 } else {
2233 $cgiparams{'ENABLED'} = 'on';
2234 $cgiparams{'SIDE'} = 'left';
2235 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
2236 $cgiparams{'AUTH'} = 'psk';
2237 } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
2238 $cgiparams{'AUTH'} = 'certfile';
2239 } else {
2240 $cgiparams{'AUTH'} = 'certgen';
2241 }
2242 $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
2243 $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
2244 $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
2245 $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
2246 $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
2247 }
2248
2249 VPNCONF_ERROR:
2250 $checked{'ENABLED'}{'off'} = '';
2251 $checked{'ENABLED'}{'on'} = '';
2252 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
2253 $checked{'ENABLED_BLUE'}{'off'} = '';
2254 $checked{'ENABLED_BLUE'}{'on'} = '';
2255 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
2256 $checked{'ENABLED_ORANGE'}{'off'} = '';
2257 $checked{'ENABLED_ORANGE'}{'on'} = '';
2258 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
2259
2260
2261 $checked{'EDIT_ADVANCED'}{'off'} = '';
2262 $checked{'EDIT_ADVANCED'}{'on'} = '';
2263 $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
2264
2265 $selected{'SIDE'}{'server'} = '';
2266 $selected{'SIDE'}{'client'} = '';
2267 $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
2268
2269 $checked{'AUTH'}{'psk'} = '';
2270 $checked{'AUTH'}{'certreq'} = '';
2271 $checked{'AUTH'}{'certgen'} = '';
2272 $checked{'AUTH'}{'certfile'} = '';
2273 $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
2274
2275 $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
2276
2277 $checked{'COMPLZO'}{'off'} = '';
2278 $checked{'COMPLZO'}{'on'} = '';
2279 $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
2280
2281
2282 if (1) {
2283 &Header::showhttpheaders();
2284 &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
2285 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
2286 if ($errormessage) {
2287 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2288 print "<class name='base'>$errormessage";
2289 print "&nbsp;</class>";
2290 &Header::closebox();
2291 }
2292
2293 if ($warnmessage) {
2294 &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
2295 print "<class name='base'>$warnmessage";
2296 print "&nbsp;</class>";
2297 &Header::closebox();
2298 }
2299
2300 print "<form method='post' enctype='multipart/form-data'>";
2301 print "<input type='hidden' name='TYPE' value='$cgiparams{'TYPE'}' />";
2302
2303 if ($cgiparams{'KEY'}) {
2304 print "<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />";
2305 print "<input type='hidden' name='AUTH' value='$cgiparams{'AUTH'}' />";
2306 }
2307
2308 &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:");
2309 print "<table width='100%'>\n";
2310 print "<tr><td width='25%' class='boldbase'>$Lang::tr{'name'}:</td>";
2311 if ($cgiparams{'TYPE'} eq 'host') {
2312 if ($cgiparams{'KEY'}) {
2313 print "<td width='35%' class='base'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>\n";
2314 } else {
2315 print "<td width='35%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' size='30' /></td>";
2316 }
2317 # print "<tr><td>$Lang::tr{'interface'}</td>";
2318 # print "<td><select name='INTERFACE'>";
2319 # print "<option value='RED' $selected{'INTERFACE'}{'RED'}>RED</option>";
2320 # if ($netsettings{'BLUE_DEV'} ne '') {
2321 # print "<option value='BLUE' $selected{'INTERFACE'}{'BLUE'}>BLUE</option>";
2322 # }
2323 # print "<option value='GREEN' $selected{'INTERFACE'}{'GREEN'}>GREEN</option>";
2324 # print "<option value='ORANGE' $selected{'INTERFACE'}{'ORANGE'}>ORANGE</option>";
2325 # print "</select></td></tr>";
2326 # print <<END
2327 } else {
2328 print "<input type='hidden' name='INTERFACE' value='red' />";
2329 if ($cgiparams{'KEY'}) {
2330 print "<td width='25%' class='base' nowrap='nowrap'><input type='hidden' name='NAME' value='$cgiparams{'NAME'}' />$cgiparams{'NAME'}</td>";
2331 } else {
2332 print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
2333 }
2334 print <<END
2335 <td width='25%'>&nbsp;</td>
2336 <td width='25%'>&nbsp;</td></tr>
2337 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'Act as'}</td>
2338 <td><select name='SIDE'><option value='server' $selected{'SIDE'}{'server'}>OpenVPN Server</option>
2339 <option value='client' $selected{'SIDE'}{'client'}>OpenVPN Client</option></select></td>
2340 <td class='boldbase'>$Lang::tr{'remote host/ip'}:</td>
2341 <td><input type='TEXT' name='REMOTE' value='$cgiparams{'REMOTE'}' /></td></tr>
2342 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'local subnet'}</td>
2343 <td><input type='TEXT' name='LOCAL_SUBNET' value='$cgiparams{'LOCAL_SUBNET'}' /></td>
2344 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'remote subnet'}</td>
2345 <td><input type='text' name='REMOTE_SUBNET' value='$cgiparams{'REMOTE_SUBNET'}' /></td></tr>
2346 ttt
2347 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td>
2348 <td><input type='TEXT' name='OVPN_SUBNET' value='$cgiparams{'OVPN_SUBNET'}' /></td></tr>
2349 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
2350 <td><select name='PROTOCOL'><option value='udp' $selected{'PROTOCOL'}{'udp'}>UDP</option>
2351 <option value='tcp' $selected{'PROTOCOL'}{'tcp'}>TCP</option></select></td>
2352 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
2353 <td><input type='TEXT' name='DEST_PORT' value='$cgiparams{'DEST_PORT'}' size='5' /></td></tr>
2354 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2355 <td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
2356 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;<img src='/blob.gif' /></td>
2357 <td> <input type='TEXT' name='MTU' VALUE='$cgiparams{'MTU'}'size='5' /></TD>
2358
2359
2360 END
2361 ;
2362 }
2363 print "<tr><td class='boldbase'>$Lang::tr{'remark title'}&nbsp;<img src='/blob.gif' /></td>";
2364 print "<td colspan='3'><input type='text' name='REMARK' value='$cgiparams{'REMARK'}' size='55' maxlength='50' /></td></tr>";
2365
2366 # if ($cgiparams{'TYPE'} eq 'net') {
2367 print "<tr><td>$Lang::tr{'enabled'} <input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>\n";
2368
2369 # if ($cgiparams{'KEY'}) {
2370 # print "<td colspan='3'>&nbsp;</td></tr></table>";
2371 # } else {
2372 # print "<td colspan='3'><input type='checkbox' name='EDIT_ADVANCED' $checked{'EDIT_ADVANCED'}{'on'} /> $Lang::tr{'edit advanced settings when done'}</tr></table>";
2373 # }
2374 # }else{
2375 print "<td colspan='3'>&nbsp;</td></tr></table>";
2376 # }
2377
2378
2379
2380 &Header::closebox();
2381
2382 if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
2383 # &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
2384 # print <<END
2385 # <table width='100%' cellpadding='0' cellspacing='5' border='0'>
2386 # <tr><td class='base' width='50%'>$Lang::tr{'use a pre-shared key'}</td>
2387 # <td class='base' width='50%'><input type='text' name='PSK' size='30' value='$cgiparams{'PSK'}' /></td></tr>
2388 # </table>
2389 END
2390 # ;
2391 # &Header::closebox();
2392 } elsif (! $cgiparams{'KEY'}) {
2393 my $disabled='';
2394 my $cakeydisabled='';
2395 my $cacrtdisabled='';
2396 if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" };
2397 if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" };
2398 &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
2399 print <<END
2400 <table width='100%' cellpadding='0' cellspacing='5' border='0'>
2401 <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' border='0' /></td></tr>
2402 <tr><td><input type='radio' name='AUTH' value='certreq' $checked{'AUTH'}{'certreq'} $cakeydisabled /></td>
2403 <td class='base'>$Lang::tr{'upload a certificate request'}</td>
2404 <td class='base' rowspan='2'><input type='file' name='FH' size='30' $cacrtdisabled></td></tr>
2405 <tr><td><input type='radio' name='AUTH' value='certfile' $checked{'AUTH'}{'certfile'} $cacrtdisabled /></td>
2406 <td class='base'>$Lang::tr{'upload a certificate'}</td></tr>
2407 <tr><td colspan='3' bgcolor='#000000'><img src='/images/null.gif' width='1' height='1' BORDER='0' /></td></tr>
2408 <tr><td><input type='radio' name='AUTH' value='certgen' $checked{'AUTH'}{'certgen'} $cakeydisabled /></td>
2409 <td class='base'>$Lang::tr{'generate a certificate'}</td><td>&nbsp;</td></tr>
2410 <tr><td>&nbsp;</td>
2411 <td class='base'>$Lang::tr{'users fullname or system hostname'}:</td>
2412 <td class='base' nowrap='nowrap'><input type='text' name='CERT_NAME' value='$cgiparams{'CERT_NAME'}' SIZE='32' $cakeydisabled /></td></tr>
2413 <tr><td>&nbsp;</td>
2414 <td class='base'>$Lang::tr{'users email'}:&nbsp;<img src='/blob.gif' /></td>
2415 <td class='base' nowrap='nowrap'><input type='text' name='CERT_EMAIL' value='$cgiparams{'CERT_EMAIL'}' SIZE='32' $cakeydisabled /></td></tr>
2416 <tr><td>&nbsp;</td>
2417 <td class='base'>$Lang::tr{'users department'}:&nbsp;<img src='/blob.gif' /></td>
2418 <td class='base' nowrap='nowrap'><input type='text' name='CERT_OU' value='$cgiparams{'CERT_OU'}' SIZE='32' $cakeydisabled /></td></tr>
2419 <tr><td>&nbsp;</td>
2420 <td class='base'>$Lang::tr{'organization name'}:&nbsp;<img src='/blob.gif' /></td>
2421 <td class='base' nowrap='nowrap'><input type='text' name='CERT_ORGANIZATION' value='$cgiparams{'CERT_ORGANIZATION'}' SIZE='32' $cakeydisabled /></td></tr>
2422 <tr><td>&nbsp;</td>
2423 <td class='base'>$Lang::tr{'city'}:&nbsp;<img src='/blob.gif'></td>
2424 <td class='base' nowrap='nowrap'><input type='text' name='CERT_CITY' value='$cgiparams{'CERT_CITY'}' SIZE='32' $cakeydisabled /></td></tr>
2425 <tr><td>&nbsp;</td>
2426 <td class='base'>$Lang::tr{'state or province'}:&nbsp;<img src='/blob.gif' /></td>
2427 <td class='base' nowrap='nowrap'><input type='text' name='CERT_STATE' value='$cgiparams{'CERT_STATE'}' SIZE='32' $cakeydisabled /></td></tr>
2428 <tr><td>&nbsp;</td>
2429 <td class='base'>$Lang::tr{'country'}:</td>
2430 <td class='base'><select name='CERT_COUNTRY' $cakeydisabled>
2431 END
2432
2433 ;
2434 foreach my $country (sort keys %{Countries::countries}) {
2435 print "<option value='$Countries::countries{$country}'";
2436 if ( $Countries::countries{$country} eq $cgiparams{'CERT_COUNTRY'} ) {
2437 print " selected='selected'";
2438 }
2439 print ">$country</option>";
2440 }
2441 print <<END
2442 </select></td></tr>
2443 <tr><td>&nbsp;</td>
2444 <td class='base'>$Lang::tr{'pkcs12 file password'}:</td>
2445 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS1' value='$cgiparams{'CERT_PASS1'}' size='32' $cakeydisabled /></td></tr>
2446 <tr><td>&nbsp;</td><td class='base'>$Lang::tr{'pkcs12 file password'}:<BR>($Lang::tr{'confirmation'})</td>
2447 <td class='base' nowrap='nowrap'><input type='password' name='CERT_PASS2' value='$cgiparams{'CERT_PASS2'}' size='32' $cakeydisabled /></td></tr>
2448 </table>
2449 END
2450 ;
2451 &Header::closebox();
2452 }
2453
2454 print "<div align='center'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
2455 if ($cgiparams{'KEY'}) {
2456 # print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced'}' />";
2457 }
2458 print "<input type='submit' name='ACTION' value='$Lang::tr{'cancel'}' /></div></form>";
2459 &Header::closebigbox();
2460 &Header::closepage();
2461 exit (0);
2462 }
2463 VPNCONF_END:
2464 }
2465
2466 # SETTINGS_ERROR:
2467 ###
2468 ### Default status page
2469 ###
2470 %cgiparams = ();
2471 %cahash = ();
2472 %confighash = ();
2473 &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
2474 &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
2475 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
2476
2477 my @status = `/bin/cat /var/ipfire/ovpn/server.log`;
2478
2479 if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
2480 if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
2481 my $ipaddr = <IPADDR>;
2482 close IPADDR;
2483 chomp ($ipaddr);
2484 $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0];
2485 if ($cgiparams{'VPN_IP'} eq '') {
2486 $cgiparams{'VPN_IP'} = $ipaddr;
2487 }
2488 }
2489 }
2490
2491 #default setzen
2492 if ($cgiparams{'DCIPHER'} eq '') {
2493 $cgiparams{'DCIPHER'} = 'BF-CBC';
2494 }
2495 # if ($cgiparams{'DCOMPLZO'} eq '') {
2496 # $cgiparams{'DCOMPLZO'} = 'on';
2497 # }
2498 if ($cgiparams{'DDEST_PORT'} eq '') {
2499 $cgiparams{'DDEST_PORT'} = '1194';
2500 }
2501 if ($cgiparams{'DMTU'} eq '') {
2502 $cgiparams{'DMTU'} = '1400';
2503 }
2504 if ($cgiparams{'DOVPN_SUBNET'} eq '') {
2505 $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
2506 }
2507
2508 $checked{'ENABLED'}{'off'} = '';
2509 $checked{'ENABLED'}{'on'} = '';
2510 $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
2511 $checked{'ENABLED_BLUE'}{'off'} = '';
2512 $checked{'ENABLED_BLUE'}{'on'} = '';
2513 $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED';
2514 $checked{'ENABLED_ORANGE'}{'off'} = '';
2515 $checked{'ENABLED_ORANGE'}{'on'} = '';
2516 $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
2517
2518
2519 #new settings
2520 $selected{'DDEVICE'}{'tun'} = '';
2521 $selected{'DDEVICE'}{'tap'} = '';
2522 $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED';
2523
2524 $selected{'DPROTOCOL'}{'udp'} = '';
2525 $selected{'DPROTOCOL'}{'tcp'} = '';
2526 $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
2527
2528 $selected{'DCIPHER'}{'DES-CBC'} = '';
2529 $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
2530 $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
2531 $selected{'DCIPHER'}{'DESX-CBC'} = '';
2532 $selected{'DCIPHER'}{'RC2-CBC'} = '';
2533 $selected{'DCIPHER'}{'RC2-40-CBC'} = '';
2534 $selected{'DCIPHER'}{'RC2-64-CBC'} = '';
2535 $selected{'DCIPHER'}{'BF-CBC'} = '';
2536 $selected{'DCIPHER'}{'CAST5-CBC'} = '';
2537 $selected{'DCIPHER'}{'AES-128-CBC'} = '';
2538 $selected{'DCIPHER'}{'AES-192-CBC'} = '';
2539 $selected{'DCIPHER'}{'AES-256-CBC'} = '';
2540 $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
2541 $checked{'DCOMPLZO'}{'off'} = '';
2542 $checked{'DCOMPLZO'}{'on'} = '';
2543 $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
2544
2545 #new settings
2546 &Header::showhttpheaders();
2547 &Header::openpage($Lang::tr{'status ovpn'}, 1, '');
2548 &Header::openbigbox('100%', 'LEFT', '', $errormessage);
2549
2550 if ($errormessage) {
2551 &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
2552 print "<class name='base'>$errormessage\n";
2553 print "&nbsp;</class>\n";
2554 &Header::closebox();
2555 }
2556
2557 my $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'stopped'}</font></b></td></tr></table>";
2558 my $srunning = "no";
2559 my $activeonrun = "";
2560 if ( -e "/var/run/openvpn.pid"){
2561 $sactive = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='50%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'running'}</font></b></td></tr></table>";
2562 $srunning ="yes";
2563 $activeonrun = "";
2564 } else {
2565 $activeonrun = "disabled='disabled'";
2566 }
2567 &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'});
2568 print "<div align='center'><strong>ZERINA-0.9.4i</strong></div>";
2569 print <<END
2570 <table width='100%'>
2571 <form method='post'>
2572 <td width='25%'>&nbsp;</td>
2573 <td width='25%'>&nbsp;</td>
2574 <td width='25%'>&nbsp;</td></tr>
2575 <tr><td class='boldbase'>$Lang::tr{'ovpn server status'}</td>
2576 <td align='left'>$sactive</td>
2577 <tr><td class='boldbase'>$Lang::tr{'ovpn on red'}</td>
2578 <td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
2579 END
2580 ;
2581 if (&haveBlueNet()) {
2582 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on blue'}</td>";
2583 print "<td><input type='checkbox' name='ENABLED_BLUE' $checked{'ENABLED_BLUE'}{'on'} /></td>";
2584 }
2585 if (&haveOrangeNet()) {
2586 print "<tr><td class='boldbase'>$Lang::tr{'ovpn on orange'}</td>";
2587 print "<td><input type='checkbox' name='ENABLED_ORANGE' $checked{'ENABLED_ORANGE'}{'on'} /></td>";
2588 }
2589 print <<END
2590 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'local vpn hostname/ip'}:</td>
2591 <td><input type='text' name='VPN_IP' value='$cgiparams{'VPN_IP'}' size='30' /></td>
2592 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn subnet'}</td>
2593 <td><input type='TEXT' name='DOVPN_SUBNET' value='$cgiparams{'DOVPN_SUBNET'}' size='30' /></td></tr>
2594 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn device'}</td>
2595 <td><select name='DDEVICE' ><option value='tun' $selected{'DDEVICE'}{'tun'}>TUN</option>
2596 <option value='tap' $selected{'DDEVICE'}{'tap'}>TAP</option></select></td>
2597 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'protocol'}</td>
2598 <td><select name='DPROTOCOL'><option value='udp' $selected{'DPROTOCOL'}{'udp'}>UDP</option>
2599 <option value='tcp' $selected{'DPROTOCOL'}{'tcp'}>TCP</option></select></td>
2600 <td class='boldbase'>$Lang::tr{'destination port'}:</td>
2601 <td><input type='TEXT' name='DDEST_PORT' value='$cgiparams{'DDEST_PORT'}' size='5' /></td></tr>
2602 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'MTU'}&nbsp;</td>
2603 <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}'size='5' /></TD>
2604 <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'comp-lzo'}</td>
2605 <td><input type='checkbox' name='DCOMPLZO' $checked{'DCOMPLZO'}{'on'} /></td>
2606 <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
2607 <td><select name='DCIPHER'><option value='DES-CBC' $selected{'DCIPHER'}{'DES-CBC'}>DES-CBC</option>
2608 <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC</option>
2609 <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC</option>
2610 <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC</option>
2611 <option value='RC2-CBC' $selected{'DCIPHER'}{'RC2-CBC'}>RC2-CBC</option>
2612 <option value='RC2-40-CBC' $selected{'DCIPHER'}{'RC2-40-CBC'}>RC2-40-CBC</option>
2613 <option value='RC2-64-CBC' $selected{'DCIPHER'}{'RC2-64-CBC'}>RC2-64-CBC</option>
2614 <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC</option>
2615 <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC</option>
2616 <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-128-CBC</option>
2617 <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-192-CBC</option>
2618 <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-256-CBC</option></select></td>
2619 END
2620 ;
2621
2622 if ( $srunning eq "yes" ) {
2623 print "<tr><td align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' /></td>";
2624 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' disabled='disabled'/></td>";
2625 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td>";
2626 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'restart ovpn server'}' /></td></tr>";
2627 } else{
2628 print "<tr><td align='left'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>";
2629 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' /></td>";
2630 if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
2631 -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
2632 -e "${General::swroot}/ovpn/certs/servercert.pem" &&
2633 -e "${General::swroot}/ovpn/certs/serverkey.pem") &&
2634 (( $cgiparams{'ENABLED'} eq 'on') ||
2635 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
2636 ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){
2637 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' /></td>";
2638 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'restart ovpn server'}' /></td></tr>";
2639 } else {
2640 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'start ovpn server'}' disabled='disabled' /></td>";
2641 print "<td><input type='submit' name='ACTION' value='$Lang::tr{'restart ovpn server'}' disabled='disabled' /></td></tr>";
2642 }
2643 }
2644 print "</form></table>";
2645 &Header::closebox();
2646 &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:");
2647 print <<EOF#'
2648 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
2649 <tr>
2650 <td width='25%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
2651 <td width='65%' class='boldbase' align='center'><b>$Lang::tr{'subject'}</b></td>
2652 <td width='10%' class='boldbase' colspan='3' align='center'><b>$Lang::tr{'action'}</b></td>
2653 </tr>
2654 EOF
2655 ;
2656 if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
2657 my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
2658 $casubject =~ /Subject: (.*)[\n]/;
2659 $casubject = $1;
2660 $casubject =~ s+/Email+, E+;
2661 $casubject =~ s/ ST=/ S=/;
2662
2663 print <<END
2664 <tr bgcolor='${Header::table2colour}'>
2665 <td class='base'>$Lang::tr{'root certificate'}</td>
2666 <td class='base'>$casubject</td>
2667 <form method='post' name='frmrootcrta'><td width='3%' align='center'>
2668 <input type='hidden' name='ACTION' value='$Lang::tr{'show root certificate'}' />
2669 <input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show root certificate'}' title='$Lang::tr{'show root certificate'}' width='20' height='20' border='0' />
2670 </td></form>
2671 <form method='post' name='frmrootcrtb'><td width='3%' align='center'>
2672 <input type='image' name='$Lang::tr{'download root certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download root certificate'}' title='$Lang::tr{'download root certificate'}' border='0' />
2673 <input type='hidden' name='ACTION' value='$Lang::tr{'download root certificate'}' />
2674 </td></form>
2675 <td width='4%'>&nbsp;</td></tr>
2676 END
2677 ;
2678 } else {
2679 # display rootcert generation buttons
2680 print <<END
2681 <tr bgcolor='${Header::table2colour}'>
2682 <td class='base'>$Lang::tr{'root certificate'}:</td>
2683 <td class='base'>$Lang::tr{'not present'}</td>
2684 <td colspan='3'>&nbsp;</td></tr>
2685 END
2686 ;
2687 }
2688
2689 if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
2690 my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
2691 $hostsubject =~ /Subject: (.*)[\n]/;
2692 $hostsubject = $1;
2693 $hostsubject =~ s+/Email+, E+;
2694 $hostsubject =~ s/ ST=/ S=/;
2695
2696 print <<END
2697 <tr bgcolor='${Header::table1colour}'>
2698 <td class='base'>$Lang::tr{'host certificate'}</td>
2699 <td class='base'>$hostsubject</td>
2700 <form method='post' name='frmhostcrta'><td width='3%' align='center'>
2701 <input type='hidden' name='ACTION' value='$Lang::tr{'show host certificate'}' />
2702 <input type='image' name='$Lang::tr{'show host certificate'}' src='/images/info.gif' alt='$Lang::tr{'show host certificate'}' title='$Lang::tr{'show host certificate'}' width='20' height='20' border='0' />
2703 </td></form>
2704 <form method='post' name='frmhostcrtb'><td width='3%' align='center'>
2705 <input type='image' name='$Lang::tr{'download host certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download host certificate'}' title='$Lang::tr{'download host certificate'}' border='0' />
2706 <input type='hidden' name='ACTION' value='$Lang::tr{'download host certificate'}' />
2707 </td></form>
2708 <td width='4%'>&nbsp;</td></tr>
2709 END
2710 ;
2711 } else {
2712 # Nothing
2713 print <<END
2714 <tr bgcolor='${Header::table1colour}'>
2715 <td width='25%' class='base'>$Lang::tr{'host certificate'}:</td>
2716 <td class='base'>$Lang::tr{'not present'}</td>
2717 </td><td colspan='3'>&nbsp;</td></tr>
2718 END
2719 ;
2720 }
2721
2722 if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
2723 print "<tr><td colspan='5' align='center'><form method='post'>";
2724 print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
2725 print "</form></td></tr>\n";
2726 }
2727
2728 if (keys %cahash > 0) {
2729 foreach my $key (keys %cahash) {
2730 if (($key + 1) % 2) {
2731 print "<tr bgcolor='${Header::table1colour}'>\n";
2732 } else {
2733 print "<tr bgcolor='${Header::table2colour}'>\n";
2734 }
2735 print "<td class='base'>$cahash{$key}[0]</td>\n";
2736 print "<td class='base'>$cahash{$key}[1]</td>\n";
2737 print <<END
2738 <form method='post' name='cafrm${key}a'><td align='center'>
2739 <input type='image' name='$Lang::tr{'show ca certificate'}' src='/images/info.gif' alt='$Lang::tr{'show ca certificate'}' title='$Lang::tr{'show ca certificate'}' border='0' />
2740 <input type='hidden' name='ACTION' value='$Lang::tr{'show ca certificate'}' />
2741 <input type='hidden' name='KEY' value='$key' />
2742 </td></form>
2743 <form method='post' name='cafrm${key}b'><td align='center'>
2744 <input type='image' name='$Lang::tr{'download ca certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download ca certificate'}' title='$Lang::tr{'download ca certificate'}' border='0' />
2745 <input type='hidden' name='ACTION' value='$Lang::tr{'download ca certificate'}' />
2746 <input type='hidden' name='KEY' value='$key' />
2747 </td></form>
2748 <form method='post' name='cafrm${key}c'><td align='center'>
2749 <input type='hidden' name='ACTION' value='$Lang::tr{'remove ca certificate'}' />
2750 <input type='image' name='$Lang::tr{'remove ca certificate'}' src='/images/delete.gif' alt='$Lang::tr{'remove ca certificate'}' title='$Lang::tr{'remove ca certificate'}' width='20' height='20' border='0' />
2751 <input type='hidden' name='KEY' value='$key' />
2752 </td></form></tr>
2753 END
2754 ;
2755 }
2756 }
2757
2758 print "</table>";
2759
2760 # If the file contains entries, print Key to action icons
2761 if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {
2762 print <<END
2763 <table>
2764 <tr>
2765 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
2766 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
2767 <td class='base'>$Lang::tr{'show certificate'}</td>
2768 <td>&nbsp; &nbsp; <img src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' /></td>
2769 <td class='base'>$Lang::tr{'download certificate'}</td>
2770 </tr>
2771 </table>
2772 END
2773 ;
2774 }
2775 print <<END
2776 <form method='post' enctype='multipart/form-data'>
2777 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
2778 <tr><td class='base' nowrap='nowrap'>$Lang::tr{'ca name'}:</td>
2779 <td nowrap='nowrap'><input type='text' name='CA_NAME' value='$cgiparams{'CA_NAME'}' size='15' />
2780 <td nowrap='nowrap'><input type='file' name='FH' size='30' /></td>
2781 <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'upload ca certificate'}' /></td>
2782 <td nowrap='nowrap'><input type='submit' name='ACTION' value='$Lang::tr{'show crl'}' /></td>
2783 </tr></table></form>
2784 END
2785 ;
2786
2787 &Header::closebox();
2788 if ( $srunning eq "yes" ) {
2789 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' disabled='disabled' /></div></form>\n";
2790 }else{
2791 print "<div align='center'><form method='post'><input type='submit' name='ACTION' value='$Lang::tr{'reset'}' /></div></form>\n";
2792 }
2793 if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
2794 &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' });
2795 print <<END
2796 <table width='100%' border='0' cellspacing='1' cellpadding='0'>
2797 <tr>
2798 <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'name'}</b></td>
2799 <td width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></td>
2800 <td width='18%' class='boldbase' align='center'><b>$Lang::tr{'common name'}</b></td>
2801 <td width='17%' class='boldbase' align='center'><b>$Lang::tr{'valid till'}</b></td>
2802 <td width='25%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b><br /><img src='/images/null.gif' width='125' height='1' border='0' alt='L2089' /></td>
2803 <td width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></td>
2804 <td width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></td>
2805 </tr>
2806 END
2807 ;
2808 my $id = 0;
2809 my $gif;
2810 foreach my $key (keys %confighash) {
2811 if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
2812
2813 if ($id % 2) {
2814 print "<tr bgcolor='${Header::table1colour}'>\n";
2815 } else {
2816 print "<tr bgcolor='${Header::table2colour}'>\n";
2817 }
2818 print "<td align='center' nowrap='nowrap'>$confighash{$key}[1]</td>";
2819 print "<td align='center' nowrap='nowrap'>" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")</td>";
2820 if ($confighash{$key}[4] eq 'cert') {
2821 print "<td align='left' nowrap='nowrap'>$confighash{$key}[2]</td>";
2822 } else {
2823 print "<td align='left'>&nbsp;</td>";
2824 }
2825 my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
2826 $cavalid =~ /Not After : (.*)[\n]/;
2827 $cavalid = $1;
2828 print "<td align='center'>$cavalid</td>";
2829 print "<td align='center'>$confighash{$key}[25]</td>";
2830 my $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourred}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
2831 if ($confighash{$key}[0] eq 'off') {
2832 $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourblue}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsclosed'}</font></b></td></tr></table>";
2833 } else {
2834 my $cn;
2835 my @match = ();
2836 foreach my $line (@status) {
2837 chomp($line);
2838 if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
2839 @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
2840 if ($match[1] ne "Common Name") {
2841 $cn = $match[1];
2842 }
2843 $cn =~ s/[_]/ /g;
2844 if ($cn eq "$confighash{$key}[2]") {
2845 $active = "<table cellpadding='2' cellspacing='0' bgcolor='${Header::colourgreen}' width='100%'><tr><td align='center'><b><font color='#FFFFFF'>$Lang::tr{'capsopen'}</font></b></td></tr></table>";
2846 }
2847 }
2848 }
2849 }
2850 my $disable_clientdl = "disabled='disabled'";
2851 if (( $cgiparams{'ENABLED'} eq 'on') ||
2852 ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
2853 ( $cgiparams{'ENABLED_ORANGE'} eq 'on')){
2854 $disable_clientdl = "";
2855 }
2856 print <<END
2857 <td align='center'>$active</td>
2858
2859 <form method='post' name='frm${key}a'><td align='center'>
2860 <input type='image' name='$Lang::tr{'dl client arch'}' $disable_clientdl src='/images/openvpn.png' alt='$Lang::tr{'dl client arch'}' title='$Lang::tr{'dl client arch'}' border='0' />
2861 <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' $disable_clientdl />
2862 <input type='hidden' name='KEY' value='$key' $disable_clientdl />
2863 </td></form>
2864 END
2865 ;
2866 if ($confighash{$key}[4] eq 'cert') {
2867 print <<END
2868 <form method='post' name='frm${key}b'><td align='center'>
2869 <input type='image' name='$Lang::tr{'show certificate'}' src='/images/info.gif' alt='$Lang::tr{'show certificate'}' title='$Lang::tr{'show certificate'}' border='0' />
2870 <input type='hidden' name='ACTION' value='$Lang::tr{'show certificate'}' />
2871 <input type='hidden' name='KEY' value='$key' />
2872 </td></form>
2873 END
2874 ; } else {
2875 print "<td>&nbsp;</td>";
2876 }
2877 if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
2878 print <<END
2879 <form method='post' name='frm${key}c'><td align='center'>
2880 <input type='image' name='$Lang::tr{'download pkcs12 file'}' src='/images/floppy.gif' alt='$Lang::tr{'download pkcs12 file'}' title='$Lang::tr{'download pkcs12 file'}' border='0' />
2881 <input type='hidden' name='ACTION' value='$Lang::tr{'download pkcs12 file'}' />
2882 <input type='hidden' name='KEY' value='$key' />
2883 </td></form>
2884 END
2885 ; } elsif ($confighash{$key}[4] eq 'cert') {
2886 print <<END
2887 <form method='post' name='frm${key}c'><td align='center'>
2888 <input type='image' name='$Lang::tr{'download certificate'}' src='/images/floppy.gif' alt='$Lang::tr{'download certificate'}' title='$Lang::tr{'download certificate'}' border='0' />
2889 <input type='hidden' name='ACTION' value='$Lang::tr{'download certificate'}' />
2890 <input type='hidden' name='KEY' value='$key' />
2891 </td></form>
2892 END
2893 ; } else {
2894 print "<td>&nbsp;</td>";
2895 }
2896 print <<END
2897 <form method='post' name='frm${key}d'><td align='center'>
2898 <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$Lang::tr{'toggle enable disable'}' title='$Lang::tr{'toggle enable disable'}' border='0' />
2899 <input type='hidden' name='ACTION' value='$Lang::tr{'toggle enable disable'}' />
2900 <input type='hidden' name='KEY' value='$key' />
2901 </td></form>
2902
2903 <form method='post' name='frm${key}e'><td align='center'>
2904 <input type='hidden' name='ACTION' value='$Lang::tr{'edit'}' />
2905 <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' width='20' height='20' border='0'/>
2906 <input type='hidden' name='KEY' value='$key' />
2907 </td></form>
2908 <form method='post' name='frm${key}f'><td align='center'>
2909 <input type='hidden' name='ACTION' value='$Lang::tr{'remove'}' />
2910 <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' alt='$Lang::tr{'remove'}' title='$Lang::tr{'remove'}' width='20' height='20' border='0' />
2911 <input type='hidden' name='KEY' value='$key' />
2912 </td></form>
2913 </tr>
2914 END
2915 ;
2916 $id++;
2917 }
2918 ;
2919
2920 # If the config file contains entries, print Key to action icons
2921 if ( $id ) {
2922 print <<END
2923 <table>
2924 <tr>
2925 <td class='boldbase'>&nbsp; <b>$Lang::tr{'legend'}:</b></td>
2926 <td>&nbsp; <img src='/images/on.gif' alt='$Lang::tr{'click to disable'}' /></td>
2927 <td class='base'>$Lang::tr{'click to disable'}</td>
2928 <td>&nbsp; &nbsp; <img src='/images/info.gif' alt='$Lang::tr{'show certificate'}' /></td>
2929 <td class='base'>$Lang::tr{'show certificate'}</td>
2930 <td>&nbsp; &nbsp; <img src='/images/edit.gif' alt='$Lang::tr{'edit'}' /></td>
2931 <td class='base'>$Lang::tr{'edit'}</td>
2932 <td>&nbsp; &nbsp; <img src='/images/delete.gif' alt='$Lang::tr{'remove'}' /></td>
2933 <td class='base'>$Lang::tr{'remove'}</td>
2934 </tr>
2935 <tr>
2936 <td>&nbsp; </td>
2937 <td>&nbsp; <img src='/images/off.gif' alt='?OFF' /></td>
2938 <td class='base'>$Lang::tr{'click to enable'}</td>
2939 <td>&nbsp; &nbsp; <img src='/images/floppy.gif' alt='?FLOPPY' /></td>
2940 <td class='base'>$Lang::tr{'download certificate'}</td>
2941 <td>&nbsp; &nbsp; <img src='/images/openvpn.png' alt='?RELOAD'/></td>
2942 <td class='base'>$Lang::tr{'dl client arch'}</td>
2943 </tr>
2944 </table>
2945 END
2946 ;
2947 }
2948
2949 print <<END
2950 <table width='100%'>
2951 <form method='post'>
2952 <tr><td width='50%' ><input type='submit' name='ACTION' value='$Lang::tr{'add'}' /></td>
2953 <td width='50%' ><input type='submit' name='ACTION' value='$Lang::tr{'ovpn con stat'}' $activeonrun /></td></tr>
2954 </form>
2955 </table>
2956 END
2957 ;
2958 &Header::closebox();
2959 }
2960 print "$Lang::tr{'this feature has been sponsored by'} : ";
2961 print "<a href='http://www.stareventsgroup.com/' target='_blank'>Star Events Group Ltd</a>.\n";
2962 print "<a href='http://www.ibdozing.com/' target='_blank'>IBDOZING</a>.\n";
2963 print "<a href='http://www.xencon.net/' target='_blank'>Xen by x|encon</a>.\n";
2964 print "<a href='http://www.savatec.de/' target='_blank'>SAVATEC e.K.</a>.\n";
2965 &Header::closepage();
Peter's tree of IPFire 2.x