X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=7727333b90c338308ae5be0786af7a88b3c99b94;hp=a051b5d83249cfed71e3c32fa08ec05722d284f8;hb=1450cfebdee10c0ff79335a4d06e42e378338c9b;hpb=a50dadc229a4ad34be60e9fa24cf20c33e9d96c2 diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index a051b5d832..7727333b90 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -172,105 +172,6 @@ sub deletebackupcert unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); } } -sub checkportfw { - my $DPORT = shift; - my $DPROT = shift; - my %natconfig =(); - my $confignat = "${General::swroot}/firewall/config"; - $DPROT= uc ($DPROT); - &General::readhasharray($confignat, \%natconfig); - foreach my $key (sort keys %natconfig){ - my @portarray = split (/\|/,$natconfig{$key}[30]); - foreach my $value (@portarray){ - if ($value =~ /:/i){ - my ($a,$b) = split (":",$value); - if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){ - $errormessage= "$Lang::tr{'source port in use'} $DPORT"; - } - }else{ - if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){ - $errormessage= "$Lang::tr{'source port in use'} $DPORT"; - } - } - } - } - return; -} - -sub checkportoverlap -{ - my $portrange1 = $_[0]; # New port range - my $portrange2 = $_[1]; # existing port range - my @tempr1 = split(/\:/,$portrange1); - my @tempr2 = split(/\:/,$portrange2); - - unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} - unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} - - unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} - unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} - - return 1; # Everything checks out! -} - -# Darren Critchley - we want to make sure that a port entry is not within an already existing range -sub checkportinc -{ - my $port1 = $_[0]; # Port - my $portrange2 = $_[1]; # Port range - my @tempr1 = split(/\:/,$portrange2); - - if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { - return 1; - } else { - return 0; - } -} - -# Darren Critchley - certain ports are reserved for IPFire -# TCP 67,68,81,222,444 -# UDP 67,68 -# Params passed in -> port, rangeyn, protocol -sub disallowreserved -{ - # port 67 and 68 same for tcp and udp, don't bother putting in an array - my $msg = ""; - my @tcp_reserved = (81,222,444); - my $prt = $_[0]; # the port or range - my $ryn = $_[1]; # tells us whether or not it is a port range - my $prot = $_[2]; # protocol - my $srcdst = $_[3]; # source or destination - if ($ryn) { # disect port range - if ($srcdst eq "src") { - $msg = "$Lang::tr{'rsvd src port overlap'}"; - } else { - $msg = "$Lang::tr{'rsvd dst port overlap'}"; - } - my @tmprng = split(/\:/,$prt); - unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } - unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } - } - } - } else { - if ($srcdst eq "src") { - $msg = "$Lang::tr{'reserved src port'}"; - } else { - $msg = "$Lang::tr{'reserved dst port'}"; - } - if ($prt == 67) { $errormessage="$msg 67"; return; } - if ($prt == 68) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - if ($prange == $prt) { $errormessage="$msg $prange"; return; } - } - } - } - return; -} - sub writeserverconf { my %sovpnsettings = (); @@ -369,7 +270,7 @@ sub writeserverconf { print CONF "auth $sovpnsettings{'DAUTH'}\n"; } if ($sovpnsettings{'TLSAUTH'} eq 'on') { - print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n"; + print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n"; } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; @@ -567,7 +468,7 @@ sub getccdadresses my @iprange=(); my %ccdhash=(); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); - $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2); for (my $i=1;$i<=$count;$i++) { my $tmpip=$iprange[$i-1]; my $stepper=$i*4; @@ -810,13 +711,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } - # Create ta.key for tls-auth if not presant - if ($cgiparams{'TLSAUTH'} eq 'on') { - if ( ! -e "${General::swroot}/ovpn/ca/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key") - } - } - if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { @@ -915,6 +809,16 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; goto ADV_ERROR; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + goto ADV_ERROR; + } + } + } &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok @@ -1004,7 +908,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; - print SERVERCONF "comp-lzo\r\n"; + print SERVERCONF "comp-lzo\n"; } print SERVERCONF "# Debug Level\n"; print SERVERCONF "verb 3\n"; @@ -1099,7 +1003,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; - print CLIENTCONF "comp-lzo\r\n"; + print CLIENTCONF "comp-lzo\n"; } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; @@ -1119,7 +1023,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General ### Save main settings ### - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too, @@ -1130,13 +1033,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } } - if ($errormessage) { goto SETTINGS_ERROR; } - if ($cgiparams{'ENABLED'} eq 'on'){ - &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); - } - if ($errormessage) { goto SETTINGS_ERROR; } - if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { $errormessage = $Lang::tr{'ovpn subnet is invalid'}; goto SETTINGS_ERROR; @@ -1306,8 +1203,7 @@ END unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); @@ -1621,6 +1517,18 @@ END print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`; exit(0); } + +### +### Download tls-auth key +### +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) { + if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { + print "Content-Type: application/octet-stream\r\n"; + print "Content-Disposition: filename=ta.key\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + exit(0); + } + ### ### Form for generating a root certificate ### @@ -1848,7 +1756,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", @@ -1879,7 +1787,7 @@ END goto ROOTCERT_ERROR; } } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", @@ -1931,8 +1839,7 @@ END # &cleanssldatabase(); } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -1944,7 +1851,14 @@ END goto ROOTCERT_ERROR; # } else { # &cleanssldatabase(); - } + } + # Create ta.key for tls-auth + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + &cleanssldatabase(); + goto ROOTCERT_ERROR; + } goto ROOTCERT_SUCCESS; } ROOTCERT_ERROR: @@ -2187,7 +2101,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ } if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; - print CLIENTCONF "comp-lzo\r\n"; + print CLIENTCONF "comp-lzo\n"; } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; @@ -2286,8 +2200,8 @@ else print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; } if ($vpnsettings{'TLSAUTH'} eq 'on') { - print CLIENTCONF "tls-auth ta.key 1\r\n"; - $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can't add file ta.key\n"; + print CLIENTCONF "tls-auth ta.key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n"; } if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; @@ -2453,6 +2367,28 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { exit(0); } +### +### Display tls-auth key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-auth key'}) { + + if (! -e "${General::swroot}/ovpn/certs/ta.key") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:"); + my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + $output = &Header::cleanhtml($output,"y"); + print "
$output\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### @@ -2511,20 +2447,8 @@ ADV_ERROR: if ($cgiparams{'DAUTH'} eq '') { $cgiparams{'DAUTH'} = 'SHA1'; } - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; - } - if ($cgiparams{'ENGINES'} eq '') { - $cgiparams{'ENGINES'} = 'disabled'; - } - if ($cgiparams{'TLSAUTH'} eq '') { - $cgiparams{'TLSAUTH'} = 'off'; - } - if ($cgiparams{'DAUTH'} eq '') { - $cgiparams{'DAUTH'} = 'SHA1'; - } if ($cgiparams{'TLSAUTH'} eq '') { - $cgiparams{'TLSAUTH'} = 'off'; + $cgiparams{'TLSAUTH'} = 'off'; } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; @@ -2698,7 +2622,7 @@ print <
$Lang::tr{'ccd subnet'}: | |||
$ccdconf[0] | $ccdconf[1] | $ccdhosts/".(&ccdmaxclients($ccdconf[1])+1)." | ";
print < | - | + END ; } @@ -3092,7 +3016,7 @@ if ( -s "${General::swroot}/ovpn/settings") {$Lang::tr{'net to net vpn'} (Upload Client Package) |
Import Connection Name | |||
Default : Client Packagename | |||
$Lang::tr{'openvpn default'}: Client Packagename | |||
$Lang::tr{'this field may be blank'} | $Lang::tr{'valid till'} (days): | -- | |
+ | $Lang::tr{'valid till'} (days): | ++ | |
$Lang::tr{'pkcs12 file password'}: | |||
$Lang::tr{'pkcs12 file password'}: ($Lang::tr{'confirmation'}) |
+ |||
$Lang::tr{'pkcs12 file password'}: ($Lang::tr{'confirmation'}) |
|||
$Lang::tr{'this field may be blank'} |
$Lang::tr{'upload ca certificate'} | +|||
$Lang::tr{'ca name'}: | @@ -5462,7 +5483,7 @@ END | ||
$Lang::tr{'ovpn dh parameters'}: | +$Lang::tr{'ovpn dh parameters'} | ||
- |