-
-
-
-
@@ -1339,23 +1591,7 @@ ADV_ERROR:
-
-
-
-
-
+
@@ -1371,6 +1607,7 @@ END
;
&Header::closebox();
+# print "";
&Header::closebigbox();
&Header::closepage();
exit(0);
@@ -1419,6 +1656,7 @@ END
@match = split( /^Updated,(.+)/, $line);
$status = $match[1];
}
+#gian
if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
@match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
if ($match[1] ne "Common Name") {
@@ -1426,8 +1664,8 @@ END
$userlookup{$match[2]} = $uid;
$users[$uid]{'CommonName'} = $match[1];
$users[$uid]{'RealAddress'} = $match[2];
- $users[$uid]{'BytesReceived'} = &Ovpnfunc::sizeformat($match[3]);
- $users[$uid]{'BytesSent'} = &Ovpnfunc::sizeformat($match[4]);
+ $users[$uid]{'BytesReceived'} = &sizeformat($match[3]);
+ $users[$uid]{'BytesSent'} = &sizeformat($match[4]);
$users[$uid]{'Since'} = $match[5];
$users[$uid]{'Proto'} = $proto;
$uid++;
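Review bot: The rewritten lines `&sizeformat($match[3])` / `&sizeformat($match[4])` drop the `Ovpnfunc::` qualifier, so they now resolve to a `sizeformat` in this file's own package; that definition is not visible in this hunk, and because this branch only runs when the status file lists a connected client, a missing definition would surface as a runtime die on a live status page rather than at compile time — confirm it is defined here (the other new `+` lines in this diff call `&valid_dns_host`, `&newcleanssldatabase` and `&deletebackupcert` the same way, which suggests the helpers were moved into this file). As a style point, call it as `sizeformat($match[3])`: the `&` form bypasses prototypes and reads as legacy Perl. The enclosing `if` block starts and ends outside the hunk.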
@@ -1448,9 +1686,9 @@ END
if ($user2 >= 1){
for (my $idx = 1; $idx <= $user2; $idx++){
if ($idx % 2) {
- print "\n";
+ print "
\n";
} else {
- print "
\n";
+ print "
\n";
}
print "$users[$idx-1]{'CommonName'} | ";
print "$users[$idx-1]{'RealAddress'} | ";
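Review bot: The table rows opened by the rewritten `print "` lines are filled on the context lines directly below, `print "$users[$idx-1]{'CommonName'} | ";` and `print "$users[$idx-1]{'RealAddress'} | ";`, with no HTML escaping; the CommonName field is parsed from the daemon's status file and appears to be the connecting peer's certificate CN, which for connections created through the certificate-upload paths is whatever the uploaded certificate carries, so it should be passed through the `&Header::cleanhtml(...)` helper this file already uses for `REMARK` (or an equivalent entity escape) before being printed. The markup inside the changed `print "` strings seems to have been stripped from this rendering, so the row tag attributes themselves could not be reviewed. The enclosing `for` loop continues past the hunk.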
@@ -1485,11 +1723,42 @@ END
###
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) {
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+
if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
- print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
- print "Content-Type: application/octet-stream\r\n\r\n";
- print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
- exit (0);
+ print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n";
+ print "Content-Type: application/octet-stream\r\n\r\n";
+ print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+ exit (0);
+ }
+
+###
+### Enable/Disable connection
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
+
+ &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+
+ if ($confighash{$cgiparams{'KEY'}}) {
+ if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') {
+ $confighash{$cgiparams{'KEY'}}[0] = 'on';
+ &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ #&writeserverconf();
+# if ($vpnsettings{'ENABLED'} eq 'on' ||
+# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+# }
+ } else {
+ $confighash{$cgiparams{'KEY'}}[0] = 'off';
+# if ($vpnsettings{'ENABLED'} eq 'on' ||
+# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
+# }
+ &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ #&writeserverconf();
+ }
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
}
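Review bot: The new `toggle enable disable` branch flips `$confighash{$cgiparams{'KEY'}}[0]` and rewrites `ovpnconfig`, but every call that would apply the change to the running service — `#&writeserverconf();` and the `ipsecctrl` lines — is commented out, so after this request the stored flag and the daemon's state can disagree (a connection displayed as disabled may still be up, and vice versa); either reinstate the appropriate control call or make the handler say so, e.g. `# NOTE: only the stored flag changes here; the server config is not regenerated`. `%vpnsettings` is read at the top of the branch and then never used. In the download branch re-indented alongside, the certificate is still emitted via `` `/bin/cat ...` `` and the header is only `Content-Disposition: filename=`; reading the file with `open my $fh, '<', $path or ...` and sending `Content-Disposition: attachment; filename=...` would avoid the shell and force a download instead of inline rendering.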
###
@@ -1500,30 +1769,53 @@ END
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($confighash{$cgiparams{'KEY'}}) {
+# if ($vpnsettings{'ENABLED'} eq 'on' ||
+# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+# }
} else {
- $errormessage = $Lang::tr{'invalid key'};
+ $errormessage = $Lang::tr{'invalid key'};
}
###
-### Choose between adding a host-net or net-net connection
+### Remove connection
###
-} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
- &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
- &Header::showhttpheaders();
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
+ &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+ &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+
+ if ($confighash{$cgiparams{'KEY'}}) {
+# if ($vpnsettings{'ENABLED'} eq 'on' ||
+# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
+# }
+ unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+ unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+ delete $confighash{$cgiparams{'KEY'}};
+ &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ #&writeserverconf();
+ } else {
+ $errormessage = $Lang::tr{'invalid key'};
+ }
+#test33
+
+###
+### Choose between adding a host-net or net-net connection
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') {
+ &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+ &Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
&Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'});
print <$Lang::tr{'connection type'}:
- ";
- }
- &Header::closebigbox();
- &Header::closepage();
- exit(0);
-
-###
-### Approve Zerina n2n
-###
-} elsif (($cgiparams{'ACTION'} eq 'Approved') && ($cgiparams{'TYPE'} eq 'zerinan2n')){
- &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient);
-###
-### Discard Zerina n2n
-###
-} elsif (($cgiparams{'ACTION'} eq 'Discard') && ($cgiparams{'TYPE'} eq 'zerinan2n')){
- &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
- &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
-
- if ($confighash{$cgiparams{'KEY'}}) {
- &Ovpnfunc::removenet2netconf();
- delete $confighash{$cgiparams{'KEY'}};
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- } else {
- $errormessage = $Lang::tr{'invalid key'};
- }
###
### Adding a new connection
###
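Review bot: The new `remove` branch unlinks `<NAME>cert.pem` and `<NAME>.p12` and drops the config entry, but it never revokes the certificate with the CA (`openssl ca -revoke` plus a regenerated CRL); certificates signed elsewhere in this file carry `-days 999999`, so a client that kept its copy of the `.p12` continues to present a certificate the CA still considers valid, and whether the server enforces a CRL at all is not visible here — confirm. The two `unlink` results are unchecked, so a failed delete leaves a stale key bundle on disk while the config entry disappears; `unlink($path) or $errormessage = "$path: $!";` would surface that. The `ipsecctrl` and `writeserverconf` calls remain commented out as in the toggle branch, so the running instance is not torn down here either.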
@@ -1763,498 +1835,431 @@ END
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) {
- if (! $confighash{$cgiparams{'KEY'}}[0]) {
- $errormessage = $Lang::tr{'invalid key'};
- goto VPNCONF_END;
- }
- $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
- $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
- $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
- $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
- $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
- $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
- $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
- $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
- $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
- $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
- $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[12];
- $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[13];#new fields
- $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[14];
- $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[15];
- $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[16];
- $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[17];
- $cgiparams{'N2NVPN_IP'} = $confighash{$cgiparams{'KEY'}}[18];#new fields
- $cgiparams{'ZERINA_CLIENT'} = $confighash{$cgiparams{'KEY'}}[19];#new fields
- $cgiparams{'CIPHER'} = $confighash{$cgiparams{'KEY'}}[20];#new fields
- if ($cgiparams{'ZERINA_CLIENT'} eq ''){
- $cgiparams{'ZERINA_CLIENT'} = 'no';
- }
- } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {#ab hiere error uebernehmen
- $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
- # n2n error
- if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
- $errormessage = $Lang::tr{'connection type is invalid'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
- $errormessage = $Lang::tr{'name must only contain characters'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault|server)$/) {
- $errormessage = $Lang::tr{'name is invalid'};
- goto VPNCONF_ERROR;
- }
- if (length($cgiparams{'NAME'}) >60) {
- $errormessage = $Lang::tr{'name too long'};
- goto VPNCONF_ERROR;
- }
- if (! $cgiparams{'KEY'}) {# Check if there is no other entry with this name
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
- $errormessage = $Lang::tr{'a connection with this name already exists'};
- goto VPNCONF_ERROR;
- }
- }
- }
- if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
- $errormessage = $Lang::tr{'invalid input for remote host/ip'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'REMOTE'}) {
- if (! &General::validip($cgiparams{'REMOTE'})) {
- if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
- $errormessage = $Lang::tr{'invalid input for remote host/ip'};
- goto VPNCONF_ERROR;
- } else {
- if (&Ovpnfunc::valid_dns_host($cgiparams{'REMOTE'})) {
- $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
- }
- }
- }
- }
- if ($cgiparams{'TYPE'} ne 'host') {
- unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
- $errormessage = $Lang::tr{'local subnet is invalid'};
- goto VPNCONF_ERROR;
- }
- }
- #hier1
- my @tmpovpnsubnet = split("\/",$cgiparams{'LOCAL_SUBNET'});
- $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]);
- $cgiparams{'LOCAL_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr
- #hier1
- if ($cgiparams{'REMOTE'} eq '') {# Check if there is no other entry without IP-address and PSK
- foreach my $key (keys %confighash) {
- if(($cgiparams{'KEY'} ne $key) && ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && $confighash{$key}[10] eq '') {
- $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
- goto VPNCONF_ERROR;
- }
- }
- }
- if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
- $errormessage = $Lang::tr{'remote subnet is invalid'};
- goto VPNCONF_ERROR;
- }
- #hier2
- my @tmpovpnsubnet = split("\/",$cgiparams{'REMOTE_SUBNET'});
- $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]);
- $cgiparams{'REMOTE_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr
- #hier2
- if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
- $errormessage = $Lang::tr{'invalid input'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'ENABLED'} eq 'on'){
- $errormessage = &Ovpnfunc::disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dest");
- }
- if ($errormessage) { goto VPNCONF_ERROR; }
-
- if ($cgiparams{'ENABLED'} eq 'on'){
- $errormessage = &Ovpnfunc::checkportfw(0,$cgiparams{'DEST_PORT'},$cgiparams{'PROTOCOL'},'0.0.0.0');
- }
- if ($errormessage) { goto VPNCONF_ERROR; }
-#raul
- if ($cgiparams{'TYPE'} eq 'net') {
- if (! &General::validipandmask($cgiparams{'OVPN_SUBNET'})) {
- $errormessage = $Lang::tr{'ovpn subnet is invalid'};
- goto VPNCONF_ERROR;
- }
- #hier3
- my @tmpovpnsubnet = split("\/",$cgiparams{'OVPN_SUBNET'});
- $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]);
- $cgiparams{'OVPN_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr
- #hier3
- #plausi2
- $errormessage = &Ovpnfunc::ovelapplausi($tmpovpnsubnet[0],$tmpovpnsubnet[1]);
- #plausi2
- if ($errormessage ne ''){
- goto VPNCONF_ERROR;
- }
- if ((length($cgiparams{'MTU'})==0) || (($cgiparams{'MTU'}) < 1000 )) {
- $errormessage = $Lang::tr{'invalid mtu input'};
- goto VPNCONF_ERROR;
- }
- unless (&General::validport($cgiparams{'DEST_PORT'})) {
- $errormessage = $Lang::tr{'invalid port'};
- goto VPNCONF_ERROR;
- }
- # check protcol/port overlap against existing connections gian
- foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name
- if ($dkey ne $cgiparams{'KEY'}) {
- if ($confighash{$dkey}[14] eq $cgiparams{'PROTOCOL'} && $confighash{$dkey}[15] eq $cgiparams{'DEST_PORT'}){
- #if ($confighash{$dkey}[14] eq 'on') {
- $errormessage = "Choosed Protocol/Port combination is already used by connection: $confighash{$dkey}[1]";
- goto VPNCONF_ERROR;
- #} else {
- # $warnmessage = "Choosed Protcol/Port combination is used by inactive connection: $confighash{$dkey}[1]";
- #}
- }
- }
- }
- #check protcol/port overlap against RWserver gian
- if ($vpnsettings{'ENABLED'} eq 'on') {
- if ($vpnsettings{'DPROTOCOL'} eq $cgiparams{'PROTOCOL'} && $vpnsettings{'DDEST_PORT'} eq $cgiparams{'DEST_PORT'}){
- $errormessage = "Choosed Protocol/Port combination is already used OpenVPN Roadwarrior Server";
- goto VPNCONF_ERROR;
- }
- }
+ if (! $confighash{$cgiparams{'KEY'}}[0]) {
+ $errormessage = $Lang::tr{'invalid key'};
+ goto VPNCONF_END;
+ }
+ $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0];
+ $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1];
+ $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3];
+ $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4];
+ $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5];
+ $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6];
+ $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8];
+ $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10];
+ $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11];
+ $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25];
+ $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26];
+#new fields
+ $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27];
+ $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28];
+ $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29];
+ $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30];
+ $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31];
+#new fields
+#ab hiere error uebernehmen
+ } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
+ $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
+ if ($cgiparams{'TYPE'} !~ /^(host|net)$/) {
+ $errormessage = $Lang::tr{'connection type is invalid'};
+ goto VPNCONF_ERROR;
+ }
+
+
+ if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) {
+ $errormessage = $Lang::tr{'name must only contain characters'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) {
+ $errormessage = $Lang::tr{'name is invalid'};
+ goto VPNCONF_ERROR;
+ }
+
+ if (length($cgiparams{'NAME'}) >60) {
+ $errormessage = $Lang::tr{'name too long'};
+ goto VPNCONF_ERROR;
+ }
+
+# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) {
+# $errormessage = $Lang::tr{'ipfire side is invalid'};
+# goto VPNCONF_ERROR;
+# }
+
+ # Check if there is no other entry with this name
+ if (! $cgiparams{'KEY'}) {
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[1] eq $cgiparams{'NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this name already exists'};
+ goto VPNCONF_ERROR;
}
- if ($cgiparams{'AUTH'} eq 'psk') {
- #removed
- } elsif ($cgiparams{'AUTH'} eq 'certreq') {
- # {
- if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
- goto VPNCONF_ERROR;
- }
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
- goto VPNCONF_ERROR;
- }
- (my $fh, my $filename) = tempfile( );# Move uploaded certificate request to a temporary file
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
- goto VPNCONF_ERROR;
- }
- # Sign the certificate request and move it
- # Sign the host certificate request
- system('/usr/bin/openssl', 'ca', '-days', '999999',
- '-batch', '-notext',
- '-in', $filename,
- '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- unlink ($filename);
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
- &Ovpnfunc::newcleanssldatabase();
- goto VPNCONF_ERROR;
- } else {
- unlink ($filename);
- &Ovpnfunc::deletebackupcert();
- }
- my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
- $temp = $1;
- $temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
- $cgiparams{'CERT_NAME'} = $temp;
- $cgiparams{'CERT_NAME'} =~ s/,//g;
- $cgiparams{'CERT_NAME'} =~ s/\'//g;
- if ($cgiparams{'CERT_NAME'} eq '') {
- $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
- goto VPNCONF_ERROR;
- }
- } elsif ($cgiparams{'AUTH'} eq 'certfile') {
- if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
- goto VPNCONF_ERROR;
- }
- if (ref ($cgiparams{'FH'}) ne 'Fh') {
- $errormessage = $Lang::tr{'there was no file upload'};
- goto VPNCONF_ERROR;
- }
- (my $fh, my $filename) = tempfile( );# Move uploaded certificate to a temporary file
- if (copy ($cgiparams{'FH'}, $fh) != 1) {
- $errormessage = $!;
- goto VPNCONF_ERROR;
- }
- my $validca = 0;# Verify the certificate has a valid CA and move it
- my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`;
- if ($test =~ /: OK/) {
- $validca = 1;
- } else {
- foreach my $key (keys %cahash) {
- $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`;
- if ($test =~ /: OK/) {
- $validca = 1;
- }
- }
- }
- if (! $validca) {
- $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
- unlink ($filename);
- goto VPNCONF_ERROR;
- } else {
- move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
- if ($? ne 0) {
- $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
- unlink ($filename);
- goto VPNCONF_ERROR;
- }
- }
- my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
- $temp =~ /Subject:.*CN=(.*)[\n]/;
- $temp = $1;
- $temp =~ s+/Email+, E+;
- $temp =~ s/ ST=/ S=/;
- $cgiparams{'CERT_NAME'} = $temp;
- $cgiparams{'CERT_NAME'} =~ s/,//g;
- $cgiparams{'CERT_NAME'} =~ s/\'//g;
- if ($cgiparams{'CERT_NAME'} eq '') {
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
- $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
- goto VPNCONF_ERROR;
- }
- } elsif ($cgiparams{'AUTH'} eq 'certgen'){
- if ($cgiparams{'KEY'}) {
- $errormessage = $Lang::tr{'cant change certificates'};
- goto VPNCONF_ERROR;
- }
- if (length($cgiparams{'CERT_NAME'}) >60) {# Validate input since the form was submitted
- $errormessage = $Lang::tr{'name too long'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
- $errormessage = $Lang::tr{'invalid input for name'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
- $errormessage = $Lang::tr{'invalid input for e-mail address'};
- goto VPNCONF_ERROR;
- }
- if (length($cgiparams{'CERT_EMAIL'}) > 40) {
- $errormessage = $Lang::tr{'e-mail address too long'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for department'};
- goto VPNCONF_ERROR;
- }
- if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
- $errormessage = $Lang::tr{'organization too long'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
- $errormessage = $Lang::tr{'invalid input for organization'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for city'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
- $errormessage = $Lang::tr{'invalid input for state or province'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
- $errormessage = $Lang::tr{'invalid input for country'};
- goto VPNCONF_ERROR;
- }
- if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
- if (length($cgiparams{'CERT_PASS1'}) < 5) {
- $errormessage = $Lang::tr{'password too short'};
- goto VPNCONF_ERROR;
- }
- }
- if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
- $errormessage = $Lang::tr{'passwords do not match'};
- goto VPNCONF_ERROR;
- }
- (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;# Replace empty strings with a .
- (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
- (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
- my $pid = open(OPENSSL, "|-");# Create the Host certificate request client
- $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
- if ($pid) { # parent
- print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
- print OPENSSL "$state\n";
- print OPENSSL "$city\n";
- print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
- print OPENSSL "$ou\n";
- print OPENSSL "$cgiparams{'CERT_NAME'}\n";
- print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
- print OPENSSL ".\n";
- print OPENSSL ".\n";
- close (OPENSSL);
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
- unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
- goto VPNCONF_ERROR;
- }
- } else { # child
- unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
- '-newkey', 'rsa:1024',
- '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
- '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
- $errormessage = "$Lang::tr{'cant start openssl'}: $!";
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
- goto VPNCONF_ERROR;
- }
- }
- # Sign the host certificate request
- system('/usr/bin/openssl', 'ca', '-days', '999999',
- '-batch', '-notext',
- '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
- '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
- &Ovpnfunc::newcleanssldatabase();
- goto VPNCONF_ERROR;
- } else {
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
- &Ovpnfunc::deletebackupcert();
- }
- # Create the pkcs12 file
- system('/usr/bin/openssl', 'pkcs12', '-export',
- '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
- '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-name', $cgiparams{'NAME'},
- '-passout', "pass:$cgiparams{'CERT_PASS1'}",
- '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
- '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
- '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
- if ($?) {
- $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
- goto VPNCONF_ERROR;
- } else {
- unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
- }
- } elsif ($cgiparams{'AUTH'} eq 'cert') {
- ;# Nothing, just editing
+ }
+ }
+
+ if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) {
+ $errormessage = $Lang::tr{'invalid input for remote host/ip'};
+ goto VPNCONF_ERROR;
+ }
+
+ if ($cgiparams{'REMOTE'}) {
+ if (! &General::validip($cgiparams{'REMOTE'})) {
+ if (! &General::validfqdn ($cgiparams{'REMOTE'})) {
+ $errormessage = $Lang::tr{'invalid input for remote host/ip'};
+ goto VPNCONF_ERROR;
} else {
- $errormessage = $Lang::tr{'invalid input for authentication method'};
- goto VPNCONF_ERROR;
+ if (&valid_dns_host($cgiparams{'REMOTE'})) {
+ $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}";
+ }
}
- if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {# Check if there is no other entry with this common name
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
- $errormessage = $Lang::tr{'a connection with this common name already exists'};
- goto VPNCONF_ERROR;
- }
- }
+ }
+ }
+ if ($cgiparams{'TYPE'} ne 'host') {
+ unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) {
+ $errormessage = $Lang::tr{'local subnet is invalid'};
+ goto VPNCONF_ERROR;}
+ }
+ # Check if there is no other entry without IP-address and PSK
+ if ($cgiparams{'REMOTE'} eq '') {
+ foreach my $key (keys %confighash) {
+ if(($cgiparams{'KEY'} ne $key) &&
+ ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') &&
+ $confighash{$key}[10] eq '') {
+ $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'};
+ goto VPNCONF_ERROR;
}
+ }
+ }
+ if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) {
+ $errormessage = $Lang::tr{'remote subnet is invalid'};
+ goto VPNCONF_ERROR;
+ }
- my $key = $cgiparams{'KEY'};# Save the config
- if (! $key) {
- $key = &General::findhasharraykey (\%confighash);
- foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";}
+ if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) {
+ $errormessage = $Lang::tr{'invalid input'};
+ goto VPNCONF_ERROR;
+ }
+
+#fixplausi
+ if ($cgiparams{'AUTH'} eq 'psk') {
+# if (! length($cgiparams{'PSK'}) ) {
+# $errormessage = $Lang::tr{'pre-shared key is too short'};
+# goto VPNCONF_ERROR;
+# }
+# if ($cgiparams{'PSK'} =~ /['",&]/) {
+# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'};
+# goto VPNCONF_ERROR;
+# }
+ } elsif ($cgiparams{'AUTH'} eq 'certreq') {
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Move uploaded certificate request to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto VPNCONF_ERROR;
+ }
+
+ # Sign the certificate request and move it
+ # Sign the host certificate request
+ system('/usr/bin/openssl', 'ca', '-days', '999999',
+ '-batch', '-notext',
+ '-in', $filename,
+ '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
+ '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ($filename);
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
+ &newcleanssldatabase();
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ($filename);
+ &deletebackupcert();
+ }
+
+ my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
+ $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp = $1;
+ $temp =~ s+/Email+, E+;
+ $temp =~ s/ ST=/ S=/;
+ $cgiparams{'CERT_NAME'} = $temp;
+ $cgiparams{'CERT_NAME'} =~ s/,//g;
+ $cgiparams{'CERT_NAME'} =~ s/\'//g;
+ if ($cgiparams{'CERT_NAME'} eq '') {
+ $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
+ goto VPNCONF_ERROR;
+ }
+ } elsif ($cgiparams{'AUTH'} eq 'certfile') {
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ if (ref ($cgiparams{'FH'}) ne 'Fh') {
+ $errormessage = $Lang::tr{'there was no file upload'};
+ goto VPNCONF_ERROR;
+ }
+ # Move uploaded certificate to a temporary file
+ (my $fh, my $filename) = tempfile( );
+ if (copy ($cgiparams{'FH'}, $fh) != 1) {
+ $errormessage = $!;
+ goto VPNCONF_ERROR;
+ }
+
+ # Verify the certificate has a valid CA and move it
+ my $validca = 0;
+ my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`;
+ if ($test =~ /: OK/) {
+ $validca = 1;
+ } else {
+ foreach my $key (keys %cahash) {
+ $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`;
+ if ($test =~ /: OK/) {
+ $validca = 1;
+ }
}
- $confighash{$key}[0] = $cgiparams{'ENABLED'};
- $confighash{$key}[1] = $cgiparams{'NAME'};
- if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
- $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
+ }
+ if (! $validca) {
+ $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'};
+ unlink ($filename);
+ goto VPNCONF_ERROR;
+ } else {
+ move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
+ if ($? ne 0) {
+ $errormessage = "$Lang::tr{'certificate file move failed'}: $!";
+ unlink ($filename);
+ goto VPNCONF_ERROR;
}
- $confighash{$key}[3] = $cgiparams{'TYPE'};
- if ($cgiparams{'AUTH'} eq 'psk') {
- $confighash{$key}[4] = 'psk';
- $confighash{$key}[5] = $cgiparams{'PSK'};
- } else {
- $confighash{$key}[4] = 'cert';
+ }
+
+ my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`;
+ $temp =~ /Subject:.*CN=(.*)[\n]/;
+ $temp = $1;
+ $temp =~ s+/Email+, E+;
+ $temp =~ s/ ST=/ S=/;
+ $cgiparams{'CERT_NAME'} = $temp;
+ $cgiparams{'CERT_NAME'} =~ s/,//g;
+ $cgiparams{'CERT_NAME'} =~ s/\'//g;
+ if ($cgiparams{'CERT_NAME'} eq '') {
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
+ $errormessage = $Lang::tr{'could not retrieve common name from certificate'};
+ goto VPNCONF_ERROR;
+ }
+ } elsif ($cgiparams{'AUTH'} eq 'certgen') {
+ if ($cgiparams{'KEY'}) {
+ $errormessage = $Lang::tr{'cant change certificates'};
+ goto VPNCONF_ERROR;
+ }
+ # Validate input since the form was submitted
+ if (length($cgiparams{'CERT_NAME'}) >60) {
+ $errormessage = $Lang::tr{'name too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ $errormessage = $Lang::tr{'invalid input for name'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) {
+ $errormessage = $Lang::tr{'invalid input for e-mail address'};
+ goto VPNCONF_ERROR;
+ }
+ if (length($cgiparams{'CERT_EMAIL'}) > 40) {
+ $errormessage = $Lang::tr{'e-mail address too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for department'};
+ goto VPNCONF_ERROR;
+ }
+ if (length($cgiparams{'CERT_ORGANIZATION'}) >60) {
+ $errormessage = $Lang::tr{'organization too long'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) {
+ $errormessage = $Lang::tr{'invalid input for organization'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for city'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) {
+ $errormessage = $Lang::tr{'invalid input for state or province'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) {
+ $errormessage = $Lang::tr{'invalid input for country'};
+ goto VPNCONF_ERROR;
+ }
+ if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){
+ if (length($cgiparams{'CERT_PASS1'}) < 5) {
+ $errormessage = $Lang::tr{'password too short'};
+ goto VPNCONF_ERROR;
}
- if ($cgiparams{'TYPE'} eq 'net') {
- $confighash{$key}[6] = $cgiparams{'SIDE'};
- $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
- if ( $cgiparams{'SIDE'} eq 'client') {
- $confighash{$key}[19] = 'yes';
- } else{
- $confighash{$key}[19] = 'no';
- }
+ }
+ if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) {
+ $errormessage = $Lang::tr{'passwords do not match'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Replace empty strings with a .
+ (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;
+ (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./;
+ (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./;
+
+ # Create the Host certificate request client
+ my $pid = open(OPENSSL, "|-");
+ $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;};
+ if ($pid) { # parent
+ print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n";
+ print OPENSSL "$state\n";
+ print OPENSSL "$city\n";
+ print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n";
+ print OPENSSL "$ou\n";
+ print OPENSSL "$cgiparams{'CERT_NAME'}\n";
+ print OPENSSL "$cgiparams{'CERT_EMAIL'}\n";
+ print OPENSSL ".\n";
+ print OPENSSL ".\n";
+ close (OPENSSL);
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem");
+ goto VPNCONF_ERROR;
}
- $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
- $confighash{$key}[10] = $cgiparams{'REMOTE'};
- $confighash{$key}[25] = $cgiparams{'REMARK'};
- $confighash{$key}[12] = $cgiparams{'INTERFACE'};
- $confighash{$key}[13] = $cgiparams{'OVPN_SUBNET'};# new fields
- $confighash{$key}[14] = $cgiparams{'PROTOCOL'};
- $confighash{$key}[15] = $cgiparams{'DEST_PORT'};
- $confighash{$key}[16] = $cgiparams{'COMPLZO'};
- $confighash{$key}[17] = $cgiparams{'MTU'};
- $confighash{$key}[18] = $cgiparams{'N2NVPN_IP'};# new fileds
- $confighash{$key}[19] = $cgiparams{'ZERINA_CLIENT'};# new fileds
- $confighash{$key}[20] = $cgiparams{'CIPHER'};
-
- #default n2n advanced
- $confighash{$key}[26] = '10';#keepalive ping
- $confighash{$key}[27] = '60';#keepalive restart
- $confighash{$key}[28] = '0';#nice
- $confighash{$key}[42] = '3';#verb
- #default n2n advanced
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- &Ovpnfunc::writenet2netconf($key,$zerinaclient);
- #ppp
- my $n2nactive = `/bin/ps ax|grep $cgiparams{'NAME'}.conf|grep -v grep|awk \'{print \$1}\'`;
- if ($cgiparams{'ENABLED'}) {
- if ($n2nactive eq ''){
- system('/usr/local/bin/openvpnctrl', '-sn2n', $cgiparams{'NAME'});
- } else {
- system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive);
- system('/usr/local/bin/openvpnctrl', '-sn2n', $cgiparams{'NAME'});
- }
- } else {
- if ($n2nactive ne ''){
- system('/usr/local/bin/openvpnctrl', '-kn2n', $cgiparams{'NAME'});
- }
+ } else { # child
+ unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache',
+ '-newkey', 'rsa:1024',
+ '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
+ '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
+ '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+ $errormessage = "$Lang::tr{'cant start openssl'}: $!";
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
+ goto VPNCONF_ERROR;
}
- if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
- $cgiparams{'KEY'} = $key;
- $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
+ }
+
+ # Sign the host certificate request
+ system('/usr/bin/openssl', 'ca', '-days', '999999',
+ '-batch', '-notext',
+ '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
+ '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
+ '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
+ &newcleanssldatabase();
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
+ &deletebackupcert();
+ }
+
+ # Create the pkcs12 file
+ system('/usr/bin/openssl', 'pkcs12', '-export',
+ '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
+ '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
+ '-name', $cgiparams{'NAME'},
+ '-passout', "pass:$cgiparams{'CERT_PASS1'}",
+ '-certfile', "${General::swroot}/ovpn/ca/cacert.pem",
+ '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA",
+ '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
+ if ($?) {
+ $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12");
+ goto VPNCONF_ERROR;
+ } else {
+ unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
+ }
+ } elsif ($cgiparams{'AUTH'} eq 'cert') {
+ ;# Nothing, just editing
+ } else {
+ $errormessage = $Lang::tr{'invalid input for authentication method'};
+ goto VPNCONF_ERROR;
+ }
+
+ # Check if there is no other entry with this common name
+ if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) {
+ $errormessage = $Lang::tr{'a connection with this common name already exists'};
+ goto VPNCONF_ERROR;
}
- goto VPNCONF_END;
+ }
+ }
+
+ # Save the config
+ my $key = $cgiparams{'KEY'};
+ if (! $key) {
+ $key = &General::findhasharraykey (\%confighash);
+ foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";}
+ }
+ $confighash{$key}[0] = $cgiparams{'ENABLED'};
+ $confighash{$key}[1] = $cgiparams{'NAME'};
+ if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') {
+ $confighash{$key}[2] = $cgiparams{'CERT_NAME'};
+ }
+ $confighash{$key}[3] = $cgiparams{'TYPE'};
+ if ($cgiparams{'AUTH'} eq 'psk') {
+ $confighash{$key}[4] = 'psk';
+ $confighash{$key}[5] = $cgiparams{'PSK'};
+ } else {
+ $confighash{$key}[4] = 'cert';
+ }
+ if ($cgiparams{'TYPE'} eq 'net') {
+ $confighash{$key}[6] = $cgiparams{'SIDE'};
+ $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
+ }
+ $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
+ $confighash{$key}[10] = $cgiparams{'REMOTE'};
+ $confighash{$key}[25] = $cgiparams{'REMARK'};
+ $confighash{$key}[26] = $cgiparams{'INTERFACE'};
+# new fields
+ $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'};
+ $confighash{$key}[28] = $cgiparams{'PROTOCOL'};
+ $confighash{$key}[29] = $cgiparams{'DEST_PORT'};
+ $confighash{$key}[30] = $cgiparams{'COMPLZO'};
+ $confighash{$key}[31] = $cgiparams{'MTU'};
+# new fileds
+ &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
+ $cgiparams{'KEY'} = $key;
+ $cgiparams{'ACTION'} = $Lang::tr{'advanced'};
+ }
+ goto VPNCONF_END;
} else {
- $cgiparams{'ENABLED'} = 'on';
- if ($cgiparams{'ZERINA_CLIENT'} eq ''){
- $cgiparams{'ZERINA_CLIENT'} = 'no';
- }
- if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
- $cgiparams{'AUTH'} = 'psk';
- } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
- $cgiparams{'AUTH'} = 'certfile';
- } else {
+ $cgiparams{'ENABLED'} = 'on';
+ $cgiparams{'SIDE'} = 'left';
+ if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) {
+ $cgiparams{'AUTH'} = 'psk';
+ } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") {
+ $cgiparams{'AUTH'} = 'certfile';
+ } else {
$cgiparams{'AUTH'} = 'certgen';
- }
- $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
- $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
- $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
- $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
- $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
+ }
+ $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}";
+ $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'};
+ $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'};
+ $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'};
+ $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'};
}
+
VPNCONF_ERROR:
- # n2n default settings
- if ($cgiparams{'CIPHER'} eq '') {
- $cgiparams{'CIPHER'} = 'BF-CBC';
- }
- if ($cgiparams{'MTU'} eq '') {
- $cgiparams{'MTU'} = '1400';
- }
- if ($cgiparams{'OVPN_SUBNET'} eq '') {
- $cgiparams{'OVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
- }
- #n2n default settings
$checked{'ENABLED'}{'off'} = '';
$checked{'ENABLED'}{'on'} = '';
$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED';
@@ -2264,43 +2269,28 @@ END
$checked{'ENABLED_ORANGE'}{'off'} = '';
$checked{'ENABLED_ORANGE'}{'on'} = '';
$checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED';
+
+
$checked{'EDIT_ADVANCED'}{'off'} = '';
$checked{'EDIT_ADVANCED'}{'on'} = '';
$checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED';
+
$selected{'SIDE'}{'server'} = '';
$selected{'SIDE'}{'client'} = '';
$selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED';
-
-# $selected{'DDEVICE'}{'tun'} = '';
-# $selected{'DDEVICE'}{'tap'} = '';
-# $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED';
-
- $selected{'PROTOCOL'}{'udp'} = '';
- $selected{'PROTOCOL'}{'tcp'} = '';
- $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED';
-
+
$checked{'AUTH'}{'psk'} = '';
$checked{'AUTH'}{'certreq'} = '';
$checked{'AUTH'}{'certgen'} = '';
$checked{'AUTH'}{'certfile'} = '';
$checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED';
+
$selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED';
+
$checked{'COMPLZO'}{'off'} = '';
$checked{'COMPLZO'}{'on'} = '';
$checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED';
- $selected{'CIPHER'}{'DES-CBC'} = '';
- $selected{'CIPHER'}{'DES-EDE-CBC'} = '';
- $selected{'CIPHER'}{'DES-EDE3-CBC'} = '';
- $selected{'CIPHER'}{'DESX-CBC'} = '';
- $selected{'CIPHER'}{'RC2-CBC'} = '';
- $selected{'CIPHER'}{'RC2-40-CBC'} = '';
- $selected{'CIPHER'}{'RC2-64-CBC'} = '';
- $selected{'CIPHER'}{'BF-CBC'} = '';
- $selected{'CIPHER'}{'CAST5-CBC'} = '';
- $selected{'CIPHER'}{'AES-128-CBC'} = '';
- $selected{'CIPHER'}{'AES-192-CBC'} = '';
- $selected{'CIPHER'}{'AES-256-CBC'} = '';
- $selected{'CIPHER'}{$cgiparams{'CIPHER'}} = 'SELECTED';
+
if (1) {
&Header::showhttpheaders();
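Review bot: The three `$selected{'PROTOCOL'}` lines are dropped here, yet the save path in the preceding hunk still writes `$confighash{$key}[28] = $cgiparams{'PROTOCOL'};`, so the two sides no longer agree: if the form's protocol selector remains (not visible in this diff) it can no longer reflect the stored value, and if it was removed the field at index 28 is always written empty. Either keep the `$selected{'PROTOCOL'}` initialisation or drop the write at index 28 so the form and the config record match. The CIPHER removal appears consistent with the cipher store and its default being removed in the preceding hunk.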
@@ -2312,20 +2302,22 @@ END
print " ";
&Header::closebox();
}
+
if ($warnmessage) {
&Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:");
print "$warnmessage";
print " ";
&Header::closebox();
}
+
print "
";
+# }
+# }else{
print " |
";
- } elsif ($cgiparams{'ACTION'} ne $Lang::tr{'edit'}){
- print " $Lang::tr{'edit advanced settings when done'}";
- } else {
- print " | ";
- }
+# }
+
&Header::closebox();
+
if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
- ;#we dont have psk
+ # &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
+ # print <
+ # $Lang::tr{'use a pre-shared key'} |
+ # |
+ #
+END
+ # ;
+ # &Header::closebox();
} elsif (! $cgiparams{'KEY'}) {
my $disabled='';
my $cakeydisabled='';
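Review bot: The commented-out block in the `psk` branch leaves its heredoc terminator live: `# print <<END` is commented out but the following `END` line is not, so a bare `END` reaches the parser ahead of `} elsif (! $cgiparams{'KEY'})`, and since `END` is a reserved block keyword this is most likely a syntax error rather than a harmless bareword (the rendering of this page may have dropped a leading `#`; please confirm against the raw file). Commented-out code — this block and the `# }` / `# }else{` stubs earlier in the hunk — should be deleted rather than kept, since version control already preserves the old form; the branch can stay as the previous `;#we dont have psk`. The `if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk')` chain continues past the end of this hunk.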
@@ -2446,6 +2442,7 @@ END
$Lang::tr{'country'}: |
|
+ |
END
;
-} else {
+ } else {
# display rootcert generation buttons
print <
+
$Lang::tr{'root certificate'}: |
$Lang::tr{'not present'} |
|
END
;
-}
+ }
-if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
+ if (-f "${General::swroot}/ovpn/certs/servercert.pem") {
my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
$hostsubject =~ /Subject: (.*)[\n]/;
$hostsubject = $1;
$hostsubject =~ s+/Email+, E+;
$hostsubject =~ s/ ST=/ S=/;
+
print <
+
$Lang::tr{'host certificate'} |
$hostsubject |
-
-
+
+
|
-
-
+
+
|
|
END
;
-} else {
+ } else {
# Nothing
print <
+
$Lang::tr{'host certificate'}: |
$Lang::tr{'not present'} |
|
END
;
-}
+ }
-if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
- print "";
+ if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
+ print "";
print "";
- print " | \n";
-}
+ print " | \n";
+ }
-if (keys %cahash > 0) {
+ if (keys %cahash > 0) {
foreach my $key (keys %cahash) {
- if (($key + 1) % 2) {
- print "\n";
- } else {
- print " \n";
- }
- print "$cahash{$key}[0] | \n";
- print "$cahash{$key}[1] | \n";
- print <
+ if (($key + 1) % 2) {
+ print " | \n";
+ } else {
+ print " \n";
+ }
+ print "$cahash{$key}[0] | \n";
+ print "$cahash{$key}[1] | \n";
+ print <
- |
-
-
+ |
+
+
- |
-
+ |
+
- |
+
END
;
}
-}
-print "";
-if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {# If the file contains entries, print Key to action icons
- print <
-
+ }
+
+ print "";
+
+ # If the file contains entries, print Key to action icons
+ if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {
+ print <
+
$Lang::tr{'legend'}: |
|
$Lang::tr{'show certificate'} |
- |
+ |
$Lang::tr{'download certificate'} |
-
-
+
+
END
;
-}
-print <
-
+ }
+ print <
+
END
;
-&Header::closebox();
-if ( $srunning eq "yes" ) {
+
+ &Header::closebox();
+ if ( $srunning eq "yes" ) {
print "\n";
-}else{
- print "\n";
-}
-if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
- &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' });
- print <
-
- $Lang::tr{'name'} |
- $Lang::tr{'type'} |
- $Lang::tr{'common name'} |
- $Lang::tr{'valid till'} |
- $Lang::tr{'remark'}
|
- $Lang::tr{'status'} |
- $Lang::tr{'action'} |
-
+ }else{
+ print "\n";
+ }
+ if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) {
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' });
+ print <
+
+ $Lang::tr{'name'} |
+ $Lang::tr{'type'} |
+ $Lang::tr{'common name'} |
+ $Lang::tr{'valid till'} |
+ $Lang::tr{'remark'}
|
+ $Lang::tr{'status'} |
+ $Lang::tr{'action'} |
+
END
;
- my $id = 0;
- my $gif;
- foreach my $key (keys %confighash) {
- if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
- if ($id % 2) {
- print "\n";
- } else {
- print " \n";
- }
- print "$confighash{$key}[1] | ";
- if ($confighash{$key}[3] ne 'host') {
- print "" . $confighash{$key}[6] . "-" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") | ";
- } else {
- print "" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") | ";
- }
- if ($confighash{$key}[4] eq 'cert') {
- print "$confighash{$key}[2] | ";
- } else {
- print " | ";
- }
- if ($confighash{$key}[19] ne 'yes') {
- my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
- $cavalid =~ /Not After : (.*)[\n]/;
- $cavalid = $1;
- print "$cavalid | ";
- } else {
- print " | ";
- }
- print "$confighash{$key}[25] | ";
- my $active = "";
- if ($confighash{$key}[0] eq 'off') {
- $active = "";
- } else {
- if ($confighash{$key}[3] eq 'host') {
- my $cn;
- my @match = ();
- foreach my $line (@status) {
- chomp($line);
- if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
- @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
- if ($match[1] ne "Common Name") {
- $cn = $match[1];
- }
- $cn =~ s/[_]/ /g;
- if ($cn eq "$confighash{$key}[2]") {
- $active = "";
- }
- }
- }
- } else {
- my @tempovpnsubnet = split("\/",$confighash{$key}[13]);
- my @ovpnip = split /\./,$tempovpnsubnet[0];
- my $pingip = "";
- if ($confighash{$key}[6] eq 'server') {
- $pingip = "$ovpnip[0].$ovpnip[1].$ovpnip[2].2";
- } else {
- $pingip = "$ovpnip[0].$ovpnip[1].$ovpnip[2].1";
- }
- my $p = Net::Ping->new("udp",1);
- if ($p->ping($pingip)) {
- $active = "";
- }
- $p->close();
- }
- }
- print "$active | ";
- my $disable_clientdl = "";
- if ($confighash{$key}[6] ne 'client') {
- print <
-
-
-
- |
-END
- ; } else {
- print " | ";
- }
- if ($confighash{$key}[4] eq 'cert' && $confighash{$key}[19] ne 'yes') {
- print <
-
-
-
- |
-END
- ; } else {
- print " | ";
- }
- if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
- print <
-
-
-
- |
-END
- ; } elsif ($confighash{$key}[4] eq 'cert' && $confighash{$key}[19] ne 'yes') {
- print <
-
-
-
- |
+ my $id = 0;
+ my $gif;
+ foreach my $key (keys %confighash) {
+ if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; }
+
+ if ($id % 2) {
+ print "\n";
+ } else {
+ print " \n";
+ }
+ print "$confighash{$key}[1] | ";
+ print "" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ") | ";
+ if ($confighash{$key}[4] eq 'cert') {
+ print "$confighash{$key}[2] | ";
+ } else {
+ print " | ";
+ }
+ my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`;
+ $cavalid =~ /Not After : (.*)[\n]/;
+ $cavalid = $1;
+ print "$cavalid | ";
+ print "$confighash{$key}[25] | ";
+ my $active = "";
+ if ($confighash{$key}[0] eq 'off') {
+ $active = "";
+ } else {
+ my $cn;
+ my @match = ();
+ foreach my $line (@status) {
+ chomp($line);
+ if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) {
+ @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line);
+ if ($match[1] ne "Common Name") {
+ $cn = $match[1];
+ }
+ $cn =~ s/[_]/ /g;
+ if ($cn eq "$confighash{$key}[2]") {
+ $active = "";
+ }
+ }
+ }
+ }
+ my $disable_clientdl = "disabled='disabled'";
+ if (( $cgiparams{'ENABLED'} eq 'on') ||
+ ( $cgiparams{'ENABLED_BLUE'} eq 'on') ||
+ ( $cgiparams{'ENABLED_ORANGE'} eq 'on')){
+ $disable_clientdl = "";
+ }
+ print <$active
+
+
+
+
+
+ |
END
- ; } else {
- print " | ";
- }
- print <
-
-
+ ;
+ if ($confighash{$key}[4] eq 'cert') {
+ print <
+
+
- |
-
-
-
+ |
+END
+ ; } else {
+ print " | ";
+ }
+ if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") {
+ print <
+
+
- |
-
-
-
+ |
+END
+ ; } elsif ($confighash{$key}[4] eq 'cert') {
+ print <
+
+
- |
- |
+
END
- ;
- $id++;
+ ; } else {
+ print " | ";
}
+ print <
+
+
+
+ |
+
+
+
+
+
+ |
+
+
+
+
+ |
+
+END
+ ;
+ $id++;
+ }
;
# If the config file contains entries, print Key to action icons
if ( $id ) {
- print <
-
- $Lang::tr{'legend'}: |
- |
- $Lang::tr{'click to disable'} |
- |
- $Lang::tr{'show certificate'} |
- |
- $Lang::tr{'edit'} |
- |
- $Lang::tr{'remove'} |
-
-
- |
- |
- $Lang::tr{'click to enable'} |
- |
- $Lang::tr{'download certificate'} |
- |
- $Lang::tr{'dl client arch'} |
-
-
+ print <
+
+ $Lang::tr{'legend'}: |
+ |
+ $Lang::tr{'click to disable'} |
+ |
+ $Lang::tr{'show certificate'} |
+ |
+ $Lang::tr{'edit'} |
+ |
+ $Lang::tr{'remove'} |
+
+
+ |
+ |
+ $Lang::tr{'click to enable'} |
+ |
+ $Lang::tr{'download certificate'} |
+ |
+ $Lang::tr{'dl client arch'} |
+
+
END
;
}
+
print <
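Review bot: The new `$cavalid` lookup runs `openssl x509` for every row, including PSK entries that have no `...cert.pem`; when the command fails the `/Not After : (.*)/` match fails too, and `$cavalid = $1;` then picks up whatever `$1` held from an earlier successful match (the previous row's expiry, or the `$hostsubject` subject line), so the "valid till" column shows a wrong date instead of nothing. Guard the call on `$confighash{$key}[4] eq 'cert'`, take the capture from the match's return value rather than a bare `$1`, and use the list-form `open` so the stored connection name is not interpolated into a shell command line. Separately, `$disable_clientdl` is computed from `$cgiparams{'ENABLED*'}` inside a loop over all stored connections, which looks like it should be reading the server settings or the row's own enabled flag — please confirm. The enclosing `if ( -f "${General::swroot}/ovpn/ca/cacert.pem" )` block closes in the next hunk.

```perl
            # … unchanged: common-name cell …
            my $cavalid = '';
            if ($confighash{$key}[4] eq 'cert') {
                my $certfile = "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem";
                # list-form open: no shell, so the connection name is passed as a plain argument
                if (open(my $x509, '-|', '/usr/bin/openssl', 'x509', '-text', '-in', $certfile)) {
                    my $certtext = do { local $/; <$x509> };
                    close($x509);
                    ($cavalid) = $certtext =~ /Not After : (.*)[\n]/;
                    $cavalid = '' unless defined $cavalid;
                }
            }
            # … unchanged: print of the valid-till cell and the rest of the row …
```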
@@ -3243,5 +2965,5 @@ END
END
;
&Header::closebox();
-}
-&Header::closepage();
\ No newline at end of file
+}
+&Header::closepage();
|