X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=8a8390a8f7f5430cf432ecc30583b836d10d210c;hp=33e6140b974b30d354182d0a1d948f6f57d9d57d;hb=95cfccd3ee5aff818b13937075e37a623d3c31fe;hpb=6e13d0a5c5355055343b1f0ab9b7058a64bca89e
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 33e6140b97..8a8390a8f7 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1,13 +1,23 @@
 #!/usr/bin/perl
-# based on SmoothWall and IPCop CGIs
-#
-# This code is distributed under the terms of the GPL
-# Main idea from zeroconcept
-# ZERNINA-VERSION:0.9.7a7
-# (c) 2005 Ufuk Altinkaynak
-#
-# Ipcop and OpenVPN eas as one two three..
-#
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
 use CGI;
 use CGI qw/:standard/;
@@ -16,9 +26,7 @@ use File::Copy;
 use File::Temp qw/ tempfile tempdir /;
 use strict;
 use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
-use Net::Ping;
 require '/var/ipfire/general-functions.pl';
-require '/home/httpd/cgi-bin/ovpnfunc.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 require "${General::swroot}/countries.pl";
@@ -30,7 +38,10 @@ require "${General::swroot}/countries.pl";
 my @dummy = ( ${Header::colourgreen} );
 undef (@dummy);
-
+my %color = ();
+my %mainsettings = ();
+&General::readhash("${General::swroot}/main/settings", \%mainsettings);
+&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
 ###
 ### Initialize variables
@@ -45,7 +56,6 @@ my %selected=();
 my $warnmessage = '';
 my $errormessage = '';
 my %settings=();
-my $zerinaclient = '';
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 $cgiparams{'ENABLED'} = 'off';
 $cgiparams{'ENABLED_BLUE'} = 'off';
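Review bot: Nothing in this commit's `use`/`require` block pulls in Net::DNS, yet the `valid_dns_host` helper added later in the same commit constructs `new Net::DNS::Resolver`; unless general-functions.pl loads that module (not visible here), the first call to the helper dies with an unknown-package error, so `use Net::DNS;` belongs next to the other modules if the helper is kept. The new `%color` lookup also hardcodes `/srv/web/ipfire/html/themes/` while every other path in the file is derived from `${General::swroot}`, and it splices `$mainsettings{'THEME'}` in with no fallback, so a main/settings file without a THEME entry makes this read `themes//include/colors.txt`. A fallback to the shipped default theme name before the readhash, or a guard such as `if ($mainsettings{'THEME'} ne '')`, keeps the page rendering in that case.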
@@ -66,6 +76,334 @@ $cgiparams{'DCOMPLZO'} = 'off'; ### ### Useful functions ### +sub haveOrangeNet +{ + if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} + if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} + return 0; +} + +sub haveBlueNet +{ + if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;} + if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} + return 0; +} + +sub sizeformat{ + my $bytesize = shift; + my $i = 0; + + while(abs($bytesize) >= 1024){ + $bytesize=$bytesize/1024; + $i++; + last if($i==6); + } + + my @units = ("Bytes","KB","MB","GB","TB","PB","EB"); + my $newsize=(int($bytesize*100 +0.5))/100; + return("$newsize $units[$i]"); +} + +sub valid_dns_host { + my $hostname = $_[0]; + unless ($hostname) { return "No hostname"}; + my $res = new Net::DNS::Resolver; + my $query = $res->search("$hostname"); + if ($query) { + foreach my $rr ($query->answer) { + ## Potential bug - we are only looking at A records: + return 0 if $rr->type eq "A"; + } + } else { + return $res->errorstring; + } +} + +sub cleanssldatabase +{ + if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) { + print FILE "01"; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) { + print FILE ""; + close FILE; + } + unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/serial.old"); + unlink ("${General::swroot}/ovpn/certs/01.pem"); +} + +sub newcleanssldatabase +{ + if (! -s "${General::swroot}/ovpn/certs/serial" ) { + open(FILE, ">${General::swroot}(ovpn/certs/serial"); + print FILE "01"; + close FILE; + } + if (! 
-s ">${General::swroot}/ovpn/certs/index.txt") { + system ("touch ${General::swroot}/ovpn/certs/index.txt"); + } + unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/serial.old"); +} + +sub deletebackupcert +{ + if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) { + my $hexvalue = ; + chomp $hexvalue; + close FILE; + unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); + } +} + +sub checkportfw { + my $KEY2 = $_[0]; # key2 + my $SRC_PORT = $_[1]; # src_port + my $PROTOCOL = $_[2]; # protocol + my $SRC_IP = $_[3]; # sourceip + + my $pfwfilename = "${General::swroot}/portfw/config"; + open(FILE, $pfwfilename) or die 'Unable to open config file.'; + my @pfwcurrent = ; + close(FILE); + my $pfwkey1 = 0; # used for finding last sequence number used + foreach my $pfwline (@pfwcurrent) + { + my @pfwtemp = split(/\,/,$pfwline); + + chomp ($pfwtemp[8]); + if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition + if ( $SRC_PORT eq $pfwtemp[3] && + $PROTOCOL eq $pfwtemp[2] && + $SRC_IP eq $pfwtemp[7]) + { + $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT"; + } + # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number + if ( $pfwtemp[1] eq "0") { + $pfwkey1=$pfwtemp[0]; + } + # Darren Critchley - Duplicate or overlapping Port range check + if ($pfwtemp[1] eq "0" && + $PROTOCOL eq $pfwtemp[2] && + $SRC_IP eq $pfwtemp[7] && + $errormessage eq '') + { + &portchecks($SRC_PORT, $pfwtemp[5]); +# &portchecks($pfwtemp[3], $pfwtemp[5]); +# &portchecks($pfwtemp[3], $SRC_IP); + } + } + } +# $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP"; + + return; +} + +sub checkportoverlap +{ + my $portrange1 = $_[0]; # New port range + my $portrange2 = $_[1]; # existing port range + my @tempr1 = split(/\:/,$portrange1); + my @tempr2 = split(/\:/,$portrange2); + + unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} + unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} + + 
unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} + unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} + + return 1; # Everything checks out! +} + +# Darren Critchley - we want to make sure that a port entry is not within an already existing range +sub checkportinc +{ + my $port1 = $_[0]; # Port + my $portrange2 = $_[1]; # Port range + my @tempr1 = split(/\:/,$portrange2); + + if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { + return 1; + } else { + return 0; + } +} +# Darren Critchley - Duplicate or overlapping Port range check +sub portchecks +{ + my $p1 = $_[0]; # New port range + my $p2 = $_[1]; # existing port range +# $_ = $_[0]; + our ($prtrange1, $prtrange2); + $prtrange1 = 0; +# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges +# unless (&checkportoverlap($p1,$p2)) { +# $errormessage = "$Lang::tr{'source port overlaps'} $p1"; +# } +# } + if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range + unless (&checkportinc($p2,$p1)) { + $errormessage = "$Lang::tr{'srcprt within existing'} $p1"; + } + } + $prtrange1 = 1; + if (! 
m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range + unless (&checkportinc($p1,$p2)) { + $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2"; + } + } + return; +} + +# Darren Critchley - certain ports are reserved for IPFire +# TCP 67,68,81,222,445 +# UDP 67,68 +# Params passed in -> port, rangeyn, protocol +sub disallowreserved +{ + # port 67 and 68 same for tcp and udp, don't bother putting in an array + my $msg = ""; + my @tcp_reserved = (81,222,445); + my $prt = $_[0]; # the port or range + my $ryn = $_[1]; # tells us whether or not it is a port range + my $prot = $_[2]; # protocol + my $srcdst = $_[3]; # source or destination + if ($ryn) { # disect port range + if ($srcdst eq "src") { + $msg = "$Lang::tr{'rsvd src port overlap'}"; + } else { + $msg = "$Lang::tr{'rsvd dst port overlap'}"; + } + my @tmprng = split(/\:/,$prt); + unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } + unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } + } + } + } else { + if ($srcdst eq "src") { + $msg = "$Lang::tr{'reserved src port'}"; + } else { + $msg = "$Lang::tr{'reserved dst port'}"; + } + if ($prt == 67) { $errormessage="$msg 67"; return; } + if ($prt == 68) { $errormessage="$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + if ($prange == $prt) { $errormessage="$msg $prange"; return; } + } + } + } + return; +} + +sub writeserverconf { + my %sovpnsettings = (); + &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings); + + open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!"; + flock CONF, 2; + print CONF "#OpenVPN Server conf\n"; + print CONF "\n"; + print CONF "daemon openvpnserver\n"; + print CONF "writepid 
/var/run/openvpn.pid\n"; + print CONF "#DAN prepare OpenVPN for listening on blue and orange\n"; + print CONF ";local $sovpnsettings{'VPN_IP'}\n"; + print CONF "dev $sovpnsettings{'DDEVICE'}\n"; + print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; + print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; + print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; + print CONF "script-security 3 system\n"; + print CONF "tls-server\n"; + print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n"; + print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n"; + print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n"; + print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n"; + my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); + print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; + print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; + if ($sovpnsettings{CLIENT2CLIENT} eq 'on') { + print CONF "client-to-client\n"; + } + if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { + print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; + } + print CONF "status-version 1\n"; + print CONF "status /var/log/ovpnserver.log 30\n"; + print CONF "cipher $sovpnsettings{DCIPHER}\n"; + if ($sovpnsettings{DCOMPLZO} eq 'on') { + print CONF "comp-lzo\n"; + } + if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') { + print CONF "push \"redirect-gateway def1\"\n"; + } + if ($sovpnsettings{DHCP_DOMAIN} ne '') { + print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n"; + } + + if ($sovpnsettings{DHCP_DNS} ne '') { + print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n"; + } + + if ($sovpnsettings{DHCP_WINS} ne '') { + print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n"; + } + + if ($sovpnsettings{DHCP_WINS} eq '') { + print CONF "max-clients 100\n"; + } + + if ($sovpnsettings{DHCP_WINS} ne '') { + print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n"; + } + 
print CONF "tls-verify /var/ipfire/ovpn/verify\n"; + print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n"; + print CONF "user nobody\n"; + print CONF "group nobody\n"; + print CONF "persist-key\n"; + print CONF "persist-tun\n"; + if ($sovpnsettings{LOG_VERB} ne '') { + print CONF "verb $sovpnsettings{LOG_VERB}\n"; + } else { + print CONF "verb 3\n"; + } + print CONF "\n"; + + close(CONF); +} +# +sub emptyserverlog{ + if (open(FILE, ">/var/log/ovpnserver.log")) { + flock FILE, 2; + print FILE ""; + close FILE; + } + +} + +#hier die refresh page +if ( -e "${General::swroot}/ovpn/gencanow") { + my $refresh = ''; + $refresh = ""; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh); + &Header::openbigbox('100%', 'center'); + &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); + print "\n\n"; + print "Please be patient this realy can take some time on older hardware...\n"; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0); +} +##hier die refresh page + ### ### OpenVPN Server Control 
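Review bot: `newcleanssldatabase` opens `">${General::swroot}(ovpn/certs/serial"` — a `(` where the `/` belongs — so the serial file is never recreated, and because the open is unchecked the following `print FILE "01"` goes to a handle that was never opened; the next test, `-s ">${General::swroot}/ovpn/certs/index.txt"`, includes the `>` in the filename, so it is always false and index.txt is unconditionally touched. Those two lines should read `open(FILE, ">${General::swroot}/ovpn/certs/serial")` and `if (! -s "${General::swroot}/ovpn/certs/index.txt")`. In `writeserverconf` the `max-clients` directive is keyed on `DHCP_WINS` instead of `MAX_CLIENTS`, so the configured limit is silently replaced by 100 whenever no WINS server is set; `print CONF "max-clients " . ($sovpnsettings{MAX_CLIENTS} ne '' ? $sovpnsettings{MAX_CLIENTS} : 100) . "\n";` expresses the evident intent. `script-security 3 system` grants more than the `tls-verify` script needs: level 2 already permits external scripts, while 3 additionally hands passwords to them through the environment, so `script-security 2` is the safer setting here. The helpers also write with bareword handles and no error checks, so on the CA-reset path a failed write leaves the previous index and serial in place without any message to the admin.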
@@ -73,29 +411,21 @@ $cgiparams{'DCOMPLZO'} = 'off';
 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
 $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} ||
 $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) {
- my $serveractive = `/bin/ps ax|grep server.conf|grep -v grep|awk \'{print \$1}\'`;
 #start openvpn server
 if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){
- &Ovpnfunc::emptyserverlog();
+ &emptyserverlog();
 system('/usr/local/bin/openvpnctrl', '-s');
 }
 #stop openvpn server
 if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){
- if ($serveractive ne ''){
- system('/usr/local/bin/openvpnctrl', '-kn2n', $serveractive);
- }
 system('/usr/local/bin/openvpnctrl', '-k');
- &Ovpnfunc::emptyserverlog();
+ &emptyserverlog();
 }
 #
 #restart openvpn server
 if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){
 #workarund, till SIGHUP also works when running as nobody
- if ($serveractive ne ''){
- system('/usr/local/bin/openvpnctrl', '-kn2n', $serveractive);
- }
- system('/usr/local/bin/openvpnctrl', '-k');
- &Ovpnfunc::emptyserverlog();
- system('/usr/local/bin/openvpnctrl', '-s');
+ system('/usr/local/bin/openvpnctrl', '-r');
+ &emptyserverlog();
 }
 }
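Review bot: In the restart branch `&emptyserverlog()` now runs after `openvpnctrl -r`, so the status log is truncated after the new daemon is already up, whereas the start branch truncates before `-s` and the replaced code emptied the log between kill and start. Swapping the two lines, `&emptyserverlog(); system('/usr/local/bin/openvpnctrl', '-r');`, keeps restart consistent with start and avoids wiping the first status write of the new process. Replacing the `ps ax|grep server.conf` pid harvesting, whose unvalidated output was passed to `-kn2n`, with the control script is the right direction and needs no further change.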
@@ -117,32 +447,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
- #additional push route
- $vpnsettings{'AD_ROUTE1'} = $cgiparams{'AD_ROUTE1'};
- $vpnsettings{'AD_ROUTE2'} = $cgiparams{'AD_ROUTE2'};
- $vpnsettings{'AD_ROUTE3'} = $cgiparams{'AD_ROUTE3'};
- #additional push route
-
- #################################################################################
- # Added by Philipp Jenni #
- # #
- # Contact: philipp.jenni-at-gmx.ch #
- # Date: 2006-04-22 #
- # Description: Add the FAST-IO Parameter from OpenVPN to the Zerina Config #
- # Add the NICE Parameter from OpenVPN to the Zerina Config #
- # Add the MTU-DISC Parameter from OpenVPN to the Zerina Config #
- # Add the MSSFIX Parameter from OpenVPN to the Zerina Config #
- # Add the FRAMGMENT Parameter from OpenVPN to the Zerina Config #
- #################################################################################
- $vpnsettings{'EXTENDED_FASTIO'} = $cgiparams{'EXTENDED_FASTIO'};
- $vpnsettings{'EXTENDED_NICE'} = $cgiparams{'EXTENDED_NICE'};
- $vpnsettings{'EXTENDED_MTUDISC'} = $cgiparams{'EXTENDED_MTUDISC'};
- $vpnsettings{'EXTENDED_MSSFIX'} = $cgiparams{'EXTENDED_MSSFIX'};
- $vpnsettings{'EXTENDED_FRAGMENT'} = $cgiparams{'EXTENDED_FRAGMENT'};
- #################################################################################
- # End of Inserted Data #
- #################################################################################
-
 if ($cgiparams{'DHCP_DOMAIN'} ne ''){
 unless (&General::validfqdn($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
@@ -162,25 +466,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 goto ADV_ERROR;
 }
 }
- if ($cgiparams{'AD_ROUTE1'} ne ''){
- if (! &General::validipandmask($cgiparams{'AD_ROUTE1'})) {
- $errormessage = $Lang::tr{'route subnet is invalid'};
- goto ADV_ERROR;
- }
- }
- if ($cgiparams{'AD_ROUTE2'} ne ''){
- if (! &General::validipandmask($cgiparams{'AD_ROUTE2'})) {
- $errormessage = $Lang::tr{'route subnet is invalid'};
- goto ADV_ERROR;
- }
- }
- if ($cgiparams{'AD_ROUTE3'} ne ''){
- if (! &General::validipandmask($cgiparams{'AD_ROUTE3'})) {
- $errormessage = $Lang::tr{'route subnet is invalid'};
- goto ADV_ERROR;
- }
- }
-
 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) {
 $errormessage = $Lang::tr{'invalid input for max clients'};
 goto ADV_ERROR;
@@ -203,47 +488,81 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { } &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); - &Ovpnfunc::writeserverconf();#hier ok + &writeserverconf();#hier ok } + + + ### ### Save main settings ### if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too, #DAN this value has to leave. if ($cgiparams{'ENABLED'} eq 'on'){ unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) { $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SETTINGS_ERROR; + goto SETTINGS_ERROR; } } if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); + &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); } if ($errormessage) { goto SETTINGS_ERROR; } if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); + &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); } if ($errormessage) { goto SETTINGS_ERROR; } if (! 
&General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { - $errormessage = $Lang::tr{'ovpn subnet is invalid'}; - goto SETTINGS_ERROR; - } - my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'DOVPN_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #plausi1 - $errormessage = &Ovpnfunc::ovelapplausi($tmpovpnsubnet[0],$tmpovpnsubnet[1]); - #plausi1 + $errormessage = $Lang::tr{'ovpn subnet is invalid'}; + goto SETTINGS_ERROR; + } + my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'}); + + if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}"; + goto SETTINGS_ERROR; + } + open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; + while () + { + chomp($_); + my @tempalias = split(/\,/,$_); + if ($tempalias[1] eq 'on') { + if (&General::IpInSubnet ($tempalias[0] , + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]"; + } + } + } + close(ALIASES); if ($errormessage ne ''){ - goto SETTINGS_ERROR; + goto 
SETTINGS_ERROR; } if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; @@ -255,17 +574,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg } unless (&General::validport($cgiparams{'DDEST_PORT'})) { - $errormessage = $Lang::tr{'invalid port'}; - goto SETTINGS_ERROR; + $errormessage = $Lang::tr{'invalid port'}; + goto SETTINGS_ERROR; } - #hhh - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($confighash{$dkey}[14] eq $cgiparams{'DPROTOCOL'} && $confighash{$dkey}[15] eq $cgiparams{'DDEST_PORT'}){ - $errormessage = "Choosed Protocol/Port combination is already used by connection: $confighash{$dkey}[1]"; - goto SETTINGS_ERROR; - } - } - #hhh $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -278,9 +589,14 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; +#wrtie enable + + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");} + if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");} #new settings for daemon &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); - &Ovpnfunc::writeserverconf();#hier ok + &writeserverconf();#hier ok SETTINGS_ERROR: ### ### Reset all step 2 
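Review bot: The subnet handling drops the `cidrormask()` call but still splits `DOVPN_SUBNET` on `/` and passes `$tmpovpnsubnet[1]` straight to `IpInSubnet` and, through `writeserverconf`, into the `server` directive; the removed `#convert from cidr` comment indicates that `validipandmask` accepts a prefix length, and in that case the server config would read `server 10.x.x.0 24`, which OpenVPN rejects, so either normalise to a dotted mask before use or reject prefix notation with a clear `$errormessage`. The BLUE and ORANGE overlap checks run unconditionally, so on a GREEN/RED-only box `IpInSubnet` is invoked with an empty `$netsettings{'BLUE_ADDRESS'}`, whose result is not defined here; wrapping them in the `&haveBlueNet()` / `&haveOrangeNet()` helpers this commit introduces avoids relying on that. `open(ALIASES, ...) or die` turns a missing aliases file into a bare server error for the admin, whereas setting `$errormessage` and `goto SETTINGS_ERROR` matches how every other failure in this block is reported.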
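Review bot: The three new `system("touch ... 2>/dev/null")` / `system("unlink ... 2>/dev/null")` lines spawn a shell for work Perl does natively and discard every failure, so an unwritable `${General::swroot}/ovpn` leaves the enable flag files out of step with the settings that were just written and nothing tells the admin. Creating the flag with `open(my $fh, '>', "${General::swroot}/ovpn/enable") and close($fh)` and removing it with `unlink("${General::swroot}/ovpn/enable")` (same for `enable_blue` and `enable_orange`) avoids the shell and gives a return value that can be folded into `$errormessage`. The `#wrtie enable` comment should read `#write enable`.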
@@ -290,25 +606,26 @@ SETTINGS_ERROR:
 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 foreach my $key (keys %confighash) {
- if ($confighash{$key}[4] eq 'cert') {
- delete $confighash{$cgiparams{'$key'}};
- }
+ if ($confighash{$key}[4] eq 'cert') {
+ delete $confighash{$cgiparams{'$key'}};
+ }
 }
 while ($file = glob("${General::swroot}/ovpn/ca/*")) {
- unlink $file
+ unlink $file
 }
 while ($file = glob("${General::swroot}/ovpn/certs/*")) {
- unlink $file
+ unlink $file
 }
 while ($file = glob("${General::swroot}/ovpn/crls/*")) {
- unlink $file
+ unlink $file
 }
- &Ovpnfunc::cleanssldatabase();
+ &cleanssldatabase();
 if (open(FILE, ">${General::swroot}/ovpn/caconfig")) {
 print FILE "";
 close FILE;
 }
 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
+ #&writeserverconf();
 ###
 ### Reset all step 1
 ###
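Review bot: The re-indented `delete $confighash{$cgiparams{'$key'}};` keeps a latent bug: `'$key'` is single-quoted, so the lookup is for a CGI parameter literally named `$key`, which is undef, and the certificate-based entries the loop is meant to drop survive the reset and are written back by `writehasharray` while their certificate files are unlinked underneath them. The line should be `delete $confighash{$key};` (deleting from the hash while iterating `keys %confighash` is safe, since `keys` returns a snapshot). The `unlink $file` loops ignore failures, so a key that could not be removed from `certs/` stays on disk after the UI reports the CA as reset; collecting failed paths into `$errormessage` would make that visible.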
@@ -355,34 +672,34 @@ END # Check if there is no other entry with this name foreach my $key (keys %cahash) { - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { - $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; - goto UPLOADCA_ERROR; - } + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { + $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; + goto UPLOADCA_ERROR; + } } if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; } # Move uploaded ca to a temporary file (my $fh, my $filename) = tempfile( ); if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; + $errormessage = $!; + goto UPLOADCA_ERROR; } my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - unlink ($filename); - goto UPLOADCA_ERROR; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + unlink ($filename); + goto UPLOADCA_ERROR; } else { - move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } + move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } } my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`; 
@@ -396,13 +713,33 @@ END $cahash{$key}[0] = $cgiparams{'CA_NAME'}; $cahash{$key}[1] = $casubject; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); +# system('/usr/local/bin/ipsecctrl', 'R'); + UPLOADCA_ERROR: ### ### Display ca certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { - &Ovpnfunc::displayca($cgiparams{'KEY'}); + &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); + + if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', $errormessage); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } + ### ### Download ca certificate ### @@ -429,15 +766,22 @@ END foreach my $key (keys %confighash) { my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; if ($test =~ /: OK/) { + # Delete connection +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $key); +# } unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem"); unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12"); delete $confighash{$key}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); +# &writeipsecfiles(); } } unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); +# system('/usr/local/bin/ipsecctrl', 'R'); } else { $errormessage = $Lang::tr{'invalid key'}; } 
@@ -489,8 +833,27 @@ END ### ### Display root certificate ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - &Ovpnfunc::displayroothost($cgiparams{'ACTION'}); +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || + $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { + my $output; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { + &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + } else { + &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + } + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + ### ### Download root certificate ### @@ -799,11 +1162,11 @@ END unlink ("${General::swroot}/ovpn/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); unlink ("${General::swroot}/ovpn/certs/servercert.pem"); - &Ovpnfunc::newcleanssldatabase(); + &newcleanssldatabase(); goto ROOTCERT_ERROR; } else { unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); - &Ovpnfunc::deletebackupcert(); + &deletebackupcert(); } # Create an empty CRL @@ -816,8 +1179,10 @@ END unlink ("${General::swroot}/ovpn/certs/servercert.pem"); unlink ("${General::swroot}/ovpn/ca/cacert.pem"); unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); - &Ovpnfunc::cleanssldatabase(); + &cleanssldatabase(); goto ROOTCERT_ERROR; +# } else { +# &cleanssldatabase(); } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', @@ -830,8 +1195,10 @@ END unlink ("${General::swroot}/ovpn/ca/cacert.pem"); unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - &Ovpnfunc::cleanssldatabase(); + &cleanssldatabase(); goto ROOTCERT_ERROR; +# } else { +# &cleanssldatabase(); } goto ROOTCERT_SUCCESS; } 
@@ -916,33 +1283,40 @@ END ROOTCERT_SUCCESS: system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem"); +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLE_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S'); +# } ### ### Enable/Disable connection ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { + + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ($confighash{$cgiparams{'KEY'}}) { - my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1].conf|grep -v grep|awk \'{print \$1}\'`; - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { - $confighash{$cgiparams{'KEY'}}[0] = 'on'; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($n2nactive eq ''){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } else { - system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive); - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } - } else { - $confighash{$cgiparams{'KEY'}}[0] = 'off'; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive); - } - } - } else { - $errormessage = $Lang::tr{'invalid key'}; + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); +# } + } else { + $confighash{$cgiparams{'KEY'}}[0] = 'off'; +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } + 
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); } + } else { + $errormessage = $Lang::tr{'invalid key'}; + } ### ### Download OpenVPN client package @@ -957,12 +1331,6 @@ END my $zippath = "$tempdir/"; my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip"; my $zippathname = "$zippath$zipname"; - #anna - if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - $zerinaclient = 'true'; - &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient); - exit(0); - } $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn"; open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!"; flock CLIENTCONF, 2; 
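Review bot: The toggle now only flips field `[0]` in ovpnconfig and writes the hash; the calls that previously stopped a running connection are gone and `#&writeserverconf();` is commented out, so disabling a client changes nothing for a session that is already established and, unless `/var/ipfire/ovpn/verify` consults ovpnconfig on each TLS handshake (presumably what `tls-verify` is for, but the script is not in this diff), nothing for new connections either. If the verify script is the enforcement point, a comment on the `'off'` branch such as `# enforced by ovpn/verify at the next handshake; no daemon action needed` would stop the next reader from re-adding kill logic; if it is not, the disable path needs to terminate the active session or add the certificate to the CRL. The `# system('/usr/local/bin/ipsecctrl', ...)` blocks carried over from the IPsec CGI are dead code in the OpenVPN page and are better removed than kept commented.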
@@ -977,33 +1345,33 @@ END print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; - if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&Ovpnfunc::haveBlueNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n"; - print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; - print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&Ovpnfunc::haveBlueNet())){ - print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; - print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n"; + print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + } + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; + print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} 
$vpnsettings{'DDEST_PORT'}\r\n"; + } + } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ + print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; + print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + } + } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; } else { - print CLIENTCONF "ca cacert.pem\r\n"; - print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; - print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; - $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; + print CLIENTCONF "ca cacert.pem\r\n"; + print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; + print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; 
+ $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; if ($vpnsettings{DCOMPLZO} eq 'on') { @@ -1011,6 +1379,7 @@ END } print CLIENTCONF "verb 3\r\n"; print CLIENTCONF "ns-cert-type server\r\n"; + print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n"; close(CLIENTCONF); $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; my $status = $zip->writeToFileNamed($zippathname); 
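Review bot: The new `tls-remote $vpnsettings{ROOTCERT_HOSTNAME}` line is written unquoted and unconditionally, so an empty setting yields a bare `tls-remote` and a value containing a space splits into two arguments; either way the generated client config fails to parse, and a blank value gives no server-name pinning at all. Check and quote it: `die "ROOTCERT_HOSTNAME is not set" if $vpnsettings{ROOTCERT_HOSTNAME} eq '';` followed by `print CLIENTCONF "tls-remote \"$vpnsettings{ROOTCERT_HOSTNAME}\"\r\n";` (the file already uses `die` for the tempfile open). Note also that `tls-remote` treats the name as a common-name prefix per the OpenVPN 2.x manual and, like `ns-cert-type server` on the line above, has been removed from current OpenVPN releases in favour of `verify-x509-name <name> name` and `remote-cert-tls server`, so clients on those versions will reject this file.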
@@ -1028,24 +1397,22 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { - if ($confighash{$cgiparams{'KEY'}}[19] eq 'yes') { - &Ovpnfunc::killconnection($cgiparams{'KEY'}); - &Ovpnfunc::removenet2netconf($cgiparams{'KEY'}); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - } else { - my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - &Ovpnfunc::killconnection($cgiparams{'KEY'}); - &Ovpnfunc::removenet2netconf($cgiparams{'KEY'}); - delete $confighash{$cgiparams{'KEY'}}; - my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - } + + if ($confighash{$cgiparams{'KEY'}}) { +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } +# + my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + 
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } ### ### Download PKCS12 file @@ -1065,36 +1432,38 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
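Review bot: The exit status of `openssl ca -revoke` and `openssl ca -gencrl` is never checked (`$temp`/`$temp2` are unused and `$?` is ignored), yet the certificate files are unlinked and the entry deleted regardless, so a failed revocation leaves a certificate that the server still accepts while the UI shows the connection as gone. Revoke and regenerate the CRL first, and only remove the files and the config entry when both succeeded; using list-form `system` also keeps the connection name out of a shell, which the backticks currently do not (the name is validated as `^[a-zA-Z0-9]+$` on save in a later hunk, so this is defence in depth rather than a live injection). The rewritten branch below keeps the `invalid key` path unchanged.
```perl
if ($confighash{$cgiparams{'KEY'}}) {
    my $name = $confighash{$cgiparams{'KEY'}}[1];
    my $cnf  = "${General::swroot}/ovpn/openssl/ovpn.cnf";
    # Revoke first and stop on failure: deleting the entry without a CRL
    # update would leave a certificate the server still accepts.
    system('/usr/bin/openssl', 'ca', '-revoke',
           "${General::swroot}/ovpn/certs/${name}cert.pem", '-config', $cnf);
    if ($? != 0) {
        $errormessage = "openssl ca -revoke failed for $name; connection not removed";
    } else {
        system('/usr/bin/openssl', 'ca', '-gencrl',
               '-out', "${General::swroot}/ovpn/crls/cacrl.pem", '-config', $cnf);
        if ($? != 0) {
            $errormessage = "openssl ca -gencrl failed for $name; connection not removed";
        } else {
            unlink("${General::swroot}/ovpn/certs/${name}cert.pem");
            unlink("${General::swroot}/ovpn/certs/${name}.p12");
            delete $confighash{$cgiparams{'KEY'}};
            &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
        }
    }
} else {
    $errormessage = $Lang::tr{'invalid key'};
}
```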
$output
\n"; - &Header::closebox(); - print "
$Lang::tr{'back'}
"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } ### ### Display Certificate Revoke List ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { +# &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print "
$Lang::tr{'back'}
"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); + my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } ### @@ -1107,23 +1476,23 @@ END %confighash = (); &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); +# if ($cgiparams{'CLIENT2CLIENT'} eq '') { +# $cgiparams{'CLIENT2CLIENT'} = 'on'; +# } ADV_ERROR: if ($cgiparams{'MAX_CLIENTS'} eq '') { - $cgiparams{'MAX_CLIENTS'} = '100'; + $cgiparams{'MAX_CLIENTS'} = '100'; } if ($cgiparams{'KEEPALIVE_1'} eq '') { - $cgiparams{'KEEPALIVE_1'} = '10'; + $cgiparams{'KEEPALIVE_1'} = '10'; } if ($cgiparams{'KEEPALIVE_2'} eq '') { - $cgiparams{'KEEPALIVE_2'} = '60'; + $cgiparams{'KEEPALIVE_2'} = '60'; } if ($cgiparams{'LOG_VERB'} eq '') { - $cgiparams{'LOG_VERB'} = '3'; + $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'EXTENDED_NICE'} eq '') { - $cgiparams{'EXTENDED_NICE'} = '0'; - } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; 
@@ -1143,44 +1512,15 @@ ADV_ERROR: $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - - ################################################################################# - # Added by Philipp Jenni # - # # - # Contact: philipp.jenni-at-gmx.ch # - # Date: 2006-04-22 # - # Description: Definitions to set the FASTIO Checkbox # - # Definitions to set the MTUDISC Checkbox # - # Definitions to set the NICE Selectionbox # - ################################################################################# - $checked{'EXTENDED_FASTIO'}{'off'} = ''; - $checked{'EXTENDED_FASTIO'}{'on'} = ''; - $checked{'EXTENDED_FASTIO'}{$cgiparams{'EXTENDED_FASTIO'}} = 'CHECKED'; - $checked{'EXTENDED_MTUDISC'}{'off'} = ''; - $checked{'EXTENDED_MTUDISC'}{'on'} = ''; - $checked{'EXTENDED_MTUDISC'}{$cgiparams{'EXTENDED_MTUDISC'}} = 'CHECKED'; - $selected{'EXTENDED_NICE'}{'-13'} = ''; - $selected{'EXTENDED_NICE'}{'-10'} = ''; - $selected{'EXTENDED_NICE'}{'-7'} = ''; - $selected{'EXTENDED_NICE'}{'-3'} = ''; - $selected{'EXTENDED_NICE'}{'0'} = ''; - $selected{'EXTENDED_NICE'}{'3'} = ''; - $selected{'EXTENDED_NICE'}{'7'} = ''; - $selected{'EXTENDED_NICE'}{'10'} = ''; - $selected{'EXTENDED_NICE'}{'13'} = ''; - $selected{'EXTENDED_NICE'}{$cgiparams{'EXTENDED_NICE'}} = 'SELECTED'; - ################################################################################# - # End of inserted Data # - ################################################################################# &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); if ($errormessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); + &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); } &Header::openbox('100%', 'LEFT', 
$Lang::tr{'advanced server'}); print <
- - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'add-route'}
$Lang::tr{'subnet'} 1
$Lang::tr{'subnet'} 2
$Lang::tr{'subnet'} 3
-
- @@ -1252,71 +1569,6 @@ ADV_ERROR: - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'misc-options'}
$Lang::tr{'ovpn_processprio'} - -
$Lang::tr{'ovpn_fastio'} - -
$Lang::tr{'ovpn_mtudisc'} - -
$Lang::tr{'ovpn_mssfix'} - -
$Lang::tr{'ovpn_fragment'} - -

@@ -1339,23 +1591,7 @@ ADV_ERROR: - - - - - +

@@ -1371,6 +1607,7 @@ END ; &Header::closebox(); +# print ""; &Header::closebigbox(); &Header::closepage(); exit(0); @@ -1419,6 +1656,7 @@ END @match = split( /^Updated,(.+)/, $line); $status = $match[1]; } +#gian if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); if ($match[1] ne "Common Name") { @@ -1426,8 +1664,8 @@ END $userlookup{$match[2]} = $uid; $users[$uid]{'CommonName'} = $match[1]; $users[$uid]{'RealAddress'} = $match[2]; - $users[$uid]{'BytesReceived'} = &Ovpnfunc::sizeformat($match[3]); - $users[$uid]{'BytesSent'} = &Ovpnfunc::sizeformat($match[4]); + $users[$uid]{'BytesReceived'} = &sizeformat($match[3]); + $users[$uid]{'BytesSent'} = &sizeformat($match[4]); $users[$uid]{'Since'} = $match[5]; $users[$uid]{'Proto'} = $proto; $uid++; @@ -1448,9 +1686,9 @@ END if ($user2 >= 1){ for (my $idx = 1; $idx <= $user2; $idx++){ if ($idx % 2) { - print "\n"; + print "\n"; } else { - print "\n"; + print "\n"; } print ""; print ""; 
@@ -1485,11 +1723,42 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) { &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; - print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - exit (0); + print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; + print "Content-Type: application/octet-stream\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + exit (0); + } + +### +### Enable/Disable connection +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { + + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); +# } + } else { + $confighash{$cgiparams{'KEY'}}[0] = 'off'; +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); + } + } else { + $errormessage = $Lang::tr{'invalid key'}; } ### 
@@ -1500,30 +1769,53 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}) { +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); +# } } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } ### -### Choose between adding a host-net or net-net connection +### Remove connection ### -} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &Header::showhttpheaders(); +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + if ($confighash{$cgiparams{'KEY'}}) { +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } +#test33 + +### +### Choose between adding a host-net or net-net connection +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') { + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'}); print <$Lang::tr{'connection type'}:
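Review bot: The `} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})` branch added here is a second copy of the handler added earlier in this patch at new line 1283 with the identical condition. Assuming both sit in the same if/elsif chain, which the surrounding `} elsif (` lines suggest, only the first match ever runs, so this copy is unreachable and will silently drift from the live one as fixes land in either. Drop the duplicate rather than maintain two enable/disable paths; if it is meant to differ (for example to drive the OpenVPN controller), the distinguishing condition must come first in the chain.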
-
$users[$idx-1]{'CommonName'}$users[$idx-1]{'RealAddress'}
+
- + - - - - +
$Lang::tr{'host to net vpn'}
$Lang::tr{'net to net vpn'}
upload a ZERINA Net-to-Net package
END ; 
@@ -1531,226 +1823,6 @@ END &Header::closebigbox(); &Header::closepage(); exit (0); - -### -### uploading a ZERINA n2n connection package -### -} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - my @zerinaconf; - my @confdetails; - my $uplconffilename =''; - my $uplp12name = ''; - my $complzoactive =''; - my @rem_subnet; - my @rem_subnet2; - my @tmposupnet3; - my $key; - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -# Move uploaded ZERINA n2n package to a temporary file - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto ZERINA_ERROR; - } - # Move uploaded ca to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto ZERINA_ERROR; - } - - my $zip = Archive::Zip->new(); - my $zipName = $filename; - my $status = $zip->read( $zipName ); - if ($status != AZ_OK) { - $errormessage = "Read of $zipName failed\n"; - goto ZERINA_ERROR; - } - #my $tempdir = tempdir( CLEANUP => 1 ); - my $tempdir = tempdir(); - my @files = $zip->memberNames(); - for(@files) { - $zip->extractMemberWithoutPaths($_,"$tempdir/$_"); - } - my $countfiles = @files; - # see if we have 2 files - if ( $countfiles == 2){ - foreach (@files){ - if ( $_ =~ /.conf$/){ - $uplconffilename = $_; - } - if ( $_ =~ /.p12$/){ - $uplp12name = $_; - } - } - if (($uplconffilename eq '') || ($uplp12name eq '')){ - $errormessage = "Either no *.conf or no *.p12 file found\n"; - goto ZERINA_ERROR; - } - open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file'; - @zerinaconf = ; - close (FILE); - chomp(@zerinaconf); - } else { - # only 2 files are allowed - $errormessage = "Filecount does not match only 2 files are allowed\n"; - goto ZERINA_ERROR; - } - #prepare imported data not elegant, will be changed later - my $ufuk = (@zerinaconf); - push(@confdetails, substr($zerinaconf[0],4));#dev tun 0 - 
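Review bot: The second `} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})` branch in this hunk duplicates the one at new line 1397 but omits the `openssl ca -revoke` and `-gencrl` steps: it only unlinks the cert and p12 and deletes the entry. It is dead code today because the earlier branch matches first, but if the chain is ever reordered or the first copy removed, connections would be deleted while their certificates remain valid to the server. The preceding `if ($confighash{$cgiparams{'KEY'}}) { }` whose body is entirely commented out is likewise a no-op that only sets `invalid key` on the else side. Remove the duplicate branch, the empty conditional and the `#test33` marker so the revoking path is the only removal path.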
push(@confdetails, substr($zerinaconf[1],8));#mtu value 1 - push(@confdetails, substr($zerinaconf[2],6));#protocol 2 - push(@confdetails, substr($zerinaconf[3],5));#port 3 - push(@confdetails, substr($zerinaconf[4],9));#ovpn subnet 4 - push(@confdetails, substr($zerinaconf[5],7));#remote ip 5 - push(@confdetails, $zerinaconf[6]); #tls-server/tls-client 6 - push(@confdetails, substr($zerinaconf[7],7));#pkcs12 name 7 - push(@confdetails, substr($zerinaconf[$ufuk-1],1));#remote subnet 8 - push(@confdetails, substr($zerinaconf[9],10));#keepalive 9 - push(@confdetails, substr($zerinaconf[10],7));#cipher 10 - if ($ufuk == 14) { - push(@confdetails, $zerinaconf[$ufuk-3]);#complzo 11 - $complzoactive = "on"; - } else { - $complzoactive = "off"; - } - push(@confdetails, substr($zerinaconf[$ufuk-2],5));#verb 12 - push(@confdetails, substr($zerinaconf[8],6));#localsubnet 13 - #push(@confdetails, substr($uplconffilename,0,-5));#connection Name 14 - push(@confdetails, substr($uplp12name,0,-4));#connection Name 14 - #chomp(@confdetails); - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($confighash{$dkey}[1] eq $confdetails[$ufuk]) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto ZERINA_ERROR; - } - } - if ($confdetails[$ufuk] eq 'server') { - $errormessage = $Lang::tr{'server reserved'}; - goto ZERINA_ERROR; - } - @rem_subnet2 = split(/ /,$confdetails[4]); - @tmposupnet3 = split /\./,$rem_subnet2[0]; - $errormessage = &Ovpnfunc::ovelapplausi("$tmposupnet3[0].$tmposupnet3[1].$tmposupnet3[2].0","255.255.255.0"); - if ($errormessage ne ''){ - goto ZERINA_ERROR; - } - - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 
42) { $confighash{$key}[$i] = "";} - $confighash{$key}[0] = 'off'; - $confighash{$key}[1] = $confdetails[$ufuk]; - #$confighash{$key}[2] = $confdetails[7]; - $confighash{$key}[2] = $confdetails[$ufuk]; - $confighash{$key}[3] = 'net'; - $confighash{$key}[4] = 'cert'; - $confighash{$key}[6] = 'client'; - $confighash{$key}[8] = $confdetails[8]; - @rem_subnet = split(/ /,$confdetails[$ufuk-1]); - $confighash{$key}[11] = "$rem_subnet[0]/$rem_subnet[1]"; - $confighash{$key}[10] = $confdetails[5]; - $confighash{$key}[25] = 'imported'; - $confighash{$key}[12] = 'red'; - my @tmposupnet = split(/ /,$confdetails[4]); - my @tmposupnet2 = split /\./,$tmposupnet[0]; - $confighash{$key}[13] = "$tmposupnet2[0].$tmposupnet2[1].$tmposupnet2[2].0/255.255.255.0"; - $confighash{$key}[14] = $confdetails[2]; - $confighash{$key}[15] = $confdetails[3]; - $confighash{$key}[16] = $complzoactive; - $confighash{$key}[17] = $confdetails[1]; - $confighash{$key}[18] = '';# nn2nvpn_ip - $confighash{$key}[19] = 'yes';# nn2nvpn_ip - $cgiparams{'KEY'} = $key; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - mkdir("${General::swroot}/ovpn/n2nconf/$confdetails[14]", 0770); - move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$confdetails[14]/$uplconffilename"); - if ($? ne 0) { - $errormessage = "*.conf move failed: $!"; - unlink ($filename); - goto ZERINA_ERROR; - } - move("$tempdir/$uplp12name", "${General::swroot}/ovpn/n2nconf/$confdetails[14]/$uplp12name"); - if ($? 
ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto ZERINA_ERROR; - } - ZERINA_ERROR: - - &Header::showhttpheaders(); - &Header::openpage('Validate imported configuration', 1, ''); - &Header::openbigbox('100%', 'LEFT', '', $errormessage); - if ($errormessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); - print "$errormessage"; - print " "; - &Header::closebox(); - } else { - &Header::openbox('100%', 'LEFT', 'Validate imported configuration'); - } - if ($errormessage eq ''){ - print < -   -   - $Lang::tr{'name'}: - $confdetails[$ufuk] - $Lang::tr{'Act as'} - $confdetails[6] - $Lang::tr{'remote host/ip'}: - $confdetails[5] - $Lang::tr{'local subnet'} - $confighash{$key}[8] - $Lang::tr{'remote subnet'} - $confighash{$key}[11] - $Lang::tr{'ovpn subnet'} - $confighash{$key}[$ufuk-1] - $Lang::tr{'protocol'} - $confdetails[2] - $Lang::tr{'destination port'}: - $confdetails[3] - $Lang::tr{'comp-lzo'} - $complzoactive - $Lang::tr{'cipher'} - $confdetails[10] - $Lang::tr{'MTU'}  - $confdetails[1] -END -; - - &Header::closebox(); - } - if ($errormessage) { - print ""; - } else { - print "
"; - print ""; - print ""; - print "
"; - } - &Header::closebigbox(); - &Header::closepage(); - exit(0); - -### -### Approve Zerina n2n -### -} elsif (($cgiparams{'ACTION'} eq 'Approved') && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient); -### -### Discard Zerina n2n -### -} elsif (($cgiparams{'ACTION'} eq 'Discard') && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}) { - &Ovpnfunc::removenet2netconf(); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } ### ### Adding a new connection ### 
@@ -1763,498 +1835,431 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - if (! $confighash{$cgiparams{'KEY'}}[0]) { - $errormessage = $Lang::tr{'invalid key'}; - goto VPNCONF_END; - } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; - $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[12]; - $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[13];#new fields - $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[14]; - $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[15]; - $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'N2NVPN_IP'} = $confighash{$cgiparams{'KEY'}}[18];#new fields - $cgiparams{'ZERINA_CLIENT'} = $confighash{$cgiparams{'KEY'}}[19];#new fields - $cgiparams{'CIPHER'} = $confighash{$cgiparams{'KEY'}}[20];#new fields - if ($cgiparams{'ZERINA_CLIENT'} eq ''){ - $cgiparams{'ZERINA_CLIENT'} = 'no'; - } - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {#ab hiere error uebernehmen - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - # n2n error - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { - $errormessage = $Lang::tr{'connection type is invalid'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto 
VPNCONF_ERROR; - } - if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault|server)$/) { - $errormessage = $Lang::tr{'name is invalid'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - if (! $cgiparams{'KEY'}) {# Check if there is no other entry with this name - foreach my $key (keys %confighash) { - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto VPNCONF_ERROR; - } - } - } - if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'REMOTE'}) { - if (! &General::validip($cgiparams{'REMOTE'})) { - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } else { - if (&Ovpnfunc::valid_dns_host($cgiparams{'REMOTE'})) { - $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. 
$Lang::tr{'dns check failed'}"; - } - } - } - } - if ($cgiparams{'TYPE'} ne 'host') { - unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { - $errormessage = $Lang::tr{'local subnet is invalid'}; - goto VPNCONF_ERROR; - } - } - #hier1 - my @tmpovpnsubnet = split("\/",$cgiparams{'LOCAL_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'LOCAL_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier1 - if ($cgiparams{'REMOTE'} eq '') {# Check if there is no other entry without IP-address and PSK - foreach my $key (keys %confighash) { - if(($cgiparams{'KEY'} ne $key) && ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && $confighash{$key}[10] eq '') { - $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; - goto VPNCONF_ERROR; - } - } - } - if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { - $errormessage = $Lang::tr{'remote subnet is invalid'}; - goto VPNCONF_ERROR; - } - #hier2 - my @tmpovpnsubnet = split("\/",$cgiparams{'REMOTE_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'REMOTE_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier2 - if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dest"); - } - if ($errormessage) { goto VPNCONF_ERROR; } - - if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::checkportfw(0,$cgiparams{'DEST_PORT'},$cgiparams{'PROTOCOL'},'0.0.0.0'); - } - if ($errormessage) { goto VPNCONF_ERROR; } -#raul - if ($cgiparams{'TYPE'} eq 'net') { - if (! 
&General::validipandmask($cgiparams{'OVPN_SUBNET'})) { - $errormessage = $Lang::tr{'ovpn subnet is invalid'}; - goto VPNCONF_ERROR; - } - #hier3 - my @tmpovpnsubnet = split("\/",$cgiparams{'OVPN_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'OVPN_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier3 - #plausi2 - $errormessage = &Ovpnfunc::ovelapplausi($tmpovpnsubnet[0],$tmpovpnsubnet[1]); - #plausi2 - if ($errormessage ne ''){ - goto VPNCONF_ERROR; - } - if ((length($cgiparams{'MTU'})==0) || (($cgiparams{'MTU'}) < 1000 )) { - $errormessage = $Lang::tr{'invalid mtu input'}; - goto VPNCONF_ERROR; - } - unless (&General::validport($cgiparams{'DEST_PORT'})) { - $errormessage = $Lang::tr{'invalid port'}; - goto VPNCONF_ERROR; - } - # check protcol/port overlap against existing connections gian - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($dkey ne $cgiparams{'KEY'}) { - if ($confighash{$dkey}[14] eq $cgiparams{'PROTOCOL'} && $confighash{$dkey}[15] eq $cgiparams{'DEST_PORT'}){ - #if ($confighash{$dkey}[14] eq 'on') { - $errormessage = "Choosed Protocol/Port combination is already used by connection: $confighash{$dkey}[1]"; - goto VPNCONF_ERROR; - #} else { - # $warnmessage = "Choosed Protcol/Port combination is used by inactive connection: $confighash{$dkey}[1]"; - #} - } - } - } - #check protcol/port overlap against RWserver gian - if ($vpnsettings{'ENABLED'} eq 'on') { - if ($vpnsettings{'DPROTOCOL'} eq $cgiparams{'PROTOCOL'} && $vpnsettings{'DDEST_PORT'} eq $cgiparams{'DEST_PORT'}){ - $errormessage = "Choosed Protocol/Port combination is already used OpenVPN Roadwarrior Server"; - goto VPNCONF_ERROR; - } - } + if (! 
$confighash{$cgiparams{'KEY'}}[0]) { + $errormessage = $Lang::tr{'invalid key'}; + goto VPNCONF_END; + } + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; +#new fields + $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; +#new fields +#ab hiere error uebernehmen + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { + $errormessage = $Lang::tr{'connection type is invalid'}; + goto VPNCONF_ERROR; + } + + + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { + $errormessage = $Lang::tr{'name is invalid'}; + goto VPNCONF_ERROR; + } + + if (length($cgiparams{'NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + +# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { +# $errormessage = $Lang::tr{'ipfire side is invalid'}; +# goto VPNCONF_ERROR; +# } + + # Check if 
there is no other entry with this name + if (! $cgiparams{'KEY'}) { + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + goto VPNCONF_ERROR; } - if ($cgiparams{'AUTH'} eq 'psk') { - #removed - } elsif ($cgiparams{'AUTH'} eq 'certreq') { - # { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } - (my $fh, my $filename) = tempfile( );# Move uploaded certificate request to a temporary file - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - # Sign the certificate request and move it - # Sign the host certificate request - system('/usr/bin/openssl', 'ca', '-days', '999999', - '-batch', '-notext', - '-in', $filename, - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); - if ($?) 
{ - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ($filename); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - &Ovpnfunc::newcleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($filename); - &Ovpnfunc::deletebackupcert(); - } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $cgiparams{'CERT_NAME'} = $temp; - $cgiparams{'CERT_NAME'} =~ s/,//g; - $cgiparams{'CERT_NAME'} =~ s/\'//g; - if ($cgiparams{'CERT_NAME'} eq '') { - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } - } elsif ($cgiparams{'AUTH'} eq 'certfile') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } - (my $fh, my $filename) = tempfile( );# Move uploaded certificate to a temporary file - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - my $validca = 0;# Verify the certificate has a valid CA and move it - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - } else { - foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - } - } - } - if (! $validca) { - $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; - unlink ($filename); - goto VPNCONF_ERROR; - } else { - move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - if ($? 
ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto VPNCONF_ERROR; - } - } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $cgiparams{'CERT_NAME'} = $temp; - $cgiparams{'CERT_NAME'} =~ s/,//g; - $cgiparams{'CERT_NAME'} =~ s/\'//g; - if ($cgiparams{'CERT_NAME'} eq '') { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } - } elsif ($cgiparams{'AUTH'} eq 'certgen'){ - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_NAME'}) >60) {# Validate input since the form was submitted - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { - $errormessage = $Lang::tr{'invalid input for name'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'CERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){ - if (length($cgiparams{'CERT_PASS1'}) < 5) { - $errormessage = $Lang::tr{'password too short'}; - goto VPNCONF_ERROR; - } - } - if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { - $errormessage = $Lang::tr{'passwords do not match'}; - goto VPNCONF_ERROR; - } - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;# Replace empty strings with a . 
- (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; - (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; - my $pid = open(OPENSSL, "|-");# Create the Host certificate request client - $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;}; - if ($pid) { # parent - print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n"; - print OPENSSL "$state\n"; - print OPENSSL "$city\n"; - print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n"; - print OPENSSL "$ou\n"; - print OPENSSL "$cgiparams{'CERT_NAME'}\n"; - print OPENSSL "$cgiparams{'CERT_EMAIL'}\n"; - print OPENSSL ".\n"; - print OPENSSL ".\n"; - close (OPENSSL); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', - '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { - $errormessage = "$Lang::tr{'cant start openssl'}: $!"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } - # Sign the host certificate request - system('/usr/bin/openssl', 'ca', '-days', '999999', - '-batch', '-notext', - '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); - if ($?) 
{ - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - &Ovpnfunc::newcleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - &Ovpnfunc::deletebackupcert(); - } - # Create the pkcs12 file - system('/usr/bin/openssl', 'pkcs12', '-export', - '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", - '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-name', $cgiparams{'NAME'}, - '-passout', "pass:$cgiparams{'CERT_PASS1'}", - '-certfile', "${General::swroot}/ovpn/ca/cacert.pem", - '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - } - } elsif ($cgiparams{'AUTH'} eq 'cert') { - ;# Nothing, just editing + } + } + + if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'REMOTE'}) { + if (! &General::validip($cgiparams{'REMOTE'})) { + if (! &General::validfqdn ($cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; } else { - $errormessage = $Lang::tr{'invalid input for authentication method'}; - goto VPNCONF_ERROR; + if (&valid_dns_host($cgiparams{'REMOTE'})) { + $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. 
$Lang::tr{'dns check failed'}"; + } } - if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {# Check if there is no other entry with this common name - foreach my $key (keys %confighash) { - if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { - $errormessage = $Lang::tr{'a connection with this common name already exists'}; - goto VPNCONF_ERROR; - } - } + } + } + if ($cgiparams{'TYPE'} ne 'host') { + unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { + $errormessage = $Lang::tr{'local subnet is invalid'}; + goto VPNCONF_ERROR;} + } + # Check if there is no other entry without IP-address and PSK + if ($cgiparams{'REMOTE'} eq '') { + foreach my $key (keys %confighash) { + if(($cgiparams{'KEY'} ne $key) && + ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && + $confighash{$key}[10] eq '') { + $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; + goto VPNCONF_ERROR; } + } + } + if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { + $errormessage = $Lang::tr{'remote subnet is invalid'}; + goto VPNCONF_ERROR; + } - my $key = $cgiparams{'KEY'};# Save the config - if (! $key) { - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";} + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + +#fixplausi + if ($cgiparams{'AUTH'} eq 'psk') { +# if (! 
length($cgiparams{'PSK'}) ) { +# $errormessage = $Lang::tr{'pre-shared key is too short'}; +# goto VPNCONF_ERROR; +# } +# if ($cgiparams{'PSK'} =~ /['",&]/) { +# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; +# goto VPNCONF_ERROR; +# } + } elsif ($cgiparams{'AUTH'} eq 'certreq') { + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } + + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; + } + + # Sign the certificate request and move it + # Sign the host certificate request + system('/usr/bin/openssl', 'ca', '-days', '999999', + '-batch', '-notext', + '-in', $filename, + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + if ($?) 
{ + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ($filename); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + &newcleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($filename); + &deletebackupcert(); + } + + my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $cgiparams{'CERT_NAME'} = $temp; + $cgiparams{'CERT_NAME'} =~ s/,//g; + $cgiparams{'CERT_NAME'} =~ s/\'//g; + if ($cgiparams{'CERT_NAME'} eq '') { + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } + } elsif ($cgiparams{'AUTH'} eq 'certfile') { + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } + # Move uploaded certificate to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; + } + + # Verify the certificate has a valid CA and move it + my $validca = 0; + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + } else { + foreach my $key (keys %cahash) { + $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + } } - $confighash{$key}[0] = $cgiparams{'ENABLED'}; - $confighash{$key}[1] = $cgiparams{'NAME'}; - if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; + } + if (! 
$validca) { + $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; + unlink ($filename); + goto VPNCONF_ERROR; + } else { + move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto VPNCONF_ERROR; } - $confighash{$key}[3] = $cgiparams{'TYPE'}; - if ($cgiparams{'AUTH'} eq 'psk') { - $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; - } else { - $confighash{$key}[4] = 'cert'; + } + + my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $cgiparams{'CERT_NAME'} = $temp; + $cgiparams{'CERT_NAME'} =~ s/,//g; + $cgiparams{'CERT_NAME'} =~ s/\'//g; + if ($cgiparams{'CERT_NAME'} eq '') { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } + } elsif ($cgiparams{'AUTH'} eq 'certgen') { + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + # Validate input since the form was submitted + if (length($cgiparams{'CERT_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + $errormessage = $Lang::tr{'invalid input for name'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'CERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){ + if (length($cgiparams{'CERT_PASS1'}) < 5) { + $errormessage = $Lang::tr{'password too short'}; + goto VPNCONF_ERROR; } - if ($cgiparams{'TYPE'} eq 'net') { - $confighash{$key}[6] = $cgiparams{'SIDE'}; - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; - if ( $cgiparams{'SIDE'} eq 'client') { - $confighash{$key}[19] = 'yes'; - } else{ - $confighash{$key}[19] = 'no'; - } + } + if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { + $errormessage = $Lang::tr{'passwords do not match'}; + goto VPNCONF_ERROR; + } + + # Replace empty strings with a . 
+ (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; + (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; + (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; + + # Create the Host certificate request client + my $pid = open(OPENSSL, "|-"); + $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;}; + if ($pid) { # parent + print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n"; + print OPENSSL "$state\n"; + print OPENSSL "$city\n"; + print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n"; + print OPENSSL "$ou\n"; + print OPENSSL "$cgiparams{'CERT_NAME'}\n"; + print OPENSSL "$cgiparams{'CERT_EMAIL'}\n"; + print OPENSSL ".\n"; + print OPENSSL ".\n"; + close (OPENSSL); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; } - $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; - $confighash{$key}[10] = $cgiparams{'REMOTE'}; - $confighash{$key}[25] = $cgiparams{'REMARK'}; - $confighash{$key}[12] = $cgiparams{'INTERFACE'}; - $confighash{$key}[13] = $cgiparams{'OVPN_SUBNET'};# new fields - $confighash{$key}[14] = $cgiparams{'PROTOCOL'}; - $confighash{$key}[15] = $cgiparams{'DEST_PORT'}; - $confighash{$key}[16] = $cgiparams{'COMPLZO'}; - $confighash{$key}[17] = $cgiparams{'MTU'}; - $confighash{$key}[18] = $cgiparams{'N2NVPN_IP'};# new fileds - $confighash{$key}[19] = $cgiparams{'ZERINA_CLIENT'};# new fileds - $confighash{$key}[20] = $cgiparams{'CIPHER'}; - - #default n2n advanced - $confighash{$key}[26] = '10';#keepalive ping - $confighash{$key}[27] = '60';#keepalive restart - $confighash{$key}[28] = '0';#nice - $confighash{$key}[42] = '3';#verb - #default n2n advanced - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - &Ovpnfunc::writenet2netconf($key,$zerinaclient); - #ppp - my $n2nactive = `/bin/ps ax|grep $cgiparams{'NAME'}.conf|grep -v grep|awk 
\'{print \$1}\'`; - if ($cgiparams{'ENABLED'}) { - if ($n2nactive eq ''){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $cgiparams{'NAME'}); - } else { - system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive); - system('/usr/local/bin/openvpnctrl', '-sn2n', $cgiparams{'NAME'}); - } - } else { - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $cgiparams{'NAME'}); - } + } else { # child + unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + '-newkey', 'rsa:1024', + '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + $errormessage = "$Lang::tr{'cant start openssl'}: $!"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; } - if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { - $cgiparams{'KEY'} = $key; - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; + } + + # Sign the host certificate request + system('/usr/bin/openssl', 'ca', '-days', '999999', + '-batch', '-notext', + '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + if ($?) 
{ + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + &newcleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + &deletebackupcert(); + } + + # Create the pkcs12 file + system('/usr/bin/openssl', 'pkcs12', '-export', + '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", + '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-name', $cgiparams{'NAME'}, + '-passout', "pass:$cgiparams{'CERT_PASS1'}", + '-certfile', "${General::swroot}/ovpn/ca/cacert.pem", + '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + } + } elsif ($cgiparams{'AUTH'} eq 'cert') { + ;# Nothing, just editing + } else { + $errormessage = $Lang::tr{'invalid input for authentication method'}; + goto VPNCONF_ERROR; + } + + # Check if there is no other entry with this common name + if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) { + foreach my $key (keys %confighash) { + if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { + $errormessage = $Lang::tr{'a connection with this common name already exists'}; + goto VPNCONF_ERROR; } - goto VPNCONF_END; + } + } + + # Save the config + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (\%confighash); + foreach my $i (0 .. 
31) { $confighash{$key}[$i] = "";} + } + $confighash{$key}[0] = $cgiparams{'ENABLED'}; + $confighash{$key}[1] = $cgiparams{'NAME'}; + if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; + } + $confighash{$key}[3] = $cgiparams{'TYPE'}; + if ($cgiparams{'AUTH'} eq 'psk') { + $confighash{$key}[4] = 'psk'; + $confighash{$key}[5] = $cgiparams{'PSK'}; + } else { + $confighash{$key}[4] = 'cert'; + } + if ($cgiparams{'TYPE'} eq 'net') { + $confighash{$key}[6] = $cgiparams{'SIDE'}; + $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; + } + $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; + $confighash{$key}[10] = $cgiparams{'REMOTE'}; + $confighash{$key}[25] = $cgiparams{'REMARK'}; + $confighash{$key}[26] = $cgiparams{'INTERFACE'}; +# new fields + $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'}; + $confighash{$key}[28] = $cgiparams{'PROTOCOL'}; + $confighash{$key}[29] = $cgiparams{'DEST_PORT'}; + $confighash{$key}[30] = $cgiparams{'COMPLZO'}; + $confighash{$key}[31] = $cgiparams{'MTU'}; +# new fileds + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { + $cgiparams{'KEY'} = $key; + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; + } + goto VPNCONF_END; } else { - $cgiparams{'ENABLED'} = 'on'; - if ($cgiparams{'ZERINA_CLIENT'} eq ''){ - $cgiparams{'ZERINA_CLIENT'} = 'no'; - } - if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { - $cgiparams{'AUTH'} = 'psk'; - } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") { - $cgiparams{'AUTH'} = 'certfile'; - } else { + $cgiparams{'ENABLED'} = 'on'; + $cgiparams{'SIDE'} = 'left'; + if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { + $cgiparams{'AUTH'} = 'psk'; + } elsif ( ! 
-f "${General::swroot}/ovpn/ca/cacert.pem") { + $cgiparams{'AUTH'} = 'certfile'; + } else { $cgiparams{'AUTH'} = 'certgen'; - } - $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; - $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; - $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; - $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; - $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; + } + $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; + $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; + $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; + $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; } + VPNCONF_ERROR: - # n2n default settings - if ($cgiparams{'CIPHER'} eq '') { - $cgiparams{'CIPHER'} = 'BF-CBC'; - } - if ($cgiparams{'MTU'} eq '') { - $cgiparams{'MTU'} = '1400'; - } - if ($cgiparams{'OVPN_SUBNET'} eq '') { - $cgiparams{'OVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; - } - #n2n default settings $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; 
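Review bot: In the certfile branch of this hunk, `move($filename, ...)` is followed by `if ($? ne 0)`, but File::Copy::move reports failure through its return value and `$?` still holds the exit status of the preceding `openssl verify` backtick, so a failed move is never detected and the subsequent `openssl x509` reads a certificate that was never installed; write `unless (move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem")) {` and keep the same error handling. Both CN extractions do `$temp =~ /Subject:.*CN=(.*)[\n]/; $temp = $1;` without testing the match, and on a certificate without a CN `$1` keeps the value of the last successful match in the enclosing block (most likely `'on'`/`'off'` from the `/^(on|off)$/` tests above), so the later `eq ''` guard does not fire; use `$temp = ($temp =~ /Subject:.*CN=(.*)[\n]/) ? $1 : '';`. The `psk` branch now consists only of commented-out checks, so `$cgiparams{'PSK'}` reaches `$confighash{$key}[5]` and `writehasharray` unvalidated; if the hash-array store is line- or separator-delimited (not visible here), a key containing that separator or a newline corrupts the record, so at least the length and character checks should be restored rather than commented out. The save handler this hunk belongs to starts before the hunk and its `VPNCONF_END` label lies outside it.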
@@ -2264,43 +2269,28 @@ END $checked{'ENABLED_ORANGE'}{'off'} = ''; $checked{'ENABLED_ORANGE'}{'on'} = ''; $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; + + $checked{'EDIT_ADVANCED'}{'off'} = ''; $checked{'EDIT_ADVANCED'}{'on'} = ''; $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED'; + $selected{'SIDE'}{'server'} = ''; $selected{'SIDE'}{'client'} = ''; $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED'; - -# $selected{'DDEVICE'}{'tun'} = ''; -# $selected{'DDEVICE'}{'tap'} = ''; -# $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; - - $selected{'PROTOCOL'}{'udp'} = ''; - $selected{'PROTOCOL'}{'tcp'} = ''; - $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED'; - + $checked{'AUTH'}{'psk'} = ''; $checked{'AUTH'}{'certreq'} = ''; $checked{'AUTH'}{'certgen'} = ''; $checked{'AUTH'}{'certfile'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED'; + $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED'; + $checked{'COMPLZO'}{'off'} = ''; $checked{'COMPLZO'}{'on'} = ''; $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED'; - $selected{'CIPHER'}{'DES-CBC'} = ''; - $selected{'CIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'CIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'CIPHER'}{'DESX-CBC'} = ''; - $selected{'CIPHER'}{'RC2-CBC'} = ''; - $selected{'CIPHER'}{'RC2-40-CBC'} = ''; - $selected{'CIPHER'}{'RC2-64-CBC'} = ''; - $selected{'CIPHER'}{'BF-CBC'} = ''; - $selected{'CIPHER'}{'CAST5-CBC'} = ''; - $selected{'CIPHER'}{'AES-128-CBC'} = ''; - $selected{'CIPHER'}{'AES-192-CBC'} = ''; - $selected{'CIPHER'}{'AES-256-CBC'} = ''; - $selected{'CIPHER'}{$cgiparams{'CIPHER'}} = 'SELECTED'; + if (1) { &Header::showhttpheaders(); @@ -2312,20 +2302,22 @@ END print " "; &Header::closebox(); } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:"); print "$warnmessage"; print " "; &Header::closebox(); } + print "
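Review bot: The `$selected{'PROTOCOL'}` and `$selected{'CIPHER'}` initialisation is removed here, yet the save path earlier in this diff still stores `$cgiparams{'PROTOCOL'}` at index 28 of `%confighash`, and the connection form in the -2335 hunk still prints the `$Lang::tr{'protocol'}` and `$Lang::tr{'cipher'}` cells. With the markup stripped from this view I cannot see whether a select element is still rendered for them, but if it is, it will now come up with no option preselected and a re-save may overwrite the stored protocol with the first option. Either keep `$selected{'PROTOCOL'}{'udp'} = ''; $selected{'PROTOCOL'}{'tcp'} = ''; $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED';` next to the other switches, or drop the corresponding form cells as well. The enclosing block starts before this hunk.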
"; print ""; - print ""; + if ($cgiparams{'KEY'}) { print ""; print ""; - print ""; } + &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:"); print "\n"; print ""; @@ -2335,77 +2327,81 @@ END } else { print ""; } +# print ""; +# print ""; +# print <"; if ($cgiparams{'KEY'}) { - print ""; + print ""; } else { - print ""; + print ""; } - print ""; - print ""; - print ""; - if ((($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no')) || - (($cgiparams{'ACTION'} eq $Lang::tr{'save'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no')) || - (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no'))) { - print ""; - print ""; - print ""; - print ""; - print ""; - } else { - print ""; - print ""; - print ""; - } - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; + print <  + + + + + + + + + +ttt + + + + + + + + + + + + +END + ; } print ""; print ""; + # if ($cgiparams{'TYPE'} eq 'net') { print "\n"; - if ($cgiparams{'TYPE'} eq 'host') { +# if ($cgiparams{'KEY'}) { +# print "
$Lang::tr{'name'}:
$Lang::tr{'interface'}
$cgiparams{'NAME'}$cgiparams{'NAME'}  
$Lang::tr{'Act as'}
$Lang::tr{'local vpn hostname/ip'}:$Lang::tr{'remote host/ip'}:
$Lang::tr{'Act as'}$cgiparams{'SIDE'}$Lang::tr{'remote host/ip'}:
$Lang::tr{'local subnet'}$Lang::tr{'remote subnet'}
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'}$Lang::tr{'destination port'}:
$Lang::tr{'comp-lzo'}$Lang::tr{'cipher'}
$Lang::tr{'MTU'}   
$Lang::tr{'Act as'}$Lang::tr{'remote host/ip'}:
$Lang::tr{'local subnet'}$Lang::tr{'remote subnet'}
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'}$Lang::tr{'destination port'}:
$Lang::tr{'comp-lzo'}
$Lang::tr{'MTU'} 
$Lang::tr{'remark title'} 
$Lang::tr{'enabled'}  
"; +# } else { +# print " $Lang::tr{'edit advanced settings when done'}"; +# } +# }else{ print " "; - } elsif ($cgiparams{'ACTION'} ne $Lang::tr{'edit'}){ - print " $Lang::tr{'edit advanced settings when done'}"; - } else { - print ""; - } +# } + &Header::closebox(); + if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { - ;#we dont have psk + # &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'}); + # print < + # $Lang::tr{'use a pre-shared key'} + # + # +END + # ; + # &Header::closebox(); } elsif (! $cgiparams{'KEY'}) { my $disabled=''; my $cakeydisabled=''; @@ -2446,6 +2442,7 @@ END $Lang::tr{'country'}: "; if ($cgiparams{'KEY'}) { - print ""; +# print ""; } print ""; &Header::closebigbox(); 
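Review bot: The commented-out PSK box in the `if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk')` branch appears to leave its heredoc terminator uncommented (`+END` sits between the commented `print <<END` and the commented `;`), so if the file really contains a bare `END` line inside that block, Perl will no longer see it as a heredoc terminator; prefix it with `#` as well, or better delete the whole commented block, which is dead code anyway (the same applies to the `#`-prefixed type check around the advanced-settings row and to the commented hidden field in the -2446 hunk). The new heredoc also interpolates `$cgiparams{'NAME'}` and the other submitted values straight into the HTML, as the removed `print` lines did; since the form is being rewritten, this is the moment to run those values through an HTML-escaping step before they are printed. The enclosing block starts before this hunk.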
@@ -2477,762 +2475,486 @@ END } VPNCONF_END: } + +# SETTINGS_ERROR: ### -### Advanced settings +### Default status page ### -if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + %cgiparams = (); + %cahash = (); + %confighash = (); + &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); + &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if (! $confighash{$cgiparams{'KEY'}}) { - $errormessage = $Lang::tr{'invalid key'}; - goto ADVANCED_END; - } - #n2n advanced error - if ($cgiparams{'KEEPALIVE_1'} ne '') { - if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) { - $errormessage = $Lang::tr{'invalid input for keepalive 1'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'KEEPALIVE_2'} ne ''){ - if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) { - $errormessage = $Lang::tr{'invalid input for keepalive 2'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){ - $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; - goto ADVANCED_ERROR; - } - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { -# if ($cgiparams{'NAT'} !~ /^(on|off)$/) { -# $errormessage = $Lang::tr{'invalid input'}; -# goto ADVANCED_ERROR; -# } - #n2n advanced error - #cgi an config - $confighash{$cgiparams{'KEY'}}[26] = $cgiparams{'KEEPALIVE_1'}; - $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'KEEPALIVE_2'}; - $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'EXTENDED_NICE'}; - $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'EXTENDED_FASTIO'}; - $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'EXTENDED_MTUDISC'}; - $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'EXTENDED_MSSFIX'}; - $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'EXTENDED_FRAGMENT'}; - 
$confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'PROXY_HOST'}; - $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'PROXY_PORT'}; - $confighash{$cgiparams{'KEY'}}[35] = $cgiparams{'PROXY_USERNAME'}; - $confighash{$cgiparams{'KEY'}}[36] = $cgiparams{'PROXY_PASS'}; - $confighash{$cgiparams{'KEY'}}[37] = $cgiparams{'PROXY_AUTH_METHOD'}; - $confighash{$cgiparams{'KEY'}}[38] = $cgiparams{'http-proxy-retry'}; - $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'PROXY_TIMEOUT'}; - $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'PROXY_OPT_VERSION'}; - $confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'PROXY_OPT_AGENT'}; - $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'LOG_VERB'}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient); - # restart n2n after advanced save ? - goto ADVANCED_END; - } else { - $cgiparams{'KEEPALIVE_1'} = $confighash{$cgiparams{'KEY'}}[26]; - $cgiparams{'KEEPALIVE_2'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'EXTENDED_NICE'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'EXTENDED_FASTIO'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'EXTENDED_MTUDISC'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'EXTENDED_MSSFIX'} = $confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'EXTENDED_FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[32]; - $cgiparams{'PROXY_HOST'} = $confighash{$cgiparams{'KEY'}}[33]; - $cgiparams{'PROXY_PORT'} = $confighash{$cgiparams{'KEY'}}[34]; - $cgiparams{'PROXY_USERNAME'} = $confighash{$cgiparams{'KEY'}}[35]; - $cgiparams{'PROXY_PASS'} = $confighash{$cgiparams{'KEY'}}[36]; - $cgiparams{'PROXY_AUTH_METHOD'} = $confighash{$cgiparams{'KEY'}}[37]; - $cgiparams{'http-proxy-retry'} = $confighash{$cgiparams{'KEY'}}[38]; - $cgiparams{'PROXY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[39]; - $cgiparams{'PROXY_OPT_VERSION'} = $confighash{$cgiparams{'KEY'}}[40]; - $cgiparams{'PROXY_OPT_AGENT'} = $confighash{$cgiparams{'KEY'}}[41]; - 
$cgiparams{'LOG_VERB'} = $confighash{$cgiparams{'KEY'}}[42]; - #cgi an config - } - ADVANCED_ERROR: - #Schalter setzen - $selected{'EXTENDED_NICE'}{'-13'} = ''; - $selected{'EXTENDED_NICE'}{'-10'} = ''; - $selected{'EXTENDED_NICE'}{'-7'} = ''; - $selected{'EXTENDED_NICE'}{'-3'} = ''; - $selected{'EXTENDED_NICE'}{'0'} = ''; - $selected{'EXTENDED_NICE'}{'3'} = ''; - $selected{'EXTENDED_NICE'}{'7'} = ''; - $selected{'EXTENDED_NICE'}{'10'} = ''; - $selected{'EXTENDED_NICE'}{'13'} = ''; - $selected{'EXTENDED_NICE'}{$cgiparams{'EXTENDED_NICE'}} = 'SELECTED'; - $checked{'EXTENDED_FASTIO'}{'off'} = ''; - $checked{'EXTENDED_FASTIO'}{'on'} = ''; - $checked{'EXTENDED_FASTIO'}{$cgiparams{'EXTENDED_FASTIO'}} = 'CHECKED'; - $checked{'EXTENDED_MTUDISC'}{'off'} = ''; - $checked{'EXTENDED_MTUDISC'}{'on'} = ''; - $checked{'EXTENDED_MTUDISC'}{$cgiparams{'EXTENDED_MTUDISC'}} = 'CHECKED'; - $selected{'LOG_VERB'}{'1'} = ''; - $selected{'LOG_VERB'}{'2'} = ''; - $selected{'LOG_VERB'}{'3'} = ''; - $selected{'LOG_VERB'}{'4'} = ''; - $selected{'LOG_VERB'}{'5'} = ''; - $selected{'LOG_VERB'}{'6'} = ''; - $selected{'LOG_VERB'}{'7'} = ''; - $selected{'LOG_VERB'}{'8'} = ''; - $selected{'LOG_VERB'}{'9'} = ''; - $selected{'LOG_VERB'}{'10'} = ''; - $selected{'LOG_VERB'}{'11'} = ''; - $selected{'LOG_VERB'}{'0'} = ''; - $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - $selected{'PROXY_AUTH_METHOD'}{'none'} = ''; - $selected{'PROXY_AUTH_METHOD'}{'basic'} = ''; - $selected{'PROXY_AUTH_METHOD'}{'ntlm'} = ''; - $selected{'PROXY_AUTH_METHOD'}{$cgiparams{'PROXY_AUTH_METHOD'}} = 'SELECTED'; - $checked{'PROXY_RETRY'}{'off'} = ''; - $checked{'PROXY_RETRY'}{'on'} = ''; - $checked{'PROXY_RETRY'}{$cgiparams{'PROXY_RETRY'}} = 'CHECKED'; - #Schalter setzen - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', $errormessage); - - if ($errormessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); - print 
"$errormessage"; - print " "; - &Header::closebox(); - } - - if ($warnmessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); - print "$warnmessage"; - print " "; - &Header::closebox(); - } - - print "
\n"; - print "\n"; - print "\n"; - &Header::openbox('100%', 'LEFT', "$Lang::tr{'advanced'}:"); - print < - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'misc-options'}
Keppalive (ping/ping-restart)
$Lang::tr{'ovpn_processprio'} - -
$Lang::tr{'ovpn_fastio'} - -
$Lang::tr{'ovpn_mtudisc'} - -
$Lang::tr{'ovpn_mssfix'} - -
$Lang::tr{'ovpn_fragment'} - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'proxy'} $Lang::tr{'settings'}
$Lang::tr{'proxy'} $Lang::tr{'host'}:$Lang::tr{'proxy port'}:
$Lang::tr{'username'}$Lang::tr{'password'}
$Lang::tr{'authentication'} $Lang::tr{'method'} - -
http-proxy-retryhttp-proxy-timeout
http-proxy-option VERSIONhttp-proxy-option AGENT
-
- - - - - - - - - - -
$Lang::tr{'log-options'}
VERB
- -EOF - ; - &Header::closebox(); - print "
"; - print "
"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + my @status = `/bin/cat /var/log/ovpnserver.log`; - ADVANCED_END: -} -### -### Default status page -### -%cgiparams = (); -%cahash = (); -%confighash = (); -&General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); -&General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); -&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -my @status = `/bin/cat /var/log/ovpnserver.log`; -if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr = ; close IPADDR; chomp ($ipaddr); $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; + $cgiparams{'VPN_IP'} = $ipaddr; } } -} + } + #default setzen -if ($cgiparams{'DCIPHER'} eq '') { + if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'BF-CBC'; -} + } # if ($cgiparams{'DCOMPLZO'} eq '') { # $cgiparams{'DCOMPLZO'} = 'on'; # } -if ($cgiparams{'DDEST_PORT'} eq '') { + if ($cgiparams{'DDEST_PORT'} eq '') { $cgiparams{'DDEST_PORT'} = '1194'; -} -if ($cgiparams{'DMTU'} eq '') { + } + if ($cgiparams{'DMTU'} eq '') { $cgiparams{'DMTU'} = '1400'; -} -if ($cgiparams{'DOVPN_SUBNET'} eq '') { + } + if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . 
'.0/255.255.255.0'; -} -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; -$checked{'ENABLED_BLUE'}{'off'} = ''; -$checked{'ENABLED_BLUE'}{'on'} = ''; -$checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED'; -$checked{'ENABLED_ORANGE'}{'off'} = ''; -$checked{'ENABLED_ORANGE'}{'on'} = ''; -$checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; + } + + $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'on'} = ''; + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; + $checked{'ENABLED_BLUE'}{'off'} = ''; + $checked{'ENABLED_BLUE'}{'on'} = ''; + $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED'; + $checked{'ENABLED_ORANGE'}{'off'} = ''; + $checked{'ENABLED_ORANGE'}{'on'} = ''; + $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; + + #new settings -$selected{'DDEVICE'}{'tun'} = ''; -$selected{'DDEVICE'}{'tap'} = ''; -$selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; -$selected{'DPROTOCOL'}{'udp'} = ''; -$selected{'DPROTOCOL'}{'tcp'} = ''; -$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; -$selected{'DCIPHER'}{'DES-CBC'} = ''; -$selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; -$selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; -$selected{'DCIPHER'}{'DESX-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-40-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-64-CBC'} = ''; -$selected{'DCIPHER'}{'BF-CBC'} = ''; -$selected{'DCIPHER'}{'CAST5-CBC'} = ''; -$selected{'DCIPHER'}{'AES-128-CBC'} = ''; -$selected{'DCIPHER'}{'AES-192-CBC'} = ''; -$selected{'DCIPHER'}{'AES-256-CBC'} = ''; -$selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; -$checked{'DCOMPLZO'}{'off'} = ''; -$checked{'DCOMPLZO'}{'on'} = ''; -$checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; + $selected{'DDEVICE'}{'tun'} = ''; + $selected{'DDEVICE'}{'tap'} = ''; + $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; + + 
$selected{'DPROTOCOL'}{'udp'} = ''; + $selected{'DPROTOCOL'}{'tcp'} = ''; + $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; + + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + $checked{'DCOMPLZO'}{'off'} = ''; + $checked{'DCOMPLZO'}{'on'} = ''; + $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; #new settings -&Header::showhttpheaders(); -&Header::openpage($Lang::tr{'status ovpn'}, 1, ''); -&Header::openbigbox('100%', 'LEFT', '', $errormessage); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', $errormessage); -if ($errormessage) { + if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); print "$errormessage\n"; print " \n"; &Header::closebox(); -} + } -my $sactive = "
$Lang::tr{'stopped'}
"; -my $srunning = "no"; -my $activeonrun = ""; -if ( -e "/var/run/openvpn.pid"){ + my $sactive = "
$Lang::tr{'stopped'}
"; + my $srunning = "no"; + my $activeonrun = ""; + if ( -e "/var/run/openvpn.pid"){ $sactive = "
$Lang::tr{'running'}
"; $srunning ="yes"; $activeonrun = ""; -} else { + } else { $activeonrun = "disabled='disabled'"; -} -&Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); -print "
ZERINA-0.9.7a7
"; -print < -
-  -  -  -$Lang::tr{'ovpn server status'} -$sactive -$Lang::tr{'ovpn on red'} - + } + &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); + print < + +   +   +   + $Lang::tr{'ovpn server status'} + $sactive + $Lang::tr{'ovpn on red'} + END ; -if (&Ovpnfunc::haveBlueNet()) { + if (&haveBlueNet()) { print "$Lang::tr{'ovpn on blue'}"; print ""; -} -if (&Ovpnfunc::haveOrangeNet()) { + } + if (&haveOrangeNet()) { print "$Lang::tr{'ovpn on orange'}"; print ""; -} -print <$Lang::tr{'local vpn hostname/ip'}: - - $Lang::tr{'ovpn subnet'} - -$Lang::tr{'ovpn device'} - -$Lang::tr{'protocol'} - - $Lang::tr{'destination port'}: - -$Lang::tr{'MTU'}  - -$Lang::tr{'comp-lzo'} - - $Lang::tr{'cipher'} - + } + print <$Lang::tr{'local vpn hostname/ip'}:
+ $Lang::tr{'ovpn subnet'}
+ $Lang::tr{'ovpn device'} + + $Lang::tr{'protocol'} + + $Lang::tr{'destination port'}: + + $Lang::tr{'MTU'}  + + $Lang::tr{'comp-lzo'} + + $Lang::tr{'cipher'} + END ; -if ( $srunning eq "yes" ) { + if ( $srunning eq "yes" ) { print ""; print ""; print ""; print ""; -} else{ + } else{ print ""; print ""; if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && - -e "${General::swroot}/ovpn/ca/dh1024.pem" && - -e "${General::swroot}/ovpn/certs/servercert.pem" && - -e "${General::swroot}/ovpn/certs/serverkey.pem") && - (( $cgiparams{'ENABLED'} eq 'on') || - ( $cgiparams{'ENABLED_BLUE'} eq 'on') || - ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){ - print ""; - print ""; + -e "${General::swroot}/ovpn/ca/dh1024.pem" && + -e "${General::swroot}/ovpn/certs/servercert.pem" && + -e "${General::swroot}/ovpn/certs/serverkey.pem") && + (( $cgiparams{'ENABLED'} eq 'on') || + ( $cgiparams{'ENABLED_BLUE'} eq 'on') || + ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){ + print ""; + print ""; } else { - print ""; - print ""; + print ""; + print ""; } -} -print ""; -&Header::closebox(); -&Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:"); -print < - - $Lang::tr{'name'} + } + print ""; + &Header::closebox(); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:"); + print < + + $Lang::tr{'name'} $Lang::tr{'subject'} $Lang::tr{'action'} - + EOF ; -if (-f "${General::swroot}/ovpn/ca/cacert.pem") { + if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; $casubject =~ /Subject: (.*)[\n]/; $casubject = $1; $casubject =~ s+/Email+, E+; $casubject =~ s/ ST=/ S=/; + print < - $Lang::tr{'root certificate'} - $casubject -
- - -
-
- + + $Lang::tr{'root certificate'} + $casubject + + + +
+
+ -
-   + +   END ; -} else { + } else { # display rootcert generation buttons print < + $Lang::tr{'root certificate'}: $Lang::tr{'not present'}   END ; -} + } -if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; $hostsubject =~ /Subject: (.*)[\n]/; $hostsubject = $1; $hostsubject =~ s+/Email+, E+; $hostsubject =~ s/ ST=/ S=/; + print < + $Lang::tr{'host certificate'} $hostsubject
- - + +
- - + +
  END ; -} else { + } else { # Nothing print < + $Lang::tr{'host certificate'}: $Lang::tr{'not present'}   END ; -} + } -if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { - print "
"; + if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { + print ""; print ""; - print "
\n"; -} + print "\n"; + } -if (keys %cahash > 0) { + if (keys %cahash > 0) { foreach my $key (keys %cahash) { - if (($key + 1) % 2) { - print "\n"; - } else { - print "\n"; - } - print "$cahash{$key}[0]\n"; - print "$cahash{$key}[1]\n"; - print < + if (($key + 1) % 2) { + print "\n"; + } else { + print "\n"; + } + print "$cahash{$key}[0]\n"; + print "$cahash{$key}[1]\n"; + print < - -
- +
+
+ -
-
+
+
-
+ END ; } -} -print ""; -if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {# If the file contains entries, print Key to action icons - print < - + } + + print ""; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { + print < +   $Lang::tr{'legend'}:     $Lang::tr{ $Lang::tr{'show certificate'} -     $Lang::tr{ +     $Lang::tr{ $Lang::tr{'download certificate'} - - + + END ; -} -print < - - - - - -
$Lang::tr{'ca name'}: -
+ } + print < + + + + +
$Lang::tr{'ca name'}: +
END ; -&Header::closebox(); -if ( $srunning eq "yes" ) { + + &Header::closebox(); + if ( $srunning eq "yes" ) { print "
\n"; -}else{ - print "
\n"; -} -if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' }); - print < - - $Lang::tr{'name'} - $Lang::tr{'type'} - $Lang::tr{'common name'} - $Lang::tr{'valid till'} - $Lang::tr{'remark'}
L2089 - $Lang::tr{'status'} - $Lang::tr{'action'} - + }else{ + print "
\n"; + } + if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' }); + print < + + $Lang::tr{'name'} + $Lang::tr{'type'} + $Lang::tr{'common name'} + $Lang::tr{'valid till'} + $Lang::tr{'remark'}
L2089 + $Lang::tr{'status'} + $Lang::tr{'action'} + END ; - my $id = 0; - my $gif; - foreach my $key (keys %confighash) { - if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } - if ($id % 2) { - print "\n"; - } else { - print "\n"; - } - print "$confighash{$key}[1]"; - if ($confighash{$key}[3] ne 'host') { - print "" . $confighash{$key}[6] . "-" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")"; - } else { - print "" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")"; - } - if ($confighash{$key}[4] eq 'cert') { - print "$confighash{$key}[2]"; - } else { - print " "; - } - if ($confighash{$key}[19] ne 'yes') { - my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - $cavalid =~ /Not After : (.*)[\n]/; - $cavalid = $1; - print "$cavalid"; - } else { - print " "; - } - print "$confighash{$key}[25]"; - my $active = "
$Lang::tr{'capsclosed'}
"; - if ($confighash{$key}[0] eq 'off') { - $active = "
$Lang::tr{'capsclosed'}
"; - } else { - if ($confighash{$key}[3] eq 'host') { - my $cn; - my @match = (); - foreach my $line (@status) { - chomp($line); - if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { - @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); - if ($match[1] ne "Common Name") { - $cn = $match[1]; - } - $cn =~ s/[_]/ /g; - if ($cn eq "$confighash{$key}[2]") { - $active = "
$Lang::tr{'capsopen'}
"; - } - } - } - } else { - my @tempovpnsubnet = split("\/",$confighash{$key}[13]); - my @ovpnip = split /\./,$tempovpnsubnet[0]; - my $pingip = ""; - if ($confighash{$key}[6] eq 'server') { - $pingip = "$ovpnip[0].$ovpnip[1].$ovpnip[2].2"; - } else { - $pingip = "$ovpnip[0].$ovpnip[1].$ovpnip[2].1"; - } - my $p = Net::Ping->new("udp",1); - if ($p->ping($pingip)) { - $active = "
$Lang::tr{'capsopen'}
"; - } - $p->close(); - } - } - print "$active"; - my $disable_clientdl = ""; - if ($confighash{$key}[6] ne 'client') { - print < - - - - -END - ; } else { - print " "; - } - if ($confighash{$key}[4] eq 'cert' && $confighash{$key}[19] ne 'yes') { - print < - - - - -END - ; } else { - print " "; - } - if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { - print < - - - - -END - ; } elsif ($confighash{$key}[4] eq 'cert' && $confighash{$key}[19] ne 'yes') { - print < - - - - + my $id = 0; + my $gif; + foreach my $key (keys %confighash) { + if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } + + if ($id % 2) { + print "\n"; + } else { + print "\n"; + } + print "$confighash{$key}[1]"; + print "" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")"; + if ($confighash{$key}[4] eq 'cert') { + print "$confighash{$key}[2]"; + } else { + print " "; + } + my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; + $cavalid =~ /Not After : (.*)[\n]/; + $cavalid = $1; + print "$cavalid"; + print "$confighash{$key}[25]"; + my $active = "
$Lang::tr{'capsclosed'}
"; + if ($confighash{$key}[0] eq 'off') { + $active = "
$Lang::tr{'capsclosed'}
"; + } else { + my $cn; + my @match = (); + foreach my $line (@status) { + chomp($line); + if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { + @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); + if ($match[1] ne "Common Name") { + $cn = $match[1]; + } + $cn =~ s/[_]/ /g; + if ($cn eq "$confighash{$key}[2]") { + $active = "
$Lang::tr{'capsopen'}
"; + } + } + } + } + my $disable_clientdl = "disabled='disabled'"; + if (( $cgiparams{'ENABLED'} eq 'on') || + ( $cgiparams{'ENABLED_BLUE'} eq 'on') || + ( $cgiparams{'ENABLED_ORANGE'} eq 'on')){ + $disable_clientdl = ""; + } + print <$active + +
+ + + +
END - ; } else { - print " "; - } - print < - - + ; + if ($confighash{$key}[4] eq 'cert') { + print < + + - -
- - +
+END + ; } else { + print " "; + } + if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { + print < + + - -
- - +
+END + ; } elsif ($confighash{$key}[4] eq 'cert') { + print < + + - - + END - ; - $id++; + ; } else { + print " "; } + print < + + + + + +
+ + + +
+
+ + + +
+ +END + ; + $id++; + } ; # If the config file contains entries, print Key to action icons if ( $id ) { - print < - -   $Lang::tr{'legend'}: -   $Lang::tr{ - $Lang::tr{'click to disable'} -     $Lang::tr{ - $Lang::tr{'show certificate'} -     $Lang::tr{ - $Lang::tr{'edit'} -     $Lang::tr{ - $Lang::tr{'remove'} - - -   -   ?OFF - $Lang::tr{'click to enable'} -     ?FLOPPY - $Lang::tr{'download certificate'} -     ?RELOAD - $Lang::tr{'dl client arch'} - - + print < + +   $Lang::tr{'legend'}: +   $Lang::tr{ + $Lang::tr{'click to disable'} +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'edit'} +     $Lang::tr{ + $Lang::tr{'remove'} + + +   +   ?OFF + $Lang::tr{'click to enable'} + ?FLOPPY + $Lang::tr{'download certificate'} + ?RELOAD + $Lang::tr{'dl client arch'} + + END ; } + print <
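Review bot: In the connection status loop the `openssl x509` backtick call and `$cavalid = $1` now run for every entry, including PSK connections, whereas the removed code guarded them with `$confighash{$key}[19] ne 'yes'`; when the certificate file is missing or `Not After` does not match, `$1` keeps its value from the last successful match, so the row shows the previous entry's expiry (or the CA subject captured earlier on the page). The match result should be checked and the call limited to `$confighash{$key}[4] eq 'cert'`, and because the connection name is interpolated into a shell command, running openssl through list-form `open` avoids shell interpretation of the name unless it is already validated on save (not visible here). The same unchecked `$1` pattern sits on the context lines for `$casubject` and `$hostsubject`, and `my @status = \`/bin/cat /var/log/ovpnserver.log\`` could be a three-argument `open` on the log file.
```perl
# … unchanged: row start, name and type columns …
my $cavalid = '';
if ($confighash{$key}[4] eq 'cert') {
    my $certfile = "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem";
    if (open(my $x509, '-|', '/usr/bin/openssl', 'x509', '-text', '-in', $certfile)) {
        my $certtext = do { local $/; <$x509> };
        close($x509);
        ($cavalid) = $certtext =~ /Not After : (.*)[\n]/;
        $cavalid = '' unless defined $cavalid;
    }
}
# … unchanged: print of $cavalid, remark and status columns …
```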
@@ -3243,5 +2965,5 @@ END END ; &Header::closebox(); -} -&Header::closepage(); \ No newline at end of file +} +&Header::closepage();