X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=ecca6fa77b42f312d97d0f5d6be5b4a9c6d99df9;hp=90651b5cd6d02ba8230a560c4e685cc9394a6278;hb=74225cce6298598290bee49b0d332507014f2eb6;hpb=bb89e92a474fcaad46c21cf4e18cc0d231705a6d diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 90651b5cd6..ecca6fa77b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1,13 +1,23 @@ #!/usr/bin/perl -# based on SmoothWall and IPCop CGIs -# -# This code is distributed under the terms of the GPL -# Main idea from zeroconcept -# ZERNINA-VERSION:0.9.7a9 -# (c) 2005 Ufuk Altinkaynak -# -# Ipcop and OpenVPN eas as one two three.. -# +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### use CGI; use CGI qw/:standard/; 
@@ -16,9 +26,7 @@ use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Archive::Zip qw(:ERROR_CODES :CONSTANTS); -use Net::Ping; require '/var/ipfire/general-functions.pl'; -require '/home/httpd/cgi-bin/ovpnfunc.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/countries.pl"; @@ -30,7 +38,10 @@ require "${General::swroot}/countries.pl"; my @dummy = ( ${Header::colourgreen} ); undef (@dummy); - +my %color = (); +my %mainsettings = (); +&General::readhash("${General::swroot}/main/settings", \%mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); ### ### Initialize variables @@ -45,7 +56,6 @@ my %selected=(); my $warnmessage = ''; my $errormessage = ''; my %settings=(); -my $zerinaclient = ''; &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off'; 
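Review bot: Dropping `use Net::Ping` and the `ovpnfunc.pl` require is consistent with inlining the helpers, but `valid_dns_host`, added later in this patch, calls `new Net::DNS::Resolver`, and no `use Net::DNS` is visible in the part of the preamble this hunk shows; if it is not imported elsewhere in the file that sub dies on first call. While confirming that against the full header, `Net::DNS::Resolver->new` avoids the indirect-object call form. The use/require list continues outside the hunk.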
@@ -60,12 +70,348 @@ $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; $cgiparams{'DCOMPLZO'} = 'off'; +$cgiparams{'MSSFIX'} = ''; + &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); # prepare openvpn config file ### ### Useful functions ### +sub haveOrangeNet +{ + if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} + if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} + return 0; +} + +sub haveBlueNet +{ + if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;} + if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} + return 0; +} + +sub sizeformat{ + my $bytesize = shift; + my $i = 0; + + while(abs($bytesize) >= 1024){ + $bytesize=$bytesize/1024; + $i++; + last if($i==6); + } + + my @units = ("Bytes","KB","MB","GB","TB","PB","EB"); + my $newsize=(int($bytesize*100 +0.5))/100; + return("$newsize $units[$i]"); +} + +sub valid_dns_host { + my $hostname = $_[0]; + unless ($hostname) { return "No hostname"}; + my $res = new Net::DNS::Resolver; + my $query = $res->search("$hostname"); + if ($query) { + foreach my $rr ($query->answer) { + ## Potential bug - we are only looking at A records: + return 0 if $rr->type eq "A"; + } + } else { + return $res->errorstring; + } +} + +sub cleanssldatabase +{ + if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) { + print FILE "01"; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) { + print FILE ""; + close FILE; + } + unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/serial.old"); + unlink ("${General::swroot}/ovpn/certs/01.pem"); +} + +sub newcleanssldatabase +{ + if (! -s "${General::swroot}/ovpn/certs/serial" ) { + open(FILE, ">${General::swroot}(ovpn/certs/serial"); + print FILE "01"; + close FILE; + } + if (! 
-s ">${General::swroot}/ovpn/certs/index.txt") { + system ("touch ${General::swroot}/ovpn/certs/index.txt"); + } + unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/serial.old"); +} + +sub deletebackupcert +{ + if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) { + my $hexvalue = ; + chomp $hexvalue; + close FILE; + unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); + } +} + +sub checkportfw { + my $KEY2 = $_[0]; # key2 + my $SRC_PORT = $_[1]; # src_port + my $PROTOCOL = $_[2]; # protocol + my $SRC_IP = $_[3]; # sourceip + + my $pfwfilename = "${General::swroot}/portfw/config"; + open(FILE, $pfwfilename) or die 'Unable to open config file.'; + my @pfwcurrent = ; + close(FILE); + my $pfwkey1 = 0; # used for finding last sequence number used + foreach my $pfwline (@pfwcurrent) + { + my @pfwtemp = split(/\,/,$pfwline); + + chomp ($pfwtemp[8]); + if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition + if ( $SRC_PORT eq $pfwtemp[3] && + $PROTOCOL eq $pfwtemp[2] && + $SRC_IP eq $pfwtemp[7]) + { + $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT"; + } + # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number + if ( $pfwtemp[1] eq "0") { + $pfwkey1=$pfwtemp[0]; + } + # Darren Critchley - Duplicate or overlapping Port range check + if ($pfwtemp[1] eq "0" && + $PROTOCOL eq $pfwtemp[2] && + $SRC_IP eq $pfwtemp[7] && + $errormessage eq '') + { + &portchecks($SRC_PORT, $pfwtemp[5]); +# &portchecks($pfwtemp[3], $pfwtemp[5]); +# &portchecks($pfwtemp[3], $SRC_IP); + } + } + } +# $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP"; + + return; +} + +sub checkportoverlap +{ + my $portrange1 = $_[0]; # New port range + my $portrange2 = $_[1]; # existing port range + my @tempr1 = split(/\:/,$portrange1); + my @tempr2 = split(/\:/,$portrange2); + + unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} + unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} + + 
unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} + unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} + + return 1; # Everything checks out! +} + +# Darren Critchley - we want to make sure that a port entry is not within an already existing range +sub checkportinc +{ + my $port1 = $_[0]; # Port + my $portrange2 = $_[1]; # Port range + my @tempr1 = split(/\:/,$portrange2); + + if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { + return 1; + } else { + return 0; + } +} +# Darren Critchley - Duplicate or overlapping Port range check +sub portchecks +{ + my $p1 = $_[0]; # New port range + my $p2 = $_[1]; # existing port range +# $_ = $_[0]; + our ($prtrange1, $prtrange2); + $prtrange1 = 0; +# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges +# unless (&checkportoverlap($p1,$p2)) { +# $errormessage = "$Lang::tr{'source port overlaps'} $p1"; +# } +# } + if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range + unless (&checkportinc($p2,$p1)) { + $errormessage = "$Lang::tr{'srcprt within existing'} $p1"; + } + } + $prtrange1 = 1; + if (! 
m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range + unless (&checkportinc($p1,$p2)) { + $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2"; + } + } + return; +} + +# Darren Critchley - certain ports are reserved for IPFire +# TCP 67,68,81,222,445 +# UDP 67,68 +# Params passed in -> port, rangeyn, protocol +sub disallowreserved +{ + # port 67 and 68 same for tcp and udp, don't bother putting in an array + my $msg = ""; + my @tcp_reserved = (81,222,445); + my $prt = $_[0]; # the port or range + my $ryn = $_[1]; # tells us whether or not it is a port range + my $prot = $_[2]; # protocol + my $srcdst = $_[3]; # source or destination + if ($ryn) { # disect port range + if ($srcdst eq "src") { + $msg = "$Lang::tr{'rsvd src port overlap'}"; + } else { + $msg = "$Lang::tr{'rsvd dst port overlap'}"; + } + my @tmprng = split(/\:/,$prt); + unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } + unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } + } + } + } else { + if ($srcdst eq "src") { + $msg = "$Lang::tr{'reserved src port'}"; + } else { + $msg = "$Lang::tr{'reserved dst port'}"; + } + if ($prt == 67) { $errormessage="$msg 67"; return; } + if ($prt == 68) { $errormessage="$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + if ($prange == $prt) { $errormessage="$msg $prange"; return; } + } + } + } + return; +} + +sub writeserverconf { + my %sovpnsettings = (); + &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings); + + open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!"; + flock CONF, 2; + print CONF "#OpenVPN Server conf\n"; + print CONF "\n"; + print CONF "daemon openvpnserver\n"; + print CONF "writepid 
/var/run/openvpn.pid\n"; + print CONF "#DAN prepare OpenVPN for listening on blue and orange\n"; + print CONF ";local $sovpnsettings{'VPN_IP'}\n"; + print CONF "dev $sovpnsettings{'DDEVICE'}\n"; + print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; + print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; + print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; + print CONF "script-security 3 system\n"; + print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; + print CONF "tls-server\n"; + print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n"; + print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n"; + print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n"; + print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n"; + my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); + print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; + print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; + if ($sovpnsettings{CLIENT2CLIENT} eq 'on') { + print CONF "client-to-client\n"; + } + if ($sovpnsettings{MSSFIX} eq 'on') { + print CONF "mssfix\n"; + } + if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { + print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; + } + if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { + print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; + } + print CONF "status-version 1\n"; + print CONF "status /var/log/ovpnserver.log 30\n"; + print CONF "cipher $sovpnsettings{DCIPHER}\n"; + if ($sovpnsettings{DCOMPLZO} eq 'on') { + print CONF "comp-lzo\n"; + } + if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') { + print CONF "push \"redirect-gateway def1\"\n"; + } + if ($sovpnsettings{DHCP_DOMAIN} ne '') { + print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n"; + } + + if ($sovpnsettings{DHCP_DNS} ne '') { + print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n"; + } + + if 
($sovpnsettings{DHCP_WINS} ne '') { + print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n"; + } + + if ($sovpnsettings{DHCP_WINS} eq '') { + print CONF "max-clients 100\n"; + } + if ($sovpnsettings{DHCP_WINS} ne '') { + print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n"; + } + print CONF "tls-verify /var/ipfire/ovpn/verify\n"; + print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n"; + print CONF "user nobody\n"; + print CONF "group nobody\n"; + print CONF "persist-key\n"; + print CONF "persist-tun\n"; + if ($sovpnsettings{LOG_VERB} ne '') { + print CONF "verb $sovpnsettings{LOG_VERB}\n"; + } else { + print CONF "verb 3\n"; + } + print CONF "\n"; + + close(CONF); +} +# +sub emptyserverlog{ + if (open(FILE, ">/var/log/ovpnserver.log")) { + flock FILE, 2; + print FILE ""; + close FILE; + } + +} + +#hier die refresh page +if ( -e "${General::swroot}/ovpn/gencanow") { + my $refresh = ''; + $refresh = ""; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh); + &Header::openbigbox('100%', 'center'); + &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); + print "\n\n"; + print "Please be patient this realy can take some time on older hardware...\n"; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0); +} +##hier die refresh page + ### ### OpenVPN Server Control 
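Review bot: `newcleanssldatabase` recreates the serial file at `>${General::swroot}(ovpn/certs/serial` — the `(` should be `/`, so the empty-serial case never rewrites the real file — and the following test `if (! -s ">${General::swroot}/ovpn/certs/index.txt")` stats a name beginning with `>`, which never exists, so the touch runs every time; `open(FILE, ">${General::swroot}/ovpn/certs/serial") or return;` and `if (! -s "${General::swroot}/ovpn/certs/index.txt")` fix both. In `writeserverconf` the `max-clients` line is selected on `DHCP_WINS` rather than `MAX_CLIENTS`, so the configured limit is only emitted when a WINS address is set; `if ($sovpnsettings{MAX_CLIENTS} ne '')` is the intended test. The `my $hexvalue = ;` and `my @pfwcurrent = ;` reads look like a stripped `<FILE>` in the rendering rather than the committed text — confirm against the raw file. The helpers use bareword, unchecked `open(FILE, …)` throughout; three-arg opens on lexical handles with the failure reported into `$errormessage` would make a missing or unwritable certs directory visible instead of silently producing an empty database. A one-line comment on why `script-security 3 system` (the highest level, which also exposes credentials to scripts via the environment) is required for `tls-verify` would help the next maintainer decide whether level 2 suffices.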
@@ -73,29 +419,21 @@ $cgiparams{'DCOMPLZO'} = 'off'; if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} || $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} || $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) { - my $serveractive = `/bin/ps ax|grep server.conf|grep -v grep|awk \'{print \$1}\'`; #start openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){ - &Ovpnfunc::emptyserverlog(); + &emptyserverlog(); system('/usr/local/bin/openvpnctrl', '-s'); } #stop openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){ - if ($serveractive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $serveractive); - } system('/usr/local/bin/openvpnctrl', '-k'); - &Ovpnfunc::emptyserverlog(); + &emptyserverlog(); } # #restart openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){ #workarund, till SIGHUP also works when running as nobody - if ($serveractive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $serveractive); - } - system('/usr/local/bin/openvpnctrl', '-k'); - &Ovpnfunc::emptyserverlog(); - system('/usr/local/bin/openvpnctrl', '-s'); + system('/usr/local/bin/openvpnctrl', '-r'); + &emptyserverlog(); } } 
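Review bot: The three `system('/usr/local/bin/openvpnctrl', …)` calls discard their return value, so a failed start, stop or restart leaves the page reporting nothing to the admin; `system('/usr/local/bin/openvpnctrl', '-s') == 0 or $errormessage = "openvpnctrl failed: $?";` on each call would surface it. Routing the restart through `-r` rather than a `ps|grep` pipeline also removes the only place the pid list was interpolated, so the remaining calls are all list-form.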
@@ -117,33 +455,22 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; - #additional push route - $vpnsettings{'AD_ROUTE1'} = $cgiparams{'AD_ROUTE1'}; - $vpnsettings{'AD_ROUTE2'} = $cgiparams{'AD_ROUTE2'}; - $vpnsettings{'AD_ROUTE3'} = $cgiparams{'AD_ROUTE3'}; - #additional push route - - ################################################################################# - # Added by Philipp Jenni # - # # - # Contact: philipp.jenni-at-gmx.ch # - # Date: 2006-04-22 # - # Description: Add the FAST-IO Parameter from OpenVPN to the Zerina Config # - # Add the NICE Parameter from OpenVPN to the Zerina Config # - # Add the MTU-DISC Parameter from OpenVPN to the Zerina Config # - # Add the MSSFIX Parameter from OpenVPN to the Zerina Config # - # Add the FRAMGMENT Parameter from OpenVPN to the Zerina Config # - ################################################################################# - $vpnsettings{'EXTENDED_FASTIO'} = $cgiparams{'EXTENDED_FASTIO'}; - $vpnsettings{'EXTENDED_NICE'} = $cgiparams{'EXTENDED_NICE'}; - $vpnsettings{'EXTENDED_MTUDISC'} = $cgiparams{'EXTENDED_MTUDISC'}; - $vpnsettings{'EXTENDED_MSSFIX'} = $cgiparams{'EXTENDED_MSSFIX'}; - $vpnsettings{'EXTENDED_FRAGMENT'} = $cgiparams{'EXTENDED_FRAGMENT'}; - ################################################################################# - # End of Inserted Data # - ################################################################################# - + if ($cgiparams{'FRAGMENT'} eq '') { + delete $vpnsettings{'FRAGMENT'}; + } else { + if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) { + $errormessage = "Incorrect value, please insert only numbers."; + goto ADV_ERROR; + } else { + $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'}; + } + } + if ($cgiparams{'MSSFIX'} ne 'on') { + delete $vpnsettings{'MSSFIX'}; + } else { + $vpnsettings{'MSSFIX'} = 
$cgiparams{'MSSFIX'}; + } if ($cgiparams{'DHCP_DOMAIN'} ne ''){ unless (&General::validfqdn($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) { $errormessage = $Lang::tr{'invalid input for dhcp domain'}; @@ -162,25 +489,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { goto ADV_ERROR; } } - if ($cgiparams{'AD_ROUTE1'} ne ''){ - if (! &General::validipandmask($cgiparams{'AD_ROUTE1'})) { - $errormessage = $Lang::tr{'route subnet is invalid'}; - goto ADV_ERROR; - } - } - if ($cgiparams{'AD_ROUTE2'} ne ''){ - if (! &General::validipandmask($cgiparams{'AD_ROUTE2'})) { - $errormessage = $Lang::tr{'route subnet is invalid'}; - goto ADV_ERROR; - } - } - if ($cgiparams{'AD_ROUTE3'} ne ''){ - if (! &General::validipandmask($cgiparams{'AD_ROUTE3'})) { - $errormessage = $Lang::tr{'route subnet is invalid'}; - goto ADV_ERROR; - } - } - if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) { $errormessage = $Lang::tr{'invalid input for max clients'}; goto ADV_ERROR; 
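Review bot: The FRAGMENT check `if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/)` lets a trailing newline through, because `$` matches before a final `\n`, and the accepted value is later printed verbatim into `server.conf` by `writeserverconf`; `if ($cgiparams{'FRAGMENT'} !~ /\A[0-9]+\z/)` closes that, and an upper bound would make sense since `fragment` is a packet size. The error text `"Incorrect value, please insert only numbers."` is a hard-coded English string while every neighbouring check uses `$Lang::tr{...}`; a translation key keeps the block consistent. The enclosing `save-adv-options` block starts before the hunk.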
@@ -203,47 +511,81 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { } &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); - &Ovpnfunc::writeserverconf();#hier ok + &writeserverconf();#hier ok } + + + ### ### Save main settings ### if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too, #DAN this value has to leave. if ($cgiparams{'ENABLED'} eq 'on'){ unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) { $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SETTINGS_ERROR; + goto SETTINGS_ERROR; } } if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); + &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); } if ($errormessage) { goto SETTINGS_ERROR; } if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); + &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); } if ($errormessage) { goto SETTINGS_ERROR; } if (! 
&General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { - $errormessage = $Lang::tr{'ovpn subnet is invalid'}; - goto SETTINGS_ERROR; - } - my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'DOVPN_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #plausi1 - $errormessage = &Ovpnfunc::ovelapplausi($tmpovpnsubnet[0],$tmpovpnsubnet[1]); - #plausi1 + $errormessage = $Lang::tr{'ovpn subnet is invalid'}; + goto SETTINGS_ERROR; + } + my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'}); + + if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}"; + goto SETTINGS_ERROR; + } + open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; + while () + { + chomp($_); + my @tempalias = split(/\,/,$_); + if ($tempalias[1] eq 'on') { + if (&General::IpInSubnet ($tempalias[0] , + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]"; + } + } + } + close(ALIASES); if ($errormessage ne ''){ - goto SETTINGS_ERROR; + goto 
SETTINGS_ERROR; } if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; @@ -255,17 +597,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg } unless (&General::validport($cgiparams{'DDEST_PORT'})) { - $errormessage = $Lang::tr{'invalid port'}; - goto SETTINGS_ERROR; + $errormessage = $Lang::tr{'invalid port'}; + goto SETTINGS_ERROR; } - #hhh - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($confighash{$dkey}[14] eq $cgiparams{'DPROTOCOL'} && $confighash{$dkey}[15] eq $cgiparams{'DDEST_PORT'}){ - $errormessage = "Choosed Protocol/Port combination is already used by connection: $confighash{$dkey}[1]"; - goto SETTINGS_ERROR; - } - } - #hhh $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -278,9 +612,14 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; +#wrtie enable + + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");} + if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");} #new settings for daemon &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); - &Ovpnfunc::writeserverconf();#hier ok + &writeserverconf();#hier ok SETTINGS_ERROR: ### ### Reset all step 2 
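Review bot: The new overlap checks call `&General::IpInSubnet` with `$netsettings{'BLUE_ADDRESS'}` and `$netsettings{'ORANGE_ADDRESS'}` unconditionally, although this same patch adds `haveBlueNet`/`haveOrangeNet` for exactly that case; on a RED+GREEN box those keys are empty and the outcome depends on how `IpInSubnet` treats an empty address. Guarding them, e.g. `if (&haveBlueNet() && &General::IpInSubnet($netsettings{'BLUE_ADDRESS'}, $tmpovpnsubnet[0], $tmpovpnsubnet[1]))` and likewise for orange, makes the intent explicit. With the `cidrormask` conversion removed, `$tmpovpnsubnet[1]` is now whatever the admin typed; if `validipandmask` accepts a prefix length, a `/24` reaches the `server` line in `server.conf`, which expects a dotted mask — worth confirming. The `while ()` after `open(ALIASES, …)` looks like a stripped `<ALIASES>` in the rendering; that open is also bareword and two-arg, and `open(my $aliases, '<', "${General::swroot}/ethernet/aliases")` would be the modern form. The enclosing `save` block starts before the hunk.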
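Review bot: The three `enable*` marker lines shell out — `system("touch … 2>/dev/null")` and `system("unlink … 2>/dev/null")` — to create and remove files Perl handles directly, and the return values are discarded, so a failure to drop the `enable` marker goes unnoticed. `open(my $fh, '>', "${General::swroot}/ovpn/enable") and close $fh` for the on case and `unlink("${General::swroot}/ovpn/enable")` for the off case avoid the shell and can be checked. The string only interpolates `${General::swroot}`, so this is cleanliness rather than an injection concern. The enclosing `save` block starts before the hunk.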
@@ -290,25 +629,26 @@ SETTINGS_ERROR: &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); foreach my $key (keys %confighash) { - if ($confighash{$key}[4] eq 'cert') { - delete $confighash{$cgiparams{'$key'}}; - } + if ($confighash{$key}[4] eq 'cert') { + delete $confighash{$cgiparams{'$key'}}; + } } while ($file = glob("${General::swroot}/ovpn/ca/*")) { - unlink $file + unlink $file } while ($file = glob("${General::swroot}/ovpn/certs/*")) { - unlink $file + unlink $file } while ($file = glob("${General::swroot}/ovpn/crls/*")) { - unlink $file + unlink $file } - &Ovpnfunc::cleanssldatabase(); + &cleanssldatabase(); if (open(FILE, ">${General::swroot}/ovpn/caconfig")) { print FILE ""; close FILE; } &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); ### ### Reset all step 1 ### 
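Review bot: The re-indented loop deletes `$confighash{$cgiparams{'$key'}}` — `'$key'` in single quotes is the literal string `$key`, so the expression looks up `$cgiparams{'$key'}` (undef) and never removes the `cert` entries it iterates over, while the certificate files themselves are unlinked just below; the intended line is `delete $confighash{$key};`. The defect predates the commit, but these lines are rewritten here, so it is a cheap fix to fold in. The enclosing reset block starts before the hunk.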
@@ -355,34 +695,34 @@ END # Check if there is no other entry with this name foreach my $key (keys %cahash) { - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { - $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; - goto UPLOADCA_ERROR; - } + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { + $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; + goto UPLOADCA_ERROR; + } } if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; } # Move uploaded ca to a temporary file (my $fh, my $filename) = tempfile( ); if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; + $errormessage = $!; + goto UPLOADCA_ERROR; } my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - unlink ($filename); - goto UPLOADCA_ERROR; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + unlink ($filename); + goto UPLOADCA_ERROR; } else { - move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } + move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } } my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`; 
@@ -396,13 +736,33 @@ END $cahash{$key}[0] = $cgiparams{'CA_NAME'}; $cahash{$key}[1] = $casubject; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); +# system('/usr/local/bin/ipsecctrl', 'R'); + UPLOADCA_ERROR: ### ### Display ca certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { - &Ovpnfunc::displayca($cgiparams{'KEY'}); + &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); + + if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', $errormessage); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } + ### ### Download ca certificate ### @@ -429,15 +789,22 @@ END foreach my $key (keys %confighash) { my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; if ($test =~ /: OK/) { + # Delete connection +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $key); +# } unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem"); unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12"); delete $confighash{$key}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); +# &writeipsecfiles(); } } unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); +# system('/usr/local/bin/ipsecctrl', 'R'); } else { $errormessage = $Lang::tr{'invalid key'}; } 
@@ -489,8 +856,27 @@ END ### ### Display root certificate ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - &Ovpnfunc::displayroothost($cgiparams{'ACTION'}); +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || + $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { + my $output; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { + &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + } else { + &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + } + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + ### ### Download root certificate ### @@ -799,11 +1185,11 @@ END unlink ("${General::swroot}/ovpn/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); unlink ("${General::swroot}/ovpn/certs/servercert.pem"); - &Ovpnfunc::newcleanssldatabase(); + &newcleanssldatabase(); goto ROOTCERT_ERROR; } else { unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); - &Ovpnfunc::deletebackupcert(); + &deletebackupcert(); } # Create an empty CRL @@ -816,8 +1202,10 @@ END unlink ("${General::swroot}/ovpn/certs/servercert.pem"); unlink ("${General::swroot}/ovpn/ca/cacert.pem"); unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); - &Ovpnfunc::cleanssldatabase(); + &cleanssldatabase(); goto ROOTCERT_ERROR; +# } else { +# &cleanssldatabase(); } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', @@ -830,8 +1218,10 @@ END unlink ("${General::swroot}/ovpn/ca/cacert.pem"); unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - &Ovpnfunc::cleanssldatabase(); + &cleanssldatabase(); goto ROOTCERT_ERROR; +# } else { +# &cleanssldatabase(); } goto ROOTCERT_SUCCESS; } 
@@ -916,33 +1306,40 @@ END ROOTCERT_SUCCESS: system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem"); +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLE_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S'); +# } ### ### Enable/Disable connection ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { + + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ($confighash{$cgiparams{'KEY'}}) { - my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1].conf|grep -v grep|awk \'{print \$1}\'`; - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { - $confighash{$cgiparams{'KEY'}}[0] = 'on'; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($n2nactive eq ''){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } else { - system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive); - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } - } else { - $confighash{$cgiparams{'KEY'}}[0] = 'off'; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive); - } - } - } else { - $errormessage = $Lang::tr{'invalid key'}; + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); +# } + } else { + $confighash{$cgiparams{'KEY'}}[0] = 'off'; +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } + 
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); } + } else { + $errormessage = $Lang::tr{'invalid key'}; + } ### ### Download OpenVPN client package 
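Review bot: After this change the toggle only flips field `[0]` in `ovpnconfig` and writes the hash; the removed `-sn2n`/`-kn2n` calls were what actually started or stopped the connection, and their replacements (`ipsecctrl`, `writeserverconf`) are commented out, so a connection switched to 'off' appears to keep running until something else restarts the daemon — if that is intended, a comment stating what applies the change would help. `%vpnsettings` is read at the top of the branch but is only referenced inside the commented blocks, so either the read or the dead code should go. The branch is otherwise complete within the hunk.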
@@ -953,69 +1350,51 @@ END my $file = ''; my $clientovpn = ''; my @fileholder; - my $uhost3 = ''; - my $uhost = `/bin/uname -n`; - if ($uhost ne '') { - my @uhost2 = split /\./, $uhost; - $uhost3 = $uhost2[0]; - } else { - $uhost3 = "IPFire"; - } my $tempdir = tempdir( CLEANUP => 1 ); my $zippath = "$tempdir/"; - my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-$uhost3.zip"; + my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip"; my $zippathname = "$zippath$zipname"; - #anna - if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - $zerinaclient = 'true'; - &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient); - exit(0); - } - $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-$uhost3.ovpn"; - open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $clientovpn $!"; + $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn"; + open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!"; flock CLIENTCONF, 2; my $zip = Archive::Zip->new(); - print CLIENTCONF "#OpenVPN Client conf\r\n"; + print CLIENTCONF "#OpenVPN Server conf\r\n"; print CLIENTCONF "tls-client\r\n"; print CLIENTCONF "client\r\n"; print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n"; - if ($vpnsettings{'DPROTOCOL'} eq 'tcp') { - print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}-client\r\n"; - } else { - print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; - } + print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; - if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&Ovpnfunc::haveBlueNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n"; - print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' 
&& (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; - print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&Ovpnfunc::haveBlueNet())){ - print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; - print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n"; + print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + } + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; + print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + } + } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ + print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; + print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + } + } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + 
print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; } else { - print CLIENTCONF "ca cacert.pem\r\n"; - print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; - print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; - $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; + print CLIENTCONF "ca cacert.pem\r\n"; + print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; + print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; if ($vpnsettings{DCOMPLZO} eq 'on') { 
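Review bot: The new `open(CLIENTCONF, ">$tempdir/$clientovpn")` is still a two-argument open on a bareword handle with an interpolated name; use the three-argument form, `open(CLIENTCONF, '>', "$tempdir/$clientovpn") or die "Unable to open tempfile: $!";`, so the file name can never change the open mode. `$clientovpn` is derived from the connection name, which appears to be restricted to `[a-zA-Z0-9]+` in the save path further down, but this branch does not check that `$confighash{$cgiparams{'KEY'}}` exists before dereferencing it. The new header line `#OpenVPN Server conf` is wrong for a file handed to clients; the removed `#OpenVPN Client conf` was correct. `flock CLIENTCONF, 2;` would read better as `flock CLIENTCONF, LOCK_EX;` with `use Fcntl qw(:flock);`.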
@@ -1023,6 +1402,13 @@ END
 }
 print CLIENTCONF "verb 3\r\n";
 print CLIENTCONF "ns-cert-type server\r\n";
+ print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n";
+ if ($vpnsettings{MSSFIX} eq 'on') {
+ print CLIENTCONF "mssfix\r\n";
+ }
+ if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
+ print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
+ }
 close(CLIENTCONF);
 $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
 my $status = $zip->writeToFileNamed($zippathname);
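Review bot: `tls-remote $vpnsettings{ROOTCERT_HOSTNAME}` is emitted unconditionally, so an empty ROOTCERT_HOSTNAME produces a bare `tls-remote` line in every exported client config; guard it the way the fragment option is guarded, `if ($vpnsettings{ROOTCERT_HOSTNAME} ne '') { print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n"; }`, or treat an empty value as a configuration error, since together with `ns-cert-type server` this directive is what pins the client to the expected server certificate. Note that `tls-remote` is deprecated in OpenVPN and was removed in 2.4 in favour of `verify-x509-name`, so exported configs will need that directive for newer clients. `$vpnsettings{'FRAGMENT'}` is interpolated after only a non-empty test; if the advanced-settings save path does not already validate it as an integer, that check belongs there.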
@@ -1040,24 +1426,22 @@ END
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {
 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
 &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- if ($confighash{$cgiparams{'KEY'}}) {
- if ($confighash{$cgiparams{'KEY'}}[19] eq 'yes') {
- &Ovpnfunc::killconnection($cgiparams{'KEY'});
- &Ovpnfunc::removenet2netconf($cgiparams{'KEY'});
- delete $confighash{$cgiparams{'KEY'}};
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- } else {
- my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
- unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
- unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
- &Ovpnfunc::killconnection($cgiparams{'KEY'});
- &Ovpnfunc::removenet2netconf($cgiparams{'KEY'});
- delete $confighash{$cgiparams{'KEY'}};
- my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- }
+
+ if ($confighash{$cgiparams{'KEY'}}) {
+# if ($vpnsettings{'ENABLED'} eq 'on' ||
+# $vpnsettings{'ENABLED_BLUE'} eq 'on') {
+# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'});
+# }
+#
+ my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+ unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+ unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+ delete $confighash{$cgiparams{'KEY'}};
+ my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`;
+ 
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } ### ### Download PKCS12 file @@ -1077,36 +1461,38 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
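Review bot: The exit status of the two backtick `openssl ca` commands in the new remove branch is never checked: `$temp` and `$temp2` only capture stdout, so if `-revoke` or `-gencrl` fails the certificate files are still unlinked and the entry is deleted from ovpnconfig, while the CRL no longer records the revocation and the client's certificate remains acceptable to the server. Test `$?` after each call (or switch to list-form `system('/usr/bin/openssl', 'ca', '-revoke', $certpath, '-config', $cnfpath) == 0`) and set `$errormessage` instead of continuing; only after both succeed should the files be unlinked and the hash entry removed. The revoke also appears to run before the certificate's existence is confirmed, so a stale entry produces an openssl error that is silently discarded.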
$output
\n"; - &Header::closebox(); - print "
$Lang::tr{'back'}
"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } ### ### Display Certificate Revoke List ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { +# &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print "
$Lang::tr{'back'}
"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); + my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print "
$Lang::tr{'back'}
"; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } ### @@ -1119,29 +1505,33 @@ END %confighash = (); &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); +# if ($cgiparams{'CLIENT2CLIENT'} eq '') { +# $cgiparams{'CLIENT2CLIENT'} = 'on'; +# } ADV_ERROR: if ($cgiparams{'MAX_CLIENTS'} eq '') { - $cgiparams{'MAX_CLIENTS'} = '100'; + $cgiparams{'MAX_CLIENTS'} = '100'; } if ($cgiparams{'KEEPALIVE_1'} eq '') { - $cgiparams{'KEEPALIVE_1'} = '10'; + $cgiparams{'KEEPALIVE_1'} = '10'; } if ($cgiparams{'KEEPALIVE_2'} eq '') { - $cgiparams{'KEEPALIVE_2'} = '60'; + $cgiparams{'KEEPALIVE_2'} = '60'; } if ($cgiparams{'LOG_VERB'} eq '') { - $cgiparams{'LOG_VERB'} = '3'; + $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'EXTENDED_NICE'} eq '') { - $cgiparams{'EXTENDED_NICE'} = '0'; - } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; + $checked{'MSSFIX'}{'off'} = ''; + $checked{'MSSFIX'}{'on'} = ''; + $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; $selected{'LOG_VERB'}{'3'} = ''; 
@@ -1156,43 +1546,16 @@ ADV_ERROR: $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - ################################################################################# - # Added by Philipp Jenni # - # # - # Contact: philipp.jenni-at-gmx.ch # - # Date: 2006-04-22 # - # Description: Definitions to set the FASTIO Checkbox # - # Definitions to set the MTUDISC Checkbox # - # Definitions to set the NICE Selectionbox # - ################################################################################# - $checked{'EXTENDED_FASTIO'}{'off'} = ''; - $checked{'EXTENDED_FASTIO'}{'on'} = ''; - $checked{'EXTENDED_FASTIO'}{$cgiparams{'EXTENDED_FASTIO'}} = 'CHECKED'; - $checked{'EXTENDED_MTUDISC'}{'off'} = ''; - $checked{'EXTENDED_MTUDISC'}{'on'} = ''; - $checked{'EXTENDED_MTUDISC'}{$cgiparams{'EXTENDED_MTUDISC'}} = 'CHECKED'; - $selected{'EXTENDED_NICE'}{'-13'} = ''; - $selected{'EXTENDED_NICE'}{'-10'} = ''; - $selected{'EXTENDED_NICE'}{'-7'} = ''; - $selected{'EXTENDED_NICE'}{'-3'} = ''; - $selected{'EXTENDED_NICE'}{'0'} = ''; - $selected{'EXTENDED_NICE'}{'3'} = ''; - $selected{'EXTENDED_NICE'}{'7'} = ''; - $selected{'EXTENDED_NICE'}{'10'} = ''; - $selected{'EXTENDED_NICE'}{'13'} = ''; - $selected{'EXTENDED_NICE'}{$cgiparams{'EXTENDED_NICE'}} = 'SELECTED'; - ################################################################################# - # End of inserted Data # - ################################################################################# + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); if ($errormessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); + &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); print <
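Review bot: `$selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED';` is not preceded by initialising the other engine options to '', unlike LOG_VERB directly below it, and ENGINES receives no default when it is empty, so whatever the form later reads for the non-selected engines is undef rather than ''. Seed the map the same way, e.g. `$selected{'ENGINES'}{$_} = '' for @engine_options;` (constructed name; use whichever list the form iterates) before assigning SELECTED, and give ENGINES a default alongside MAX_CLIENTS/KEEPALIVE/LOG_VERB when it is ''.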
- - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'add-route'}
$Lang::tr{'subnet'} 1
$Lang::tr{'subnet'} 2
$Lang::tr{'subnet'} 3
-
- - + @@ -1258,85 +1598,50 @@ ADV_ERROR: - + - - - - - - + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + +
$Lang::tr{'misc-options'}
Client-To-Client
Max-Clients
Keppalive (ping/ping-restart)
Keppalive
+ (ping/ping-restart)
$Lang::tr{'ovpn_processprio'} - -
$Lang::tr{'ovpn_fastio'} - -
$Lang::tr{'ovpn_mtudisc'} - -
$Lang::tr{'ovpn_mssfix'} - -
$Lang::tr{'ovpn_fragment'} - -
fragment
Default: 1300
mssfixDefault: on
- - +
+ + + + + + + + +
Crypto-Engines
Engines: +
+-->
- + @@ -1351,23 +1656,7 @@ ADV_ERROR: - - - - - +
$Lang::tr{'log-options'}
VERB

@@ -1383,6 +1672,7 @@ END ; &Header::closebox(); +# print ""; &Header::closebigbox(); &Header::closepage(); exit(0); @@ -1431,6 +1721,7 @@ END @match = split( /^Updated,(.+)/, $line); $status = $match[1]; } +#gian if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); if ($match[1] ne "Common Name") { @@ -1438,8 +1729,8 @@ END $userlookup{$match[2]} = $uid; $users[$uid]{'CommonName'} = $match[1]; $users[$uid]{'RealAddress'} = $match[2]; - $users[$uid]{'BytesReceived'} = &Ovpnfunc::sizeformat($match[3]); - $users[$uid]{'BytesSent'} = &Ovpnfunc::sizeformat($match[4]); + $users[$uid]{'BytesReceived'} = &sizeformat($match[3]); + $users[$uid]{'BytesSent'} = &sizeformat($match[4]); $users[$uid]{'Since'} = $match[5]; $users[$uid]{'Proto'} = $proto; $uid++; @@ -1460,9 +1751,9 @@ END if ($user2 >= 1){ for (my $idx = 1; $idx <= $user2; $idx++){ if ($idx % 2) { - print "\n"; + print "\n"; } else { - print "\n"; + print "\n"; } print ""; print ""; 
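Review bot: `#gian` is a personal marker left in the status-parsing loop (`@@ -1431`) that explains nothing; the same applies to `#test33` after the duplicated remove branch (`@@ -1512`) and to the commented-out `# print ""...` line added in `@@ -1383`. Delete them, or replace the first with a comment that states what the following regex extracts from the status file.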
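Review bot: The helper is now called as `&sizeformat($match[3])` and `&sizeformat($match[4])` in `@@ -1438`; the `&` call form bypasses prototypes and reads as a leftover from the `&Ovpnfunc::` qualified calls it replaces, so `sizeformat($match[3])` is the cleaner form. If `sizeformat` was moved into this file rather than imported, a short comment above the loop saying where it now lives would help readers who still look for `Ovpnfunc`.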
@@ -1497,11 +1788,42 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) { &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; - print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - exit (0); + print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; + print "Content-Type: application/octet-stream\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + exit (0); + } + +### +### Enable/Disable connection +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { + + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); +# } + } else { + $confighash{$cgiparams{'KEY'}}[0] = 'off'; +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); + } + } else { + $errormessage = $Lang::tr{'invalid key'}; } ### 
@@ -1512,9 +1834,35 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}) { +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); +# } + } else { + $errormessage = $Lang::tr{'invalid key'}; + } + +### +### Remove connection +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + if ($confighash{$cgiparams{'KEY'}}) { +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } +#test33 ### ### Choose between adding a host-net or net-net connection @@ -1524,16 +1872,15 @@ END &Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "Net to Net $Lang::tr{'connection type'}"); + &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'}); print <$Lang::tr{'connection type'}:
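Review bot: The `toggle enable disable` branch added at the end of `@@ -1497` is a second `elsif` with the same condition as the one at `@@ -916`, so it can never be reached; the same holds for the second `remove` branch in `@@ -1512`, which unlike the reachable copy at `@@ -1040` neither revokes the certificate nor regenerates the CRL, so if the first copy were ever removed, deleting a connection would silently stop revoking its certificate. Delete both duplicates. In the download branch, `print \`/bin/cat ...cert.pem\`` spawns a shell to read a file; `open my $fh, '<', $certpath or die $!; print <$fh>;` reads it without a shell, and the response header would be more explicit as `Content-Disposition: attachment; filename=...`.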
-
$users[$idx-1]{'CommonName'}$users[$idx-1]{'RealAddress'}
- +
+ + + - - - - +
$Lang::tr{'host to net vpn'}
$Lang::tr{'net to net vpn'}
upload a ZERINA Net-to-Net package
END ; 
@@ -1541,884 +1888,585 @@ END &Header::closebigbox(); &Header::closepage(); exit (0); - ### -### uploading a ZERINA n2n connection package +### Adding a new connection ### -} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - my @zerinaconf; - my @confdetails; - my $uplconffilename =''; - my $uplp12name = ''; - my $complzoactive =''; - my @rem_subnet; - my @rem_subnet2; - my @tmposupnet3; - my $key; - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -# Move uploaded ZERINA n2n package to a temporary file - if (ref ($cgiparams{'FH'}) ne 'Fh') { +} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || + ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || + ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) { + + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { + if (! 
$confighash{$cgiparams{'KEY'}}[0]) { + $errormessage = $Lang::tr{'invalid key'}; + goto VPNCONF_END; + } + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; +#new fields + $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; +#new fields +#ab hiere error uebernehmen + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { + $errormessage = $Lang::tr{'connection type is invalid'}; + goto VPNCONF_ERROR; + } + + + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { + $errormessage = $Lang::tr{'name is invalid'}; + goto VPNCONF_ERROR; + } + + if (length($cgiparams{'NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + +# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { +# $errormessage = $Lang::tr{'ipfire side is invalid'}; +# goto VPNCONF_ERROR; +# } + + # Check if 
there is no other entry with this name + if (! $cgiparams{'KEY'}) { + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + goto VPNCONF_ERROR; + } + } + } + + if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'REMOTE'}) { + if (! &General::validip($cgiparams{'REMOTE'})) { + if (! &General::validfqdn ($cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + goto VPNCONF_ERROR; + } else { + if (&valid_dns_host($cgiparams{'REMOTE'})) { + $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; + } + } + } + } + if ($cgiparams{'TYPE'} ne 'host') { + unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { + $errormessage = $Lang::tr{'local subnet is invalid'}; + goto VPNCONF_ERROR;} + } + # Check if there is no other entry without IP-address and PSK + if ($cgiparams{'REMOTE'} eq '') { + foreach my $key (keys %confighash) { + if(($cgiparams{'KEY'} ne $key) && + ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && + $confighash{$key}[10] eq '') { + $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; + goto VPNCONF_ERROR; + } + } + } + if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { + $errormessage = $Lang::tr{'remote subnet is invalid'}; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + +#fixplausi + if ($cgiparams{'AUTH'} eq 'psk') { +# if (! 
length($cgiparams{'PSK'}) ) { +# $errormessage = $Lang::tr{'pre-shared key is too short'}; +# goto VPNCONF_ERROR; +# } +# if ($cgiparams{'PSK'} =~ /['",&]/) { +# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; +# goto VPNCONF_ERROR; +# } + } elsif ($cgiparams{'AUTH'} eq 'certreq') { + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { $errormessage = $Lang::tr{'there was no file upload'}; - goto ZERINA_ERROR; - } - # Move uploaded ca to a temporary file - (my $fh, my $filename) = tempfile( ); - if (copy ($cgiparams{'FH'}, $fh) != 1) { + goto VPNCONF_ERROR; + } + + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { $errormessage = $!; - goto ZERINA_ERROR; - } - - my $zip = Archive::Zip->new(); - my $zipName = $filename; - my $status = $zip->read( $zipName ); - if ($status != AZ_OK) { - $errormessage = "Read of $zipName failed\n"; - goto ZERINA_ERROR; - } - #my $tempdir = tempdir( CLEANUP => 1 ); - my $tempdir = tempdir(); - my @files = $zip->memberNames(); - for(@files) { - $zip->extractMemberWithoutPaths($_,"$tempdir/$_"); - } - my $countfiles = @files; - # see if we have 2 files - if ( $countfiles == 2){ - foreach (@files){ - if ( $_ =~ /.conf$/){ - $uplconffilename = $_; - } - if ( $_ =~ /.p12$/){ - $uplp12name = $_; - } + goto VPNCONF_ERROR; + } + + # Sign the certificate request and move it + # Sign the host certificate request + system('/usr/bin/openssl', 'ca', '-days', '999999', + '-batch', '-notext', + '-in', $filename, + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + if ($?) 
{ + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ($filename); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + &newcleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($filename); + &deletebackupcert(); + } + + my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $cgiparams{'CERT_NAME'} = $temp; + $cgiparams{'CERT_NAME'} =~ s/,//g; + $cgiparams{'CERT_NAME'} =~ s/\'//g; + if ($cgiparams{'CERT_NAME'} eq '') { + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } + } elsif ($cgiparams{'AUTH'} eq 'certfile') { + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } + # Move uploaded certificate to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; + } + + # Verify the certificate has a valid CA and move it + my $validca = 0; + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + } else { + foreach my $key (keys %cahash) { + $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + } } - if (($uplconffilename eq '') || ($uplp12name eq '')){ - $errormessage = "Either no *.conf or no *.p12 file found\n"; - goto ZERINA_ERROR; + } + if (! $validca) { + $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; + unlink ($filename); + goto VPNCONF_ERROR; + } else { + move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + if ($? 
ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto VPNCONF_ERROR; } - open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file'; - @zerinaconf = ; - close (FILE); - chomp(@zerinaconf); - } else { - # only 2 files are allowed - $errormessage = "Filecount does not match only 2 files are allowed\n"; - goto ZERINA_ERROR; - } - #prepare imported data not elegant, will be changed later - my $ufuk = (@zerinaconf); - push(@confdetails, substr($zerinaconf[0],4));#dev tun 0 - push(@confdetails, substr($zerinaconf[1],8));#mtu value 1 - push(@confdetails, substr($zerinaconf[2],6));#protocol 2 - if ($confdetails[2] eq 'tcp-client' || $confdetails[2] eq 'tcp-server') { - $confdetails[2] = 'tcp'; - } - push(@confdetails, substr($zerinaconf[3],5));#port 3 - push(@confdetails, substr($zerinaconf[4],9));#ovpn subnet 4 - push(@confdetails, substr($zerinaconf[5],7));#remote ip 5 - push(@confdetails, $zerinaconf[6]); #tls-server/tls-client 6 - push(@confdetails, substr($zerinaconf[7],7));#pkcs12 name 7 - push(@confdetails, substr($zerinaconf[$ufuk-1],1));#remote subnet 8 - push(@confdetails, substr($zerinaconf[9],10));#keepalive 9 - push(@confdetails, substr($zerinaconf[10],7));#cipher 10 - if ($ufuk == 14) { - push(@confdetails, $zerinaconf[$ufuk-3]);#complzo 11 - $complzoactive = "on"; + } + + my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $cgiparams{'CERT_NAME'} = $temp; + $cgiparams{'CERT_NAME'} =~ s/,//g; + $cgiparams{'CERT_NAME'} =~ s/\'//g; + if ($cgiparams{'CERT_NAME'} eq '') { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } + } elsif ($cgiparams{'AUTH'} eq 'certgen') { + if ($cgiparams{'KEY'}) { + $errormessage = 
$Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + # Validate input since the form was submitted + if (length($cgiparams{'CERT_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + $errormessage = $Lang::tr{'invalid input for name'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){ + if (length($cgiparams{'CERT_PASS1'}) < 5) { + $errormessage = $Lang::tr{'password too short'}; + goto VPNCONF_ERROR; + } + } + if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { + $errormessage = $Lang::tr{'passwords do not match'}; + goto VPNCONF_ERROR; + } + + # 
Replace empty strings with a . + (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; + (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; + (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; + + # Create the Host certificate request client + my $pid = open(OPENSSL, "|-"); + $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;}; + if ($pid) { # parent + print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n"; + print OPENSSL "$state\n"; + print OPENSSL "$city\n"; + print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n"; + print OPENSSL "$ou\n"; + print OPENSSL "$cgiparams{'CERT_NAME'}\n"; + print OPENSSL "$cgiparams{'CERT_EMAIL'}\n"; + print OPENSSL ".\n"; + print OPENSSL ".\n"; + close (OPENSSL); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; + } + } else { # child + unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + '-newkey', 'rsa:1024', + '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + $errormessage = "$Lang::tr{'cant start openssl'}: $!"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; + } + } + + # Sign the host certificate request + system('/usr/bin/openssl', 'ca', '-days', '999999', + '-batch', '-notext', + '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + if ($?) 
{ + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + &newcleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + &deletebackupcert(); + } + + # Create the pkcs12 file + system('/usr/bin/openssl', 'pkcs12', '-export', + '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", + '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-name', $cgiparams{'NAME'}, + '-passout', "pass:$cgiparams{'CERT_PASS1'}", + '-certfile', "${General::swroot}/ovpn/ca/cacert.pem", + '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + } + } elsif ($cgiparams{'AUTH'} eq 'cert') { + ;# Nothing, just editing } else { - $complzoactive = "off"; - } - push(@confdetails, substr($zerinaconf[$ufuk-2],5));#verb 12 - push(@confdetails, substr($zerinaconf[8],6));#localsubnet 13 - #push(@confdetails, substr($uplconffilename,0,-5));#connection Name 14 - push(@confdetails, substr($uplp12name,0,-4));#connection Name 14 - #chomp(@confdetails); - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($confighash{$dkey}[1] eq $confdetails[$ufuk]) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto ZERINA_ERROR; + $errormessage = $Lang::tr{'invalid input for authentication 
method'}; + goto VPNCONF_ERROR; + } + + # Check if there is no other entry with this common name + if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) { + foreach my $key (keys %confighash) { + if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { + $errormessage = $Lang::tr{'a connection with this common name already exists'}; + goto VPNCONF_ERROR; } + } } - if ($confdetails[$ufuk] eq 'server') { - $errormessage = $Lang::tr{'server reserved'}; - goto ZERINA_ERROR; + + # Save the config + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (\%confighash); + foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";} } - @rem_subnet2 = split(/ /,$confdetails[4]); - @tmposupnet3 = split /\./,$rem_subnet2[0]; - $errormessage = &Ovpnfunc::ovelapplausi("$tmposupnet3[0].$tmposupnet3[1].$tmposupnet3[2].0","255.255.255.0"); - if ($errormessage ne ''){ - goto ZERINA_ERROR; + $confighash{$key}[0] = $cgiparams{'ENABLED'}; + $confighash{$key}[1] = $cgiparams{'NAME'}; + if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; } - - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 
42) { $confighash{$key}[$i] = "";} - $confighash{$key}[0] = 'off'; - $confighash{$key}[1] = $confdetails[$ufuk]; - #$confighash{$key}[2] = $confdetails[7]; - $confighash{$key}[2] = $confdetails[$ufuk]; - $confighash{$key}[3] = 'net'; - $confighash{$key}[4] = 'cert'; - $confighash{$key}[6] = 'client'; - $confighash{$key}[8] = $confdetails[8]; - @rem_subnet = split(/ /,$confdetails[$ufuk-1]); - $confighash{$key}[11] = "$rem_subnet[0]/$rem_subnet[1]"; - $confighash{$key}[10] = $confdetails[5]; - $confighash{$key}[25] = 'imported'; - $confighash{$key}[12] = 'red'; - my @tmposupnet = split(/ /,$confdetails[4]); - my @tmposupnet2 = split /\./,$tmposupnet[0]; - $confighash{$key}[13] = "$tmposupnet2[0].$tmposupnet2[1].$tmposupnet2[2].0/255.255.255.0"; - $confighash{$key}[14] = $confdetails[2]; - $confighash{$key}[15] = $confdetails[3]; - $confighash{$key}[16] = $complzoactive; - $confighash{$key}[17] = $confdetails[1]; - $confighash{$key}[18] = '';# nn2nvpn_ip - $confighash{$key}[19] = 'yes';# nn2nvpn_ip - $confighash{$key}[20] = $confdetails[10]; - $cgiparams{'KEY'} = $key; + $confighash{$key}[3] = $cgiparams{'TYPE'}; + if ($cgiparams{'AUTH'} eq 'psk') { + $confighash{$key}[4] = 'psk'; + $confighash{$key}[5] = $cgiparams{'PSK'}; + } else { + $confighash{$key}[4] = 'cert'; + } + if ($cgiparams{'TYPE'} eq 'net') { + $confighash{$key}[6] = $cgiparams{'SIDE'}; + $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; + } + $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; + $confighash{$key}[10] = $cgiparams{'REMOTE'}; + $confighash{$key}[25] = $cgiparams{'REMARK'}; + $confighash{$key}[26] = $cgiparams{'INTERFACE'}; +# new fields + $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'}; + $confighash{$key}[28] = $cgiparams{'PROTOCOL'}; + $confighash{$key}[29] = $cgiparams{'DEST_PORT'}; + $confighash{$key}[30] = $cgiparams{'COMPLZO'}; + $confighash{$key}[31] = $cgiparams{'MTU'}; +# new fileds &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - 
mkdir("${General::swroot}/ovpn/n2nconf/$confdetails[$ufuk]", 0770); - move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$confdetails[$ufuk]/$uplconffilename"); - if ($? ne 0) { - $errormessage = "*.conf move failed: $!"; - unlink ($filename); - goto ZERINA_ERROR; + if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { + $cgiparams{'KEY'} = $key; + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; } - move("$tempdir/$uplp12name", "${General::swroot}/ovpn/n2nconf/$confdetails[$ufuk]/$uplp12name"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto ZERINA_ERROR; - } - ZERINA_ERROR: - + goto VPNCONF_END; + } else { + $cgiparams{'ENABLED'} = 'on'; + $cgiparams{'SIDE'} = 'left'; + if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { + $cgiparams{'AUTH'} = 'psk'; + } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") { + $cgiparams{'AUTH'} = 'certfile'; + } else { + $cgiparams{'AUTH'} = 'certgen'; + } + $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; + $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; + $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; + $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; + } + + VPNCONF_ERROR: + $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'on'} = ''; + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; + $checked{'ENABLED_BLUE'}{'off'} = ''; + $checked{'ENABLED_BLUE'}{'on'} = ''; + $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED'; + $checked{'ENABLED_ORANGE'}{'off'} = ''; + $checked{'ENABLED_ORANGE'}{'on'} = ''; + $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; + + + $checked{'EDIT_ADVANCED'}{'off'} = ''; + $checked{'EDIT_ADVANCED'}{'on'} = ''; + $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED'; + + $selected{'SIDE'}{'server'} = ''; + 
$selected{'SIDE'}{'client'} = ''; + $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED'; + + $checked{'AUTH'}{'psk'} = ''; + $checked{'AUTH'}{'certreq'} = ''; + $checked{'AUTH'}{'certgen'} = ''; + $checked{'AUTH'}{'certfile'} = ''; + $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED'; + + $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED'; + + $checked{'COMPLZO'}{'off'} = ''; + $checked{'COMPLZO'}{'on'} = ''; + $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED'; + + + if (1) { &Header::showhttpheaders(); - &Header::openpage('Validate imported configuration', 1, ''); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); print "$errormessage"; print " "; - &Header::closebox(); - } else { - &Header::openbox('100%', 'LEFT', 'Validate imported configuration'); - } - if ($errormessage eq ''){ - print < -   -   - $Lang::tr{'name'}: - $confdetails[$ufuk] + &Header::closebox(); + } + + if ($warnmessage) { + &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:"); + print "$warnmessage"; + print " "; + &Header::closebox(); + } + + print "
"; + print ""; + + if ($cgiparams{'KEY'}) { + print ""; + print ""; + } + + &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:"); + print "\n"; + print ""; + if ($cgiparams{'TYPE'} eq 'host') { + if ($cgiparams{'KEY'}) { + print "\n"; + } else { + print ""; + } +# print ""; +# print ""; +# print <"; + if ($cgiparams{'KEY'}) { + print ""; + } else { + print ""; + } + print <  + - - - + + + - - - + + + +ttt - + - - - - - - - - - + + + + + + + + + END -; - - &Header::closebox(); + ; } - if ($errormessage) { - print ""; - } else { - print "
"; - print ""; - print ""; - print "
"; - } - &Header::closebigbox(); - &Header::closepage(); - exit(0); - -### -### Approve Zerina n2n -### -} elsif (($cgiparams{'ACTION'} eq 'Approved') && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient); -### -### Discard Zerina n2n -### -} elsif (($cgiparams{'ACTION'} eq 'Discard') && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}) { - &Ovpnfunc::removenet2netconf(); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - } else { - $errormessage = $Lang::tr{'invalid key'}; - } -### -### Adding a new connection -### -} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) { - - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { - if (! 
$confighash{$cgiparams{'KEY'}}[0]) { - $errormessage = $Lang::tr{'invalid key'}; - goto VPNCONF_END; - } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; - $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[12]; - $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[13];#new fields - $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[14]; - $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[15]; - $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'N2NVPN_IP'} = $confighash{$cgiparams{'KEY'}}[18];#new fields - $cgiparams{'ZERINA_CLIENT'} = $confighash{$cgiparams{'KEY'}}[19];#new fields - $cgiparams{'CIPHER'} = $confighash{$cgiparams{'KEY'}}[20];#new fields - if ($cgiparams{'ZERINA_CLIENT'} eq ''){ - $cgiparams{'ZERINA_CLIENT'} = 'no'; - } - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {#ab hiere error uebernehmen - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - # n2n error - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { - $errormessage = $Lang::tr{'connection type is invalid'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault|server)$/) { - $errormessage = $Lang::tr{'name is invalid'}; - goto VPNCONF_ERROR; 
- } - if (length($cgiparams{'NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - if (! $cgiparams{'KEY'}) {# Check if there is no other entry with this name - foreach my $key (keys %confighash) { - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto VPNCONF_ERROR; - } - } - } - if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'REMOTE'}) { - if (! &General::validip($cgiparams{'REMOTE'})) { - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } else { - if (&Ovpnfunc::valid_dns_host($cgiparams{'REMOTE'})) { - $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. $Lang::tr{'dns check failed'}"; - } - } - } - } - if ($cgiparams{'TYPE'} ne 'host') { - unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { - $errormessage = $Lang::tr{'local subnet is invalid'}; - goto VPNCONF_ERROR; - } - } - #hier1 - my @tmpovpnsubnet = split("\/",$cgiparams{'LOCAL_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'LOCAL_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier1 - if ($cgiparams{'REMOTE'} eq '') {# Check if there is no other entry without IP-address and PSK - foreach my $key (keys %confighash) { - if(($cgiparams{'KEY'} ne $key) && ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && $confighash{$key}[10] eq '') { - $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; - goto VPNCONF_ERROR; - } - } - } - if (($cgiparams{'TYPE'} eq 'net') && (! 
&General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { - $errormessage = $Lang::tr{'remote subnet is invalid'}; - goto VPNCONF_ERROR; - } - #hier2 - my @tmpovpnsubnet = split("\/",$cgiparams{'REMOTE_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'REMOTE_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier2 - if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dest"); - } - if ($errormessage) { goto VPNCONF_ERROR; } - - if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::checkportfw(0,$cgiparams{'DEST_PORT'},$cgiparams{'PROTOCOL'},'0.0.0.0'); - } - if ($errormessage) { goto VPNCONF_ERROR; } -#raul - if ($cgiparams{'TYPE'} eq 'net') { - if (! 
&General::validipandmask($cgiparams{'OVPN_SUBNET'})) { - $errormessage = $Lang::tr{'ovpn subnet is invalid'}; - goto VPNCONF_ERROR; - } - #hier3 - my @tmpovpnsubnet = split("\/",$cgiparams{'OVPN_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'OVPN_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier3 - #plausi2 - $errormessage = &Ovpnfunc::ovelapplausi($tmpovpnsubnet[0],$tmpovpnsubnet[1]); - #plausi2 - if ($errormessage ne ''){ - goto VPNCONF_ERROR; - } - if ((length($cgiparams{'MTU'})==0) || (($cgiparams{'MTU'}) < 1000 )) { - $errormessage = $Lang::tr{'invalid mtu input'}; - goto VPNCONF_ERROR; - } - unless (&General::validport($cgiparams{'DEST_PORT'})) { - $errormessage = $Lang::tr{'invalid port'}; - goto VPNCONF_ERROR; - } - # check protcol/port overlap against existing connections gian - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($dkey ne $cgiparams{'KEY'}) { - if ($confighash{$dkey}[14] eq $cgiparams{'PROTOCOL'} && $confighash{$dkey}[15] eq $cgiparams{'DEST_PORT'}){ - #if ($confighash{$dkey}[14] eq 'on') { - $errormessage = "Choosed Protocol/Port combination is already used by connection: $confighash{$dkey}[1]"; - goto VPNCONF_ERROR; - #} else { - # $warnmessage = "Choosed Protcol/Port combination is used by inactive connection: $confighash{$dkey}[1]"; - #} - } - } - } - #check protcol/port overlap against RWserver gian - if ($vpnsettings{'ENABLED'} eq 'on') { - if ($vpnsettings{'DPROTOCOL'} eq $cgiparams{'PROTOCOL'} && $vpnsettings{'DDEST_PORT'} eq $cgiparams{'DEST_PORT'}){ - $errormessage = "Choosed Protocol/Port combination is already used OpenVPN Roadwarrior Server"; - goto VPNCONF_ERROR; - } - } - } - if ($cgiparams{'AUTH'} eq 'psk') { - #removed - } elsif ($cgiparams{'AUTH'} eq 'certreq') { - # { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { 
- $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } - (my $fh, my $filename) = tempfile( );# Move uploaded certificate request to a temporary file - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - # Sign the certificate request and move it - # Sign the host certificate request - system('/usr/bin/openssl', 'ca', '-days', '999999', - '-batch', '-notext', - '-in', $filename, - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ($filename); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - &Ovpnfunc::newcleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($filename); - &Ovpnfunc::deletebackupcert(); - } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $cgiparams{'CERT_NAME'} = $temp; - $cgiparams{'CERT_NAME'} =~ s/,//g; - $cgiparams{'CERT_NAME'} =~ s/\'//g; - if ($cgiparams{'CERT_NAME'} eq '') { - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } - } elsif ($cgiparams{'AUTH'} eq 'certfile') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } - (my $fh, my $filename) = tempfile( );# Move uploaded certificate to a temporary file - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - my $validca = 0;# Verify the certificate has a valid CA and move it - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - 
} else { - foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - } - } - } - if (! $validca) { - $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; - unlink ($filename); - goto VPNCONF_ERROR; - } else { - move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto VPNCONF_ERROR; - } - } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $cgiparams{'CERT_NAME'} = $temp; - $cgiparams{'CERT_NAME'} =~ s/,//g; - $cgiparams{'CERT_NAME'} =~ s/\'//g; - if ($cgiparams{'CERT_NAME'} eq '') { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } - } elsif ($cgiparams{'AUTH'} eq 'certgen'){ - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_NAME'}) >60) {# Validate input since the form was submitted - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { - $errormessage = $Lang::tr{'invalid input for name'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'CERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){ - if (length($cgiparams{'CERT_PASS1'}) < 5) { - $errormessage = $Lang::tr{'password too short'}; - goto VPNCONF_ERROR; - } - } - if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { - $errormessage = $Lang::tr{'passwords do not match'}; - goto VPNCONF_ERROR; - } - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;# Replace empty strings with a . 
- (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; - (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; - my $pid = open(OPENSSL, "|-");# Create the Host certificate request client - $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;}; - if ($pid) { # parent - print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n"; - print OPENSSL "$state\n"; - print OPENSSL "$city\n"; - print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n"; - print OPENSSL "$ou\n"; - print OPENSSL "$cgiparams{'CERT_NAME'}\n"; - print OPENSSL "$cgiparams{'CERT_EMAIL'}\n"; - print OPENSSL ".\n"; - print OPENSSL ".\n"; - close (OPENSSL); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', - '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { - $errormessage = "$Lang::tr{'cant start openssl'}: $!"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } - # Sign the host certificate request - system('/usr/bin/openssl', 'ca', '-days', '999999', - '-batch', '-notext', - '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); - if ($?) 
{ - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - &Ovpnfunc::newcleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - &Ovpnfunc::deletebackupcert(); - } - # Create the pkcs12 file - system('/usr/bin/openssl', 'pkcs12', '-export', - '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", - '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-name', $cgiparams{'NAME'}, - '-passout', "pass:$cgiparams{'CERT_PASS1'}", - '-certfile', "${General::swroot}/ovpn/ca/cacert.pem", - '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - } - } elsif ($cgiparams{'AUTH'} eq 'cert') { - ;# Nothing, just editing - } else { - $errormessage = $Lang::tr{'invalid input for authentication method'}; - goto VPNCONF_ERROR; - } - if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {# Check if there is no other entry with this common name - foreach my $key (keys %confighash) { - if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { - $errormessage = $Lang::tr{'a connection with this common name already exists'}; - goto VPNCONF_ERROR; - } - } - } - - my $key = $cgiparams{'KEY'};# Save the config - if (! $key) { - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 
42) { $confighash{$key}[$i] = "";} - } - $confighash{$key}[0] = $cgiparams{'ENABLED'}; - $confighash{$key}[1] = $cgiparams{'NAME'}; - if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; - } - $confighash{$key}[3] = $cgiparams{'TYPE'}; - if ($cgiparams{'AUTH'} eq 'psk') { - $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; - } else { - $confighash{$key}[4] = 'cert'; - } - if ($cgiparams{'TYPE'} eq 'net') { - $confighash{$key}[6] = $cgiparams{'SIDE'}; - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; - if ( $cgiparams{'SIDE'} eq 'client') { - $confighash{$key}[19] = 'yes'; - } else{ - $confighash{$key}[19] = 'no'; - } - } - $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; - $confighash{$key}[10] = $cgiparams{'REMOTE'}; - $confighash{$key}[25] = $cgiparams{'REMARK'}; - $confighash{$key}[12] = $cgiparams{'INTERFACE'}; - $confighash{$key}[13] = $cgiparams{'OVPN_SUBNET'};# new fields - $confighash{$key}[14] = $cgiparams{'PROTOCOL'}; - $confighash{$key}[15] = $cgiparams{'DEST_PORT'}; - $confighash{$key}[16] = $cgiparams{'COMPLZO'}; - $confighash{$key}[17] = $cgiparams{'MTU'}; - $confighash{$key}[18] = $cgiparams{'N2NVPN_IP'};# new fileds - $confighash{$key}[19] = $cgiparams{'ZERINA_CLIENT'};# new fileds - $confighash{$key}[20] = $cgiparams{'CIPHER'}; - - #default n2n advanced - $confighash{$key}[26] = '10';#keepalive ping - $confighash{$key}[27] = '60';#keepalive restart - $confighash{$key}[28] = '0';#nice - $confighash{$key}[42] = '3';#verb - #default n2n advanced - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - &Ovpnfunc::writenet2netconf($key,$zerinaclient); - #ppp - my $n2nactive = `/bin/ps ax|grep $cgiparams{'NAME'}.conf|grep -v grep|awk \'{print \$1}\'`; - if ($cgiparams{'ENABLED'}) { - if ($n2nactive eq ''){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $cgiparams{'NAME'}); - } else { - system('/usr/local/bin/openvpnctrl', '-kn2n', 
$n2nactive); - system('/usr/local/bin/openvpnctrl', '-sn2n', $cgiparams{'NAME'}); - } - } else { - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $cgiparams{'NAME'}); - } - } - if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { - $cgiparams{'KEY'} = $key; - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; - } - goto VPNCONF_END; - } else { - $cgiparams{'ENABLED'} = 'on'; - if ($cgiparams{'ZERINA_CLIENT'} eq ''){ - $cgiparams{'ZERINA_CLIENT'} = 'no'; - } - if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { - $cgiparams{'AUTH'} = 'psk'; - } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") { - $cgiparams{'AUTH'} = 'certfile'; - } else { - $cgiparams{'AUTH'} = 'certgen'; - } - $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; - $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; - $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; - $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; - $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; - } - VPNCONF_ERROR: - # n2n default settings - if ($cgiparams{'CIPHER'} eq '') { - $cgiparams{'CIPHER'} = 'BF-CBC'; - } - if ($cgiparams{'MTU'} eq '') { - $cgiparams{'MTU'} = '1400'; - } - if ($cgiparams{'OVPN_SUBNET'} eq '') { - $cgiparams{'OVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . 
'.0/255.255.255.0'; - } - #n2n default settings - $checked{'ENABLED'}{'off'} = ''; - $checked{'ENABLED'}{'on'} = ''; - $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; - $checked{'ENABLED_BLUE'}{'off'} = ''; - $checked{'ENABLED_BLUE'}{'on'} = ''; - $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED'; - $checked{'ENABLED_ORANGE'}{'off'} = ''; - $checked{'ENABLED_ORANGE'}{'on'} = ''; - $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; - $checked{'EDIT_ADVANCED'}{'off'} = ''; - $checked{'EDIT_ADVANCED'}{'on'} = ''; - $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED'; - $selected{'SIDE'}{'server'} = ''; - $selected{'SIDE'}{'client'} = ''; - $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED'; - -# $selected{'DDEVICE'}{'tun'} = ''; -# $selected{'DDEVICE'}{'tap'} = ''; -# $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; - - $selected{'PROTOCOL'}{'udp'} = ''; - $selected{'PROTOCOL'}{'tcp'} = ''; - $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED'; - - $checked{'AUTH'}{'psk'} = ''; - $checked{'AUTH'}{'certreq'} = ''; - $checked{'AUTH'}{'certgen'} = ''; - $checked{'AUTH'}{'certfile'} = ''; - $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED'; - $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED'; - $checked{'COMPLZO'}{'off'} = ''; - $checked{'COMPLZO'}{'on'} = ''; - $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED'; - $selected{'CIPHER'}{'DES-CBC'} = ''; - $selected{'CIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'CIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'CIPHER'}{'DESX-CBC'} = ''; - $selected{'CIPHER'}{'RC2-CBC'} = ''; - $selected{'CIPHER'}{'RC2-40-CBC'} = ''; - $selected{'CIPHER'}{'RC2-64-CBC'} = ''; - $selected{'CIPHER'}{'BF-CBC'} = ''; - $selected{'CIPHER'}{'CAST5-CBC'} = ''; - $selected{'CIPHER'}{'AES-128-CBC'} = ''; - $selected{'CIPHER'}{'AES-192-CBC'} = ''; - $selected{'CIPHER'}{'AES-256-CBC'} = ''; - $selected{'CIPHER'}{$cgiparams{'CIPHER'}} = 'SELECTED'; - - if (1) { - 
&Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', $errormessage); - if ($errormessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); - print "$errormessage"; - print " "; - &Header::closebox(); - } - if ($warnmessage) { - &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:"); - print "$warnmessage"; - print " "; - &Header::closebox(); - } - print ""; - print ""; - print ""; - if ($cgiparams{'KEY'}) { - print ""; - print ""; - } - &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:"); - print "
$Lang::tr{'name'}:$cgiparams{'NAME'}
$Lang::tr{'interface'}
$cgiparams{'NAME'} 
$Lang::tr{'Act as'}$confdetails[6]$Lang::tr{'remote host/ip'}:$confdetails[5]
$Lang::tr{'remote host/ip'}:
$Lang::tr{'local subnet'}$confighash{$key}[8]$Lang::tr{'remote subnet'}$confighash{$key}[11]
$Lang::tr{'remote subnet'}
$Lang::tr{'ovpn subnet'}$confighash{$key}[$ufuk-1]
$Lang::tr{'protocol'}$confdetails[2]$Lang::tr{'destination port'}:$confdetails[3]
$Lang::tr{'comp-lzo'}$complzoactive$Lang::tr{'cipher'}$confdetails[10]
$Lang::tr{'MTU'} $confdetails[1]
$Lang::tr{'destination port'}:
$Lang::tr{'comp-lzo'}
$Lang::tr{'MTU'} 
\n"; - print ""; - if ($cgiparams{'TYPE'} eq 'host') { - if ($cgiparams{'KEY'}) { - print "\n"; - } else { - print ""; - } - } else { - print ""; - if ($cgiparams{'KEY'}) { - print ""; - } else { - print ""; - } - print ""; - print ""; - print ""; - if ((($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no')) || - (($cgiparams{'ACTION'} eq $Lang::tr{'save'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no')) || - (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no'))) { - print ""; - print ""; - print ""; - print ""; - print ""; - } else { - print ""; - print ""; - print ""; - } - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - } - print ""; - print ""; -# if ($cgiparams{'TYPE'} eq 'net') { - print "\n"; - - if ($cgiparams{'TYPE'} eq 'host') { - print "
$Lang::tr{'name'}:$cgiparams{'NAME'}$cgiparams{'NAME'}  
$Lang::tr{'Act as'}
$Lang::tr{'local vpn hostname/ip'}:$Lang::tr{'remote host/ip'}:
$Lang::tr{'Act as'}$cgiparams{'SIDE'}$Lang::tr{'remote host/ip'}:
$Lang::tr{'local subnet'}$Lang::tr{'remote subnet'}
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'}$Lang::tr{'destination port'}:
$Lang::tr{'comp-lzo'}$Lang::tr{'cipher'}
$Lang::tr{'MTU'} 
$Lang::tr{'remark title'} 
$Lang::tr{'enabled'}  
";
- } elsif ($cgiparams{'ACTION'} ne $Lang::tr{'edit'}){
- print " $Lang::tr{'edit advanced settings when done'}";
- } else {
- print "";
- }
-
+ print "$Lang::tr{'remark title'} ";
+ print "";
+
+# if ($cgiparams{'TYPE'} eq 'net') {
+ print "$Lang::tr{'enabled'} \n";
+
+# if ($cgiparams{'KEY'}) {
+# print " ";
+# } else {
+# print " $Lang::tr{'edit advanced settings when done'}";
+# }
+# }else{
+ print " ";
+# }
+
+ &Header::closebox();
+ if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') {
- ;#we dont have psk
+ # &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'});
+ # print < + # $Lang::tr{'use a pre-shared key'} + # + # +END
+ # ;
+ # &Header::closebox(); } elsif (! $cgiparams{'KEY'}) { my $disabled=''; my $cakeydisabled='';
@@ -2459,6 +2507,7 @@ END $Lang::tr{'country'}: "; if ($cgiparams{'KEY'}) {
- if ($cgiparams{'TYPE'} ne 'host') {
- print "";
- }
+# print "";
 } print ""; &Header::closebigbox(); 
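Review bot: The `if ($cgiparams{'KEY'}) { … }` block on the new side of the `@@ -2459,6 +2507,7 @@` hunk now holds nothing but the commented-out `# print "";`, so it is an empty conditional that does no work; either delete the whole `if` or, if the output is meant to return, replace the dead line with a comment saying why it is disabled, e.g. `# NOTE: output for non-host connection types intentionally suppressed here — TODO restore or remove`. The old branch only ran for `$cgiparams{'TYPE'} ne 'host'`, and that type distinction is lost entirely once the print is commented out rather than guarded. This rendering strips the HTML inside the print strings, so what the removed print actually emitted cannot be confirmed from the page. The enclosing form-output code starts and ends outside the hunk.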
@@ -2492,595 +2540,495 @@ END } VPNCONF_END: }
+
+# SETTINGS_ERROR: ###
-### Advanced settings
+### Default status page ###
-if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
- ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) {
- &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+ %cgiparams = ();
+ %cahash = ();
+ %confighash = ();
+ &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
+ &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
-
- if (! $confighash{$cgiparams{'KEY'}}) {
- $errormessage = $Lang::tr{'invalid key'};
- goto ADVANCED_END;
- }
- #n2n advanced error
- if ($cgiparams{'KEEPALIVE_1'} ne '') {
- if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
- $errormessage = $Lang::tr{'invalid input for keepalive 1'};
- goto ADVANCED_ERROR;
- }
- }
- if ($cgiparams{'KEEPALIVE_2'} ne ''){
- if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
- $errormessage = $Lang::tr{'invalid input for keepalive 2'};
- goto ADVANCED_ERROR;
- }
- }
- if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
- $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
- goto ADVANCED_ERROR;
- }
- if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
-# if ($cgiparams{'NAT'} !~ /^(on|off)$/) {
-# $errormessage = $Lang::tr{'invalid input'};
-# goto ADVANCED_ERROR;
-# }
- #n2n advanced error
- #cgi an config
- $confighash{$cgiparams{'KEY'}}[26] = $cgiparams{'KEEPALIVE_1'};
- $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'KEEPALIVE_2'};
- $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'EXTENDED_NICE'};
- $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'EXTENDED_FASTIO'};
- $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'EXTENDED_MTUDISC'};
- $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'EXTENDED_MSSFIX'};
- $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'EXTENDED_FRAGMENT'};
- 
$confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'PROXY_HOST'};
- $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'PROXY_PORT'};
- $confighash{$cgiparams{'KEY'}}[35] = $cgiparams{'PROXY_USERNAME'};
- $confighash{$cgiparams{'KEY'}}[36] = $cgiparams{'PROXY_PASS'};
- $confighash{$cgiparams{'KEY'}}[37] = $cgiparams{'PROXY_AUTH_METHOD'};
- $confighash{$cgiparams{'KEY'}}[38] = $cgiparams{'http-proxy-retry'};
- $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'PROXY_TIMEOUT'};
- $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'PROXY_OPT_VERSION'};
- $confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'PROXY_OPT_AGENT'};
- $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'LOG_VERB'};
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient);
- # restart n2n after advanced save ?
- goto ADVANCED_END;
- } else {
- $cgiparams{'KEEPALIVE_1'} = $confighash{$cgiparams{'KEY'}}[26];
- $cgiparams{'KEEPALIVE_2'} = $confighash{$cgiparams{'KEY'}}[27];
- $cgiparams{'EXTENDED_NICE'} = $confighash{$cgiparams{'KEY'}}[28];
- $cgiparams{'EXTENDED_FASTIO'} = $confighash{$cgiparams{'KEY'}}[29];
- $cgiparams{'EXTENDED_MTUDISC'} = $confighash{$cgiparams{'KEY'}}[30];
- $cgiparams{'EXTENDED_MSSFIX'} = $confighash{$cgiparams{'KEY'}}[31];
- $cgiparams{'EXTENDED_FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[32];
- $cgiparams{'PROXY_HOST'} = $confighash{$cgiparams{'KEY'}}[33];
- $cgiparams{'PROXY_PORT'} = $confighash{$cgiparams{'KEY'}}[34];
- $cgiparams{'PROXY_USERNAME'} = $confighash{$cgiparams{'KEY'}}[35];
- $cgiparams{'PROXY_PASS'} = $confighash{$cgiparams{'KEY'}}[36];
- $cgiparams{'PROXY_AUTH_METHOD'} = $confighash{$cgiparams{'KEY'}}[37];
- $cgiparams{'http-proxy-retry'} = $confighash{$cgiparams{'KEY'}}[38];
- $cgiparams{'PROXY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[39];
- $cgiparams{'PROXY_OPT_VERSION'} = $confighash{$cgiparams{'KEY'}}[40];
- $cgiparams{'PROXY_OPT_AGENT'} = $confighash{$cgiparams{'KEY'}}[41];
- 
$cgiparams{'LOG_VERB'} = $confighash{$cgiparams{'KEY'}}[42];
- #cgi an config
- }
- ADVANCED_ERROR:
- #Schalter setzen
- $selected{'EXTENDED_NICE'}{'-13'} = '';
- $selected{'EXTENDED_NICE'}{'-10'} = '';
- $selected{'EXTENDED_NICE'}{'-7'} = '';
- $selected{'EXTENDED_NICE'}{'-3'} = '';
- $selected{'EXTENDED_NICE'}{'0'} = '';
- $selected{'EXTENDED_NICE'}{'3'} = '';
- $selected{'EXTENDED_NICE'}{'7'} = '';
- $selected{'EXTENDED_NICE'}{'10'} = '';
- $selected{'EXTENDED_NICE'}{'13'} = '';
- $selected{'EXTENDED_NICE'}{$cgiparams{'EXTENDED_NICE'}} = 'SELECTED';
- $checked{'EXTENDED_FASTIO'}{'off'} = '';
- $checked{'EXTENDED_FASTIO'}{'on'} = '';
- $checked{'EXTENDED_FASTIO'}{$cgiparams{'EXTENDED_FASTIO'}} = 'CHECKED';
- $checked{'EXTENDED_MTUDISC'}{'off'} = '';
- $checked{'EXTENDED_MTUDISC'}{'on'} = '';
- $checked{'EXTENDED_MTUDISC'}{$cgiparams{'EXTENDED_MTUDISC'}} = 'CHECKED';
- $selected{'LOG_VERB'}{'1'} = '';
- $selected{'LOG_VERB'}{'2'} = '';
- $selected{'LOG_VERB'}{'3'} = '';
- $selected{'LOG_VERB'}{'4'} = '';
- $selected{'LOG_VERB'}{'5'} = '';
- $selected{'LOG_VERB'}{'6'} = '';
- $selected{'LOG_VERB'}{'7'} = '';
- $selected{'LOG_VERB'}{'8'} = '';
- $selected{'LOG_VERB'}{'9'} = '';
- $selected{'LOG_VERB'}{'10'} = '';
- $selected{'LOG_VERB'}{'11'} = '';
- $selected{'LOG_VERB'}{'0'} = '';
- $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
- $selected{'PROXY_AUTH_METHOD'}{'none'} = '';
- $selected{'PROXY_AUTH_METHOD'}{'basic'} = '';
- $selected{'PROXY_AUTH_METHOD'}{'ntlm'} = '';
- $selected{'PROXY_AUTH_METHOD'}{$cgiparams{'PROXY_AUTH_METHOD'}} = 'SELECTED';
- $checked{'PROXY_RETRY'}{'off'} = '';
- $checked{'PROXY_RETRY'}{'on'} = '';
- $checked{'PROXY_RETRY'}{$cgiparams{'PROXY_RETRY'}} = 'CHECKED';
- #Schalter setzen
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
- &Header::openbigbox('100%', 'LEFT', '', $errormessage);
- if ($errormessage) {
- &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
- print 
"$errormessage"; - print " "; - &Header::closebox(); - } - - if ($warnmessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); - print "$warnmessage"; - print " "; - &Header::closebox(); - } + my @status = `/bin/cat /var/log/ovpnserver.log`; - print "
\n"; - print "\n"; - print "\n"; - - &Header::openbox('100%', 'LEFT', "$Lang::tr{'advanced'}:"); - print < - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'misc-options'}
Keppalive (ping/ping-restart)
$Lang::tr{'ovpn_processprio'} - -
$Lang::tr{'ovpn_fastio'} - -
$Lang::tr{'ovpn_mtudisc'} - -
$Lang::tr{'ovpn_mssfix'} - -
$Lang::tr{'ovpn_fragment'} - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'proxy'} $Lang::tr{'settings'}
$Lang::tr{'proxy'} $Lang::tr{'host'}:$Lang::tr{'proxy port'}:
$Lang::tr{'username'}$Lang::tr{'password'}
$Lang::tr{'authentication'} $Lang::tr{'method'} - -
http-proxy-retryhttp-proxy-timeout
http-proxy-option VERSIONhttp-proxy-option AGENT
-
- - - - - - - - - - -
$Lang::tr{'log-options'}
VERB
- -EOF - ; - &Header::closebox(); - print "
"; - print "
"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); - - ADVANCED_END: -} -### -### Default status page -### -%cgiparams = (); -%cahash = (); -%confighash = (); -&General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); -&General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); -&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -my @status = `/bin/cat /var/log/ovpnserver.log`; -if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { my $ipaddr = ; close IPADDR; chomp ($ipaddr); $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; + $cgiparams{'VPN_IP'} = $ipaddr; } } -} + } + #default setzen -if ($cgiparams{'DCIPHER'} eq '') { + if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'BF-CBC'; -} + } # if ($cgiparams{'DCOMPLZO'} eq '') { # $cgiparams{'DCOMPLZO'} = 'on'; # } -if ($cgiparams{'DDEST_PORT'} eq '') { + if ($cgiparams{'DDEST_PORT'} eq '') { $cgiparams{'DDEST_PORT'} = '1194'; -} -if ($cgiparams{'DMTU'} eq '') { + } + if ($cgiparams{'DMTU'} eq '') { $cgiparams{'DMTU'} = '1400'; -} -if ($cgiparams{'DOVPN_SUBNET'} eq '') { + } + if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . 
'.0/255.255.255.0'; -} -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; -$checked{'ENABLED_BLUE'}{'off'} = ''; -$checked{'ENABLED_BLUE'}{'on'} = ''; -$checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED'; -$checked{'ENABLED_ORANGE'}{'off'} = ''; -$checked{'ENABLED_ORANGE'}{'on'} = ''; -$checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; + } + + $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'on'} = ''; + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; + $checked{'ENABLED_BLUE'}{'off'} = ''; + $checked{'ENABLED_BLUE'}{'on'} = ''; + $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED'; + $checked{'ENABLED_ORANGE'}{'off'} = ''; + $checked{'ENABLED_ORANGE'}{'on'} = ''; + $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; + + #new settings -$selected{'DDEVICE'}{'tun'} = ''; -$selected{'DDEVICE'}{'tap'} = ''; -$selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; -$selected{'DPROTOCOL'}{'udp'} = ''; -$selected{'DPROTOCOL'}{'tcp'} = ''; -$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; -$selected{'DCIPHER'}{'DES-CBC'} = ''; -$selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; -$selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; -$selected{'DCIPHER'}{'DESX-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-40-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-64-CBC'} = ''; -$selected{'DCIPHER'}{'BF-CBC'} = ''; -$selected{'DCIPHER'}{'CAST5-CBC'} = ''; -$selected{'DCIPHER'}{'AES-128-CBC'} = ''; -$selected{'DCIPHER'}{'AES-192-CBC'} = ''; -$selected{'DCIPHER'}{'AES-256-CBC'} = ''; -$selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; -$checked{'DCOMPLZO'}{'off'} = ''; -$checked{'DCOMPLZO'}{'on'} = ''; -$checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; + $selected{'DDEVICE'}{'tun'} = ''; + $selected{'DDEVICE'}{'tap'} = ''; + $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; + + 
$selected{'DPROTOCOL'}{'udp'} = ''; + $selected{'DPROTOCOL'}{'tcp'} = ''; + $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; + + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + $checked{'DCOMPLZO'}{'off'} = ''; + $checked{'DCOMPLZO'}{'on'} = ''; + $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; #new settings -&Header::showhttpheaders(); -&Header::openpage($Lang::tr{'status ovpn'}, 1, ''); -&Header::openbigbox('100%', 'LEFT', '', $errormessage); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', $errormessage); -if ($errormessage) { + if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); print "$errormessage\n"; print " \n"; &Header::closebox(); -} + } -my $sactive = "
$Lang::tr{'stopped'}
"; -my $srunning = "no"; -my $activeonrun = ""; -if ( -e "/var/run/openvpn.pid"){ + my $sactive = "
$Lang::tr{'stopped'}
"; + my $srunning = "no"; + my $activeonrun = ""; + if ( -e "/var/run/openvpn.pid"){ $sactive = "
$Lang::tr{'running'}
"; $srunning ="yes"; $activeonrun = ""; -} else { + } else { $activeonrun = "disabled='disabled'"; -} -#ufuk -#CERT -&Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:"); -print "
ZERINA-0.9.7a9
"; -print " "; -print < - - $Lang::tr{'name'} + } + &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); + print < +
+   +   +   + $Lang::tr{'ovpn server status'} + $sactive + $Lang::tr{'ovpn on red'} + +END +; + if (&haveBlueNet()) { + print "$Lang::tr{'ovpn on blue'}"; + print ""; + } + if (&haveOrangeNet()) { + print "$Lang::tr{'ovpn on orange'}"; + print ""; + } + print <$Lang::tr{'local vpn hostname/ip'}:
+ $Lang::tr{'ovpn subnet'}
+ $Lang::tr{'ovpn device'} + + $Lang::tr{'protocol'} + + $Lang::tr{'destination port'}: + + $Lang::tr{'MTU'}  + + $Lang::tr{'comp-lzo'} + + $Lang::tr{'cipher'} + +END +; + + if ( $srunning eq "yes" ) { + print ""; + print ""; + print ""; + print ""; + } else{ + print ""; + print ""; + if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && + -e "${General::swroot}/ovpn/ca/dh1024.pem" && + -e "${General::swroot}/ovpn/certs/servercert.pem" && + -e "${General::swroot}/ovpn/certs/serverkey.pem") && + (( $cgiparams{'ENABLED'} eq 'on') || + ( $cgiparams{'ENABLED_BLUE'} eq 'on') || + ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){ + print ""; + print ""; + } else { + print ""; + print ""; + } + } + print ""; + &Header::closebox(); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:"); + print < + + $Lang::tr{'name'} $Lang::tr{'subject'} $Lang::tr{'action'} - + EOF ; -if (-f "${General::swroot}/ovpn/ca/cacert.pem") { + if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; $casubject =~ /Subject: (.*)[\n]/; $casubject = $1; $casubject =~ s+/Email+, E+; $casubject =~ s/ ST=/ S=/; + print < - $Lang::tr{'root certificate'} - $casubject -
- - -
-
- + + $Lang::tr{'root certificate'} + $casubject + + + +
+
+ -
-   + +   END ; -} else { + } else { # display rootcert generation buttons print < + $Lang::tr{'root certificate'}: $Lang::tr{'not present'}   END ; -} + } -if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; $hostsubject =~ /Subject: (.*)[\n]/; $hostsubject = $1; $hostsubject =~ s+/Email+, E+; $hostsubject =~ s/ ST=/ S=/; + print < + $Lang::tr{'host certificate'} $hostsubject
- - + +
- - + +
  END ; -} else { + } else { # Nothing print < + $Lang::tr{'host certificate'}: $Lang::tr{'not present'}   END ; -} + } -if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { - print "
"; + if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { + print ""; print ""; - print "
\n"; -} + print "\n"; + } -if (keys %cahash > 0) { + if (keys %cahash > 0) { foreach my $key (keys %cahash) { - if (($key + 1) % 2) { - print "\n"; - } else { - print "\n"; - } - print "$cahash{$key}[0]\n"; - print "$cahash{$key}[1]\n"; - print < + if (($key + 1) % 2) { + print "\n"; + } else { + print "\n"; + } + print "$cahash{$key}[0]\n"; + print "$cahash{$key}[1]\n"; + print < - -
- +
+
+ -
-
+
+
-
+ END ; } -} -print ""; -if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {# If the file contains entries, print Key to action icons - print < - + } + + print ""; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { + print < +   $Lang::tr{'legend'}:     $Lang::tr{ $Lang::tr{'show certificate'} -     $Lang::tr{ +     $Lang::tr{ $Lang::tr{'download certificate'} - - + + END ; -} -print < - - - - - -
$Lang::tr{'ca name'}: -
+ } + print < + + + + +
$Lang::tr{'ca name'}: +
END ; -&Header::closebox(); -if ( $srunning eq "yes" ) { + + &Header::closebox(); + if ( $srunning eq "yes" ) { print "
\n"; -}else{ - print "
\n"; -} -#CERT -#RWSERVER -#&Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); -&Header::openbox('100%', 'LEFT', 'Roadwarrior Server'); -print < -
-  -  -  -$Lang::tr{'ovpn server status'} -$sactive -$Lang::tr{'ovpn on red'} - -END -; -if (&Ovpnfunc::haveBlueNet()) { - print "$Lang::tr{'ovpn on blue'}"; - print ""; -} -if (&Ovpnfunc::haveOrangeNet()) { - print "$Lang::tr{'ovpn on orange'}"; - print ""; -} -print <$Lang::tr{'local vpn hostname/ip'}: - - $Lang::tr{'ovpn subnet'} - -$Lang::tr{'ovpn device'} - -$Lang::tr{'protocol'} - - $Lang::tr{'destination port'}: - -$Lang::tr{'MTU'}  - -$Lang::tr{'comp-lzo'} - - $Lang::tr{'cipher'} - + }else{ + print "
\n"; + } + if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' }); + print < + + $Lang::tr{'name'} + $Lang::tr{'type'} + $Lang::tr{'common name'} + $Lang::tr{'valid till'} + $Lang::tr{'remark'}
L2089 + $Lang::tr{'status'} + $Lang::tr{'action'} + END -; - -if ( $srunning eq "yes" ) { - print ""; - print ""; - print ""; - print ""; -} else{ - print ""; - print ""; - if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && - -e "${General::swroot}/ovpn/ca/dh1024.pem" && - -e "${General::swroot}/ovpn/certs/servercert.pem" && - -e "${General::swroot}/ovpn/certs/serverkey.pem") && - (( $cgiparams{'ENABLED'} eq 'on') || - ( $cgiparams{'ENABLED_BLUE'} eq 'on') || - ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){ - print ""; - print ""; + ; + my $id = 0; + my $gif; + foreach my $key (keys %confighash) { + if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } + + if ($id % 2) { + print "\n"; } else { - print ""; - print ""; - } + print "\n"; + } + print "$confighash{$key}[1]"; + print "" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")"; + if ($confighash{$key}[4] eq 'cert') { + print "$confighash{$key}[2]"; + } else { + print " "; + } + my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; + $cavalid =~ /Not After : (.*)[\n]/; + $cavalid = $1; + print "$cavalid"; + print "$confighash{$key}[25]"; + my $active = "
$Lang::tr{'capsclosed'}
"; + if ($confighash{$key}[0] eq 'off') { + $active = "
$Lang::tr{'capsclosed'}
"; + } else { + my $cn; + my @match = (); + foreach my $line (@status) { + chomp($line); + if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { + @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); + if ($match[1] ne "Common Name") { + $cn = $match[1]; + } + $cn =~ s/[_]/ /g; + if ($cn eq "$confighash{$key}[2]") { + $active = "
$Lang::tr{'capsopen'}
"; + } + } + } + } + my $disable_clientdl = "disabled='disabled'"; + if (( $cgiparams{'ENABLED'} eq 'on') || + ( $cgiparams{'ENABLED_BLUE'} eq 'on') || + ( $cgiparams{'ENABLED_ORANGE'} eq 'on')){ + $disable_clientdl = ""; + } + print <$active + +
+ + + +
+END + ; + if ($confighash{$key}[4] eq 'cert') { + print < + + + + +END + ; } else { + print " "; + } + if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { + print < + + + + +END + ; } elsif ($confighash{$key}[4] eq 'cert') { + print < + + + + +END + ; } else { + print " "; + } + print < + + + + + +
+ + + +
+
+ + + +
+ +END + ; + $id++; + } + ; + + # If the config file contains entries, print Key to action icons + if ( $id ) { + print < + +   $Lang::tr{'legend'}: +   $Lang::tr{ + $Lang::tr{'click to disable'} +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'edit'} +     $Lang::tr{ + $Lang::tr{'remove'} + + +   +   ?OFF + $Lang::tr{'click to enable'} + ?FLOPPY + $Lang::tr{'download certificate'} + ?RELOAD + $Lang::tr{'dl client arch'} + + +END + ; + } + + print < +
+ + +
+ +END + ; + &Header::closebox(); } -print ""; -&Header::closebox(); -#RWSERVER -&Ovpnfunc::rwclientstatus($activeonrun); -&Ovpnfunc::net2netstatus($activeonrun); -&Header::closepage(); \ No newline at end of file +&Header::closepage();