X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=0c9e73d5b86b9662d9315c0e3828626379e18214;hp=5e18d3cb53bf1a01e15565d7a78d50845185f2b0;hb=49abe7afb1868315b96643afe08c12fa1b339e3a;hpb=c125d8a2b4770e3cd63ef18ae720dd6e5fb8576c diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 5e18d3cb5..0c9e73d5b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team # +# Copyright (C) 2007-2014 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -19,7 +19,7 @@ # # ############################################################################### ### -# Based on IPFireCore 55 +# Based on IPFireCore 77 ### use CGI; use CGI qw/:standard/; @@ -30,6 +30,7 @@ use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; use Archive::Zip qw(:ERROR_CODES :CONSTANTS); +use Sort::Naturally; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; @@ -68,6 +69,7 @@ my $confighost="${General::swroot}/fwhosts/customhosts"; my $configgrp="${General::swroot}/fwhosts/customgroups"; my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; +my $col=""; &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off'; @@ -78,6 +80,8 @@ $cgiparams{'COMPRESSION'} = 'off'; $cgiparams{'ONLY_PROPOSED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; +$cgiparams{'DH_NAME'} = 'dh1024.pem'; +$cgiparams{'DHLENGHT'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; @@ -86,6 +90,10 @@ $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; $cgiparams{'PMTU_DISCOVERY'} = ''; +$cgiparams{'DCIPHER'} = ''; +$cgiparams{'DAUTH'} = ''; +$cgiparams{'TLSAUTH'} = ''; +$cgiparams{'ENGINES'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; unless (-e $routes_push_file) { system("touch $routes_push_file"); } unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } @@ -165,49 +173,29 @@ sub deletebackupcert unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); } } - sub checkportfw { - my $KEY2 = $_[0]; # key2 - my $SRC_PORT = $_[1]; # src_port - my $PROTOCOL = $_[2]; # protocol - my $SRC_IP = $_[3]; # sourceip - - my $pfwfilename = "${General::swroot}/portfw/config"; - open(FILE, $pfwfilename) or die 'Unable to open config file.'; - my @pfwcurrent = ; - close(FILE); - my $pfwkey1 = 0; # used for finding last sequence number used - foreach my $pfwline (@pfwcurrent) - { - my @pfwtemp = split(/\,/,$pfwline); - - chomp ($pfwtemp[8]); - if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition - if ( $SRC_PORT eq $pfwtemp[3] && - $PROTOCOL eq $pfwtemp[2] && - $SRC_IP eq $pfwtemp[7]) - { - $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT"; - } - # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number - if ( $pfwtemp[1] eq "0") { - $pfwkey1=$pfwtemp[0]; - } - # Darren Critchley - Duplicate or overlapping Port range check - if ($pfwtemp[1] eq "0" && - $PROTOCOL eq $pfwtemp[2] && - $SRC_IP eq $pfwtemp[7] && - $errormessage eq '') - { - &portchecks($SRC_PORT, $pfwtemp[5]); -# &portchecks($pfwtemp[3], $pfwtemp[5]); -# &portchecks($pfwtemp[3], $SRC_IP); + my $DPORT = shift; + my $DPROT = shift; + my %natconfig =(); + my $confignat = "${General::swroot}/firewall/config"; + $DPROT= uc ($DPROT); + &General::readhasharray($confignat, \%natconfig); + foreach my $key (sort keys %natconfig){ + my @portarray = split (/\|/,$natconfig{$key}[30]); + foreach my $value (@portarray){ + if ($value =~ /:/i){ + my ($a,$b) = split (":",$value); + if ($DPROT eq $natconfig{$key}[12] && $DPORT gt $a && $DPORT lt $b){ + $errormessage= "$Lang::tr{'source port in use'} $DPORT"; + } + }else{ + if ($DPROT eq $natconfig{$key}[12] && $DPORT eq $value){ + $errormessage= "$Lang::tr{'source port in use'} $DPORT"; + } + } } } - } -# $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP"; - - return; + return; } sub checkportoverlap @@ -239,76 +227,6 @@ sub checkportinc return 0; } } -# Darren Critchley - Duplicate or overlapping Port range check -sub portchecks -{ - my $p1 = $_[0]; # New port range - my $p2 = $_[1]; # existing port range -# $_ = $_[0]; - our ($prtrange1, $prtrange2); - $prtrange1 = 0; -# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges -# unless (&checkportoverlap($p1,$p2)) { -# $errormessage = "$Lang::tr{'source port overlaps'} $p1"; -# } -# } - if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($p2,$p1)) { - $errormessage = "$Lang::tr{'srcprt within existing'} $p1"; - } - } - $prtrange1 = 1; - if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range - unless (&checkportinc($p1,$p2)) { - $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2"; - } - } - return; -} - -# Darren Critchley - certain ports are reserved for IPFire -# TCP 67,68,81,222,445 -# UDP 67,68 -# Params passed in -> port, rangeyn, protocol -sub disallowreserved -{ - # port 67 and 68 same for tcp and udp, don't bother putting in an array - my $msg = ""; - my @tcp_reserved = (81,222,445); - my $prt = $_[0]; # the port or range - my $ryn = $_[1]; # tells us whether or not it is a port range - my $prot = $_[2]; # protocol - my $srcdst = $_[3]; # source or destination - if ($ryn) { # disect port range - if ($srcdst eq "src") { - $msg = "$Lang::tr{'rsvd src port overlap'}"; - } else { - $msg = "$Lang::tr{'rsvd dst port overlap'}"; - } - my @tmprng = split(/\:/,$prt); - unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } - unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } - } - } - } else { - if ($srcdst eq "src") { - $msg = "$Lang::tr{'reserved src port'}"; - } else { - $msg = "$Lang::tr{'reserved dst port'}"; - } - if ($prt == 67) { $errormessage="$msg 67"; return; } - if ($prt == 68) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - if ($prange == $prt) { $errormessage="$msg $prange"; return; } - } - } - } - return; -} sub writeserverconf { my %sovpnsettings = (); @@ -331,10 +249,10 @@ sub writeserverconf { print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; - print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n"; - print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n"; - print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n"; - print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n"; + print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; + print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; + print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; + print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; @@ -401,6 +319,19 @@ sub writeserverconf { print CONF "status-version 1\n"; print CONF "status /var/log/ovpnserver.log 30\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; + if ($sovpnsettings{'DAUTH'} eq '') { + print CONF ""; + } else { + print CONF "auth $sovpnsettings{'DAUTH'}\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n"; + } + if ($sovpnsettings{ENGINES} eq 'disabled') { + print CONF ""; + } else { + print CONF "engine $sovpnsettings{ENGINES}\n"; + } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -425,7 +356,7 @@ sub writeserverconf { if ($sovpnsettings{DHCP_WINS} ne '') { print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n"; } - print CONF "tls-verify /var/ipfire/ovpn/verify\n"; + print CONF "tls-verify /usr/lib/openvpn/verify\n"; print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n"; print CONF "user nobody\n"; print CONF "group nobody\n"; @@ -597,7 +528,7 @@ sub getccdadresses my @iprange=(); my %ccdhash=(); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); - $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2); for (my $i=1;$i<=$count;$i++) { my $tmpip=$iprange[$i-1]; my $stepper=$i*4; @@ -819,6 +750,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; + $vpnsettings{'ENGINES'} = $cgiparams{'ENGINES'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -831,12 +765,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'}; } } + if ($cgiparams{'MSSFIX'} ne 'on') { delete $vpnsettings{'MSSFIX'}; } else { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/ca/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key") + } + } + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { @@ -1013,9 +955,21 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; - print SERVERCONF "cipher AES-256-CBC\n"; + print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; + if ($cgiparams{'DAUTH'} eq '') { + print SERVERCONF "auth SHA1\n"; + } else { + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + } + if ($cgiparams{'ENGINES'} eq 'disabled') { + print SERVERCONF ""; + } else { + print SERVERCONF "# Crypto engine\n"; + print SERVERCONF "engine $cgiparams{'ENGINES'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\r\n"; @@ -1102,8 +1056,20 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; - print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; + if ($cgiparams{'DAUTH'} eq '') { + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + } + if ($cgiparams{'ENGINES'} eq 'disabled') { + print CLIENTCONF ""; + } else { + print CLIENTCONF "# Crypto engine\n"; + print CLIENTCONF "engine $cgiparams{'ENGINES'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; @@ -1137,16 +1103,11 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } } - if ($cgiparams{'ENABLED'} eq 'on'){ - &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); - } if ($errormessage) { goto SETTINGS_ERROR; } - - + if ($cgiparams{'ENABLED'} eq 'on'){ - &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); + &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); } - if ($errormessage) { goto SETTINGS_ERROR; } if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { @@ -1207,6 +1168,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $errormessage = $Lang::tr{'invalid port'}; goto SETTINGS_ERROR; } + $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -1231,7 +1193,7 @@ SETTINGS_ERROR: ### ### Reset all step 2 ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') { +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') { my $file = ''; &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -1241,37 +1203,67 @@ SETTINGS_ERROR: } } while ($file = glob("${General::swroot}/ovpn/ca/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/certs/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/crls/*")) { - unlink $file + unlink $file; } &cleanssldatabase(); if (open(FILE, ">${General::swroot}/ovpn/caconfig")) { print FILE ""; close FILE; } - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/ccd/*")) { + unlink $file + } + if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { + system ("rm -rf $file"); + } + #&writeserverconf(); ### ### Reset all step 1 ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) { +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'}); - print <
- - $Lang::tr{'capswarning'}: - $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'} - - -
+ &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print < + + + + + + + +
+ + $Lang::tr{'capswarning'}: + $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
+
+ + END ; &Header::closebox(); @@ -1279,6 +1271,104 @@ END &Header::closepage(); exit (0); +### +### Generate DH key step 2 +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') { + # Delete if old key exists + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; + } + # Create Diffie Hellmann Parameter + system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', + '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); + } + +### +### Generate DH key step 1 +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:"); + print < + + + + + $Lang::tr{'ovpn dh'}: + +
+ + + + +
+ + + + $Lang::tr{'capswarning'}: $Lang::tr{'dh key warn'} + + + + + + + + + +
$Lang::tr{'dh key warn1'}

+ +END + ; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit (0); + +### +### Upload DH key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; + } + # Move uploaded dh key to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto UPLOADCA_ERROR; + } + my $temp = `/usr/bin/openssl dhparam -text -in $filename`; + if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { + $errormessage = $Lang::tr{'not a valid dh key'}; + unlink ($filename); + goto UPLOADCA_ERROR; + } else { + # Delete if old key exists + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; + } + move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'dh key move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } + } + ### ### Upload CA Certificate ### @@ -1355,7 +1445,7 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; @@ -1432,10 +1522,10 @@ END } if ($assignedcerts) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'}); - print <
@@ -1467,7 +1557,7 @@ END $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { my $output; &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); @@ -1733,7 +1823,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-days', '999999', '-newkey', 'rsa:2048', + '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -1764,7 +1854,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server', @@ -1816,8 +1906,7 @@ END } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", - '1024' ); + '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -1835,7 +1924,7 @@ END ROOTCERT_ERROR: if ($cgiparams{'ACTION'} ne '') { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); @@ -1844,7 +1933,7 @@ END &Header::closebox(); } &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:"); - print < @@ -1877,19 +1966,38 @@ END } print ">$country"; } - print < - + + + + - - + +
$Lang::tr{'organization name'}: 
$Lang::tr{'ovpn dh'}: +
    
* $Lang::tr{'this field may be blank'}
- $Lang::tr{'capswarning'}: - $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'} -

+ + $Lang::tr{'capswarning'}: $Lang::tr{'ovpn generating the root and host certificates'} + + + + + + + +
$Lang::tr{'dh key warn'}
$Lang::tr{'dh key warn1'}

+ + + @@ -1905,7 +2013,7 @@ END END ; &Header::closebox(); - + print ""; &Header::closebigbox(); &Header::closepage(); exit(0) @@ -2037,13 +2145,20 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "ns-cert-type server\n"; print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; - print CLIENTCONF "# Cipher\n"; - print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "# Cipher\n"; + print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n"; if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; - } - if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { + } + if ($confighash{$cgiparams{'KEY'}}[39] eq '') { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; + } + if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; } @@ -2138,6 +2253,15 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + if ($vpnsettings{'DAUTH'} eq '') { + print CLIENTCONF ""; + } else { + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; + } + if ($vpnsettings{'TLSAUTH'} eq 'on') { + print CLIENTCONF "tls-auth ta.key 1\r\n"; + $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can't add file ta.key\n"; + } if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2195,14 +2319,15 @@ else # m.a.d net2net ### - if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { - +if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); - my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - unlink ($certfile) or die "Removing $certfile fail: $!"; - unlink ($conffile) or die "Removing $conffile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; - + my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ($certfile); + unlink ($conffile); + + if (-e "${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") { + rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; + } } unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); @@ -2245,7 +2370,7 @@ else } else { $errormessage = $Lang::tr{'invalid key'}; } - + &General::firewall_reload(); ### ### Download PKCS12 file @@ -2266,7 +2391,7 @@ else if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; @@ -2278,15 +2403,40 @@ else &Header::closepage(); exit(0); } + +### +### Display Diffie-Hellman key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { + + if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); + my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") { + if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { + $errormessage = $Lang::tr{'not present'}; + } else { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; @@ -2331,17 +2481,26 @@ ADV_ERROR: if ($cgiparams{'PMTU_DISCOVERY'} eq '') { $cgiparams{'PMTU_DISCOVERY'} = 'off'; } + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; - $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; $selected{'LOG_VERB'}{'3'} = ''; @@ -2353,8 +2512,22 @@ ADV_ERROR: $selected{'LOG_VERB'}{'9'} = ''; $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; - $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); @@ -2366,9 +2539,9 @@ ADV_ERROR: &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); - print < -

$Lang::tr{'upload p12 file'}:  
+
@@ -2436,12 +2609,11 @@ print < - - + @@ -2453,53 +2625,84 @@ print <
$Lang::tr{'dhcp-options'}
fragment
Default: 1300
mssfix Default: on$Lang::tr{'openvpn default'}: off
- -
- + +
- + + - - - - - -
$Lang::tr{'log-options'}
VERB

+ HMAC tls-auth + + +
+ + END if ( -e "/var/run/openvpn.pid"){ print"
$Lang::tr{'attention'}:
$Lang::tr{'server restart'}


"; - print<   @@ -2515,7 +2718,7 @@ END }else{ -print<   @@ -2570,11 +2773,11 @@ if ($cgiparams{'ACTION'} eq "edit"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'}); - print < + print < $Lang::tr{'ccd name'}: - $Lang::tr{'ccd subnet'}: + $Lang::tr{'ccd subnet'}:
@@ -2584,7 +2787,7 @@ END &Header::closebox(); &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} ); - print < $Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'} @@ -2594,7 +2797,7 @@ END else{ if (! -e "/var/run/openvpn.pid"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'}); - print < $Lang::tr{'ccd hint'}

@@ -2615,7 +2818,7 @@ END } print < + END @@ -2634,7 +2837,7 @@ END print" + END ; } @@ -2668,16 +2871,16 @@ END # # # protocol temp removed - print < + print < - - - - - - - + + + + + + + END ; @@ -2728,25 +2931,26 @@ END } my $user2 = @users; if ($user2 >= 1){ - for (my $idx = 1; $idx <= $user2; $idx++){ + for (my $idx = 1; $idx <= $user2; $idx++){ if ($idx % 2) { - print "\n"; - } else { - print "\n"; + print ""; + $col="bgcolor='$color{'color22'}'"; + } else { + print ""; + $col="bgcolor='$color{'color20'}'"; } - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; -# print ""; - } - } + print ""; + print ""; + print ""; + print ""; + print ""; + print ""; + print ""; + } + } print "
$Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'}
$ccdconf[0]$ccdconf[1]$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1).""; print < - + @@ -2643,7 +2846,7 @@ print < -
$Lang::tr{'protocol'}
$Lang::tr{'common name'}$Lang::tr{'real address'}$Lang::tr{'virtual address'}$Lang::tr{'loged in at'}$Lang::tr{'bytes sent'}$Lang::tr{'bytes received'}$Lang::tr{'last activity'}$Lang::tr{'common name'}$Lang::tr{'real address'}$Lang::tr{'virtual address'}$Lang::tr{'loged in at'}$Lang::tr{'bytes sent'}$Lang::tr{'bytes received'}$Lang::tr{'last activity'}
$users[$idx-1]{'CommonName'}$users[$idx-1]{'RealAddress'}$users[$idx-1]{'VirtualAddress'}$users[$idx-1]{'Since'}$users[$idx-1]{'BytesSent'}$users[$idx-1]{'BytesReceived'}$users[$idx-1]{'LastRef'}$users[$idx-1]{'Proto'}$users[$idx-1]{'CommonName'}$users[$idx-1]{'RealAddress'}$users[$idx-1]{'VirtualAddress'}$users[$idx-1]{'Since'}$users[$idx-1]{'BytesSent'}$users[$idx-1]{'BytesReceived'}$users[$idx-1]{'LastRef'}
"; - print < @@ -2855,13 +3059,13 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'}); if ( -s "${General::swroot}/ovpn/settings") { - print <$Lang::tr{'connection type'}:

@@ -2872,7 +3076,7 @@ if ( -s "${General::swroot}/ovpn/settings") { - + @@ -2882,7 +3086,7 @@ END } else { - print <$Lang::tr{'connection type'}:
$Lang::tr{'net to net vpn'} (Upload Client Package)
 
 Import Connection Name
 Default : Client Packagename
 $Lang::tr{'openvpn default'}: Client Packagename

* $Lang::tr{'this field may be blank'}
@@ -2894,6 +3098,7 @@ END } &Header::closebox(); + print ""; &Header::closebigbox(); &Header::closepage(); exit (0); @@ -3029,7 +3234,8 @@ END my $complzoactive; my $mssfixactive; my $n2nfragment; -my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);; +my $authactive; +my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]); my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]); my @n2nproto = split(/-/, $n2nproto2[1]); my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]); @@ -3046,7 +3252,9 @@ my @n2novpnsub = split(/\./,$n2novpnsuball[1]); my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]); my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]); my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]); - +my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]); +my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]); +my @n2nengine = split(/ /, (grep { /^engine/ } @firen2nconf)[0]);; ### # m.a.d delete CR and LF from arrays for this chomp doesnt work @@ -3065,6 +3273,9 @@ $n2nlocalsub[2] =~ s/\n|\r//g; $n2nfragment[1] =~ s/\n|\r//g; $n2nmgmt[2] =~ s/\n|\r//g; $n2nmtudisc[1] =~ s/\n|\r//g; +$n2ncipher[1] =~ s/\n|\r//g; +$n2nauth[1] =~ s/\n|\r//g; +$n2nengine[1] =~ s/\n|\r//g; chomp ($complzoactive); chomp ($mssfixactive); @@ -3101,7 +3312,7 @@ foreach my $dkey (keys %confighash) { } ### -# Check im Dest Port is vaild +# Check if Dest Port is vaild ### foreach my $dkey (keys %confighash) { @@ -3118,7 +3329,7 @@ foreach my $dkey (keys %confighash) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";} $confighash{$key}[0] = 'off'; $confighash{$key}[1] = $n2nname[0]; @@ -3139,7 +3350,10 @@ foreach my $dkey (keys %confighash) { $confighash{$key}[29] = $n2nport[1]; $confighash{$key}[30] = $complzoactive; $confighash{$key}[31] = $n2ntunmtu[1]; - $confighash{$key}[38] = $n2nmtudisc[1]; + $confighash{$key}[38] = $n2nmtudisc[1]; + $confighash{$key}[39] = $n2nauth[1]; + $confighash{$key}[40] = $n2ncipher[1]; + $confighash{$key}[41] = 'disabled'; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -3160,7 +3374,7 @@ foreach my $dkey (keys %confighash) { &Header::openbox('100%', 'LEFT', 'import ipfire net2net config'); } if ($errormessage eq ''){ - print <
$Lang::tr{'host to net vpn'}
@@ -3179,6 +3393,8 @@ foreach my $dkey (keys %confighash) { + +
  
$Lang::tr{'MTU'}$confighash{$key}[31]
$Lang::tr{'ovpn mtu-disc'}$confighash{$key}[38]
Management Port $confighash{$key}[22]
$Lang::tr{'ovpn hmac'}:$confighash{$key}[39]
$Lang::tr{'cipher'}$confighash{$key}[40]
  
END @@ -3196,7 +3412,7 @@ END } &Header::closebigbox(); &Header::closepage(); - exit(0); + exit(0); ## @@ -3249,33 +3465,37 @@ if ($confighash{$cgiparams{'KEY'}}) { $errormessage = $Lang::tr{'invalid key'}; goto VPNCONF_END; } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23]; - $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; - $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32]; + $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23]; + $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; + $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32]; $name=$cgiparams{'CHECK1'} ; - $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33]; - $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34]; - $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; - $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; - $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33]; + $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; + $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; + $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; + $cgiparams{'ENGINES'} = $confighash{$cgiparams{'KEY'}}[42]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -3576,12 +3796,31 @@ if ($cgiparams{'TYPE'} eq 'net') { unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; - } + } + + if ($cgiparams{'DEST_PORT'} <= 1023) { + $errormessage = $Lang::tr{'ovpn port in root range'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } - if ($cgiparams{'OVPN_MGMT'} eq '') { - $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'}; + if ($cgiparams{'OVPN_MGMT'} eq '') { + $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'}; } - + + if ($cgiparams{'OVPN_MGMT'} <= 1023) { + $errormessage = $Lang::tr{'ovpn mgmt in root range'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + #Check if remote subnet is used elsewhere + my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'}); + $warnmessage=&General::checksubnets('',$n2nip,'ovpn'); + if ($warnmessage){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'})
".$warnmessage; + } } # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { @@ -3604,35 +3843,33 @@ if ($cgiparams{'TYPE'} eq 'net') { } # Check if a remote host/IP has been set for the client. - if ($cgiparams{'REMOTE'} eq '' && $cgiparams{'SIDE'} ne 'server') { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + if ($cgiparams{'TYPE'} eq 'net') { + if ($cgiparams{'SIDE'} ne 'server' && $cgiparams{'REMOTE'} eq '') { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - # Check if this is a N2N connection and drop temporary config. - if ($cgiparams{'TYPE'} eq 'net') { - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - } - goto VPNCONF_ERROR; - } + # Check if this is a N2N connection and drop temporary config. + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - # Check if a remote host/IP has been configured - the field can be empty on the server side. - if ($cgiparams{'REMOTE'} ne '') { + goto VPNCONF_ERROR; + } - # Check if the given IP is valid - otherwise check if it is a valid domain. - if (! &General::validip($cgiparams{'REMOTE'})) { + # Check if a remote host/IP has been configured - the field can be empty on the server side. + if ($cgiparams{'REMOTE'} ne '') { + # Check if the given IP is valid - otherwise check if it is a valid domain. + if (! &General::validip($cgiparams{'REMOTE'})) { + # Check for a valid domain. + if (! &General::validfqdn ($cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - # Check for a valid domain. - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + # Check if this is a N2N connection and drop temporary config. + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - # Check if this is a N2N connection and drop temporary config. - if ($cgiparams{'TYPE'} eq 'net') { - unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; - rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; - } - goto VPNCONF_ERROR; + goto VPNCONF_ERROR; + } + } } - } } if ($cgiparams{'TYPE'} ne 'host') { @@ -3795,6 +4032,8 @@ if ($cgiparams{'TYPE'} eq 'net') { } if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { $errormessage = $Lang::tr{'invalid input for name'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; } if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { @@ -3867,7 +4106,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -3936,7 +4175,7 @@ if ($cgiparams{'TYPE'} eq 'net') { if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -3955,13 +4194,13 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[6] = $cgiparams{'SIDE'}; $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; } - $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; + $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; - if ($cgiparams{'OVPN_MGMT'} eq '') { + if ($cgiparams{'OVPN_MGMT'} eq '') { $confighash{$key}[22] = $confighash{$key}[29]; - } else { + } else { $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'}; - } + } $confighash{$key}[23] = $cgiparams{'MSSFIX'}; $confighash{$key}[24] = $cgiparams{'FRAGMENT'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; @@ -3979,7 +4218,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[35] = $cgiparams{'CCD_DNS1'}; $confighash{$key}[36] = $cgiparams{'CCD_DNS2'}; $confighash{$key}[37] = $cgiparams{'CCD_WINS'}; - $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; + $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; + $confighash{$key}[39] = $cgiparams{'DAUTH'}; + $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + $confighash{$key}[42] = $cgiparams{'ENGINES'}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -3991,7 +4233,6 @@ if ($cgiparams{'TYPE'} eq 'net') { if ( -e "${General::swroot}/ovpn/ccd/$confighash{$key}[2]"){ unlink "${General::swroot}/ovpn/ccd/$cgiparams{'CERT_NAME'}"; } - $confighash{$key}[2] =~ s/ /_/gi; open ( CCDRWCONF,'>',"${General::swroot}/ovpn/ccd/$confighash{$key}[2]") or die "Unable to create clientconfigfile $!"; print CCDRWCONF "# OpenVPN clientconfig from ccd extension by Copymaster#\n\n"; if($cgiparams{'CHECK1'} eq 'dynamic'){ @@ -4092,6 +4333,8 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; $cgiparams{'PMTU_DISCOVERY'} = 'off'; + $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'ENGINES'} = 'disabled'; ### # m.a.d n2n end ### @@ -4156,10 +4399,55 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + # If no cipher has been chossen yet, select + # the old default (AES-256-CBC) for compatiblity reasons. + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; + } + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + # If no hash algorythm has been choosen yet, select + # the old default value (SHA1) for compatiblity reasons. + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + # If no engine has been choosen yet, select + # a default one (disabled). + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; if (1) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); @@ -4217,48 +4505,103 @@ if ($cgiparams{'TYPE'} eq 'net') { - print <    $Lang::tr{'Act as'} + $Lang::tr{'remote host/ip'}: + $Lang::tr{'local subnet'} + $Lang::tr{'remote subnet'} + $Lang::tr{'ovpn subnet'} - $Lang::tr{'protocol'} - - - - $Lang::tr{'destination port'}: - - $Lang::tr{'comp-lzo'}   - - - mssfix   - - $Lang::tr{'openvpn default'}: on - - fragment   - - $Lang::tr{'openvpn default'}: 1300 + + $Lang::tr{'protocol'} + + + $Lang::tr{'destination port'}: + + + + $Lang::tr{'cipher'} + + + + $Lang::tr{'ovpn ha'}: + + + + + $Lang::tr{'ovpn engines'}   + + + + +
+ + Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}):   + + + $Lang::tr{'MTU'}  - - $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 - - Management Port  - - $Lang::tr{'openvpn default'}: $Lang::tr{'destination port'} + + $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 + - - $Lang::tr{'ovpn mtu-disc'} + fragment   + + $Lang::tr{'openvpn default'}: 1300 + + + mssfix   + + $Lang::tr{'openvpn default'}: on + + + $Lang::tr{'comp-lzo'}   + + + + $Lang::tr{'ovpn mtu-disc'} $Lang::tr{'ovpn mtu-disc yes'} $Lang::tr{'ovpn mtu-disc maybe'} @@ -4329,7 +4672,7 @@ if ($cgiparams{'TYPE'} eq 'host') { if ($cgiparams{'TYPE'} eq 'host') { -print < $Lang::tr{'upload a certificate request'} @@ -4354,7 +4697,7 @@ END } else { -print < $Lang::tr{'generate a certificate'}  @@ -4388,7 +4731,7 @@ END ### if ($cgiparams{'TYPE'} eq 'host') { - print <  $Lang::tr{'valid till'} (days): @@ -4396,7 +4739,7 @@ if ($cgiparams{'TYPE'} eq 'host') {   $Lang::tr{'pkcs12 file password'}: -  $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'}) +  $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})  
@@ -4404,7 +4747,7 @@ if ($cgiparams{'TYPE'} eq 'host') { END }else{ - print <         @@ -4532,7 +4875,7 @@ END if (&haveOrangeNet() && $selorange == '1'){ print"";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"";} if ($selgreen == '1' || $other == '0'){ print"";$set=0;}else{print"";}; - print<DNS1: DNS2: WINS:

@@ -4580,7 +4923,7 @@ END #default setzen if ($cgiparams{'DCIPHER'} eq '') { - $cgiparams{'DCIPHER'} = 'BF-CBC'; + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; } if ($cgiparams{'DDEST_PORT'} eq '') { $cgiparams{'DDEST_PORT'} = '1194'; @@ -4588,10 +4931,13 @@ END if ($cgiparams{'DMTU'} eq '') { $cgiparams{'DMTU'} = '1400'; } + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } - $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; $checked{'ENABLED_BLUE'}{'off'} = ''; @@ -4608,19 +4954,38 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; $selected{'DCIPHER'}{'RC2-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; + $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -4640,6 +5005,16 @@ END &Header::closebox(); } + if ($warnmessage) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); + print "$warnmessage
"; + print "$Lang::tr{'fwdfw warn1'}
"; + &Header::closebox(); + print"
"; + &Header::closepage(); + exit 0; + } + my $sactive = "
$Lang::tr{'stopped'}
"; my $srunning = "no"; my $activeonrun = ""; @@ -4651,8 +5026,8 @@ END $activeonrun = "disabled='disabled'"; } &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); - print < + print <
    @@ -4684,23 +5059,33 @@ END $Lang::tr{'destination port'}: $Lang::tr{'MTU'}  - + + + $Lang::tr{'cipher'} + + $Lang::tr{'comp-lzo'} - $Lang::tr{'cipher'} - -
+ + +

END ; @@ -4727,153 +5112,7 @@ END } print "
"; &Header::closebox(); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:"); - print < - - $Lang::tr{'name'} - $Lang::tr{'subject'} - $Lang::tr{'action'} - -EOF - ; - if (-f "${General::swroot}/ovpn/ca/cacert.pem") { - my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; - $casubject =~ /Subject: (.*)[\n]/; - $casubject = $1; - $casubject =~ s+/Email+, E+; - $casubject =~ s/ ST=/ S=/; - - print < - $Lang::tr{'root certificate'} - $casubject -
- - -
-
- - -
-   -END - ; - } else { - # display rootcert generation buttons - print < - $Lang::tr{'root certificate'}: - $Lang::tr{'not present'} -   -END - ; - } - - if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - $hostsubject =~ /Subject: (.*)[\n]/; - $hostsubject = $1; - $hostsubject =~ s+/Email+, E+; - $hostsubject =~ s/ ST=/ S=/; - - print < - $Lang::tr{'host certificate'} - $hostsubject -
- - -
-
- - -
-   -END - ; - } else { - # Nothing - print < - $Lang::tr{'host certificate'}: - $Lang::tr{'not present'} -   -END - ; - } - - if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { - print "
"; - print ""; - print "
\n"; - } - if (keys %cahash > 0) { - foreach my $key (keys %cahash) { - if (($key + 1) % 2) { - print "\n"; - } else { - print "\n"; - } - print "$cahash{$key}[0]\n"; - print "$cahash{$key}[1]\n"; - print < - - - - -
- - - -
-
- - - -
-END - ; - } - } - - print ""; - - # If the file contains entries, print Key to action icons - if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { - print < - -   $Lang::tr{'legend'}: -     $Lang::tr{ - $Lang::tr{'show certificate'} -     $Lang::tr{ - $Lang::tr{'download certificate'} - - -END -; - } - -print < - - - - -
$Lang::tr{'ca name'}:

-END -; - - - &Header::closebox(); - if ( $srunning eq "yes" ) { - print "
\n"; - }else{ - print "
\n"; - } if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { ### @@ -4881,33 +5120,35 @@ END #$Lang::tr{'remark'}
L2089 ### - &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' }); - print < + - - - - - - + + + + + + END ; - my $id = 0; - my $gif; - foreach my $key (sort { uc($confighash{$a}[1]) cmp uc($confighash{$b}[1]) } keys %confighash) { - if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } - + my $id = 0; + my $gif; + my $col1=""; + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { - print "\n"; + print ""; + $col="bgcolor='$color{'color20'}'"; } else { - print "\n"; + print ""; + $col="bgcolor='$color{'color22'}'"; } - print ""; - print ""; + print ""; + print ""; #if ($confighash{$key}[4] eq 'cert') { #print ""; #} else { @@ -4918,19 +5159,20 @@ END $cavalid = $1; if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]="net-2-net";} if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'host' ){$confighash{$key}[32]="dynamic";} - print ""; - print ""; - - my $active = "
$Lang::tr{'name'}$Lang::tr{'type'}$Lang::tr{'network'}$Lang::tr{'remark'}$Lang::tr{'status'}$Lang::tr{'action'}$Lang::tr{'name'}$Lang::tr{'type'}$Lang::tr{'network'}$Lang::tr{'remark'}$Lang::tr{'status'}$Lang::tr{'action'}
$confighash{$key}[1]" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")$confighash{$key}[1]" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")$confighash{$key}[2]$confighash{$key}[32]$confighash{$key}[25]
$Lang::tr{'capsclosed'}
"; + print "$confighash{$key}[32]"; + print "$confighash{$key}[25]"; + $col1="bgcolor='${Header::colourred}'"; + my $active = "$Lang::tr{'capsclosed'}"; if ($confighash{$key}[0] eq 'off') { - $active = "
$Lang::tr{'capsclosed'}
"; + $col1="bgcolor='${Header::colourblue}'"; + $active = "$Lang::tr{'capsclosed'}"; } else { ### # m.a.d net2net -### - +### + if ($confighash{$key}[3] eq 'net') { if (-e "/var/run/$confighash{$key}[1]n2n.pid") { @@ -4954,39 +5196,41 @@ END #EXITING -- A graceful exit is in progress. #### - if ( $tustate[1] eq 'CONNECTED') { - $active = "
$Lang::tr{'capsopen'}
"; - } else { - $active = "
$tustate[1]
"; + if ($tustate[1] eq 'CONNECTED') { + $col1="bgcolor='${Header::colourgreen}'"; + $active = "$Lang::tr{'capsopen'}"; + }else { + $col1="bgcolor='${Header::colourred}'"; + $active = "$tustate[1]"; + } } - } } - } else { - - my $cn; - my @match = (); - foreach my $line (@status) { - chomp($line); - if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { - @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); - if ($match[1] ne "Common Name") { - $cn = $match[1]; - } - $cn =~ s/[_]/ /g; - if ($cn eq "$confighash{$key}[2]") { - $active = "
$Lang::tr{'capsopen'}
"; - } - } - + }else { + + my $cn; + my @match = (); + foreach my $line (@status) { + chomp($line); + if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { + @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); + if ($match[1] ne "Common Name") { + $cn = $match[1]; + } + $cn =~ s/[_]/ /g; + if ($cn eq "$confighash{$key}[2]") { + $col1="bgcolor='${Header::colourgreen}'"; + $active = "$Lang::tr{'capsopen'}"; + } + } + } } } -} - print <$active + print <$active -
+ @@ -4994,8 +5238,8 @@ END END ; if ($confighash{$key}[4] eq 'cert') { - print < + print < @@ -5005,16 +5249,16 @@ END print " "; } if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { - print < + print < END ; } elsif ($confighash{$key}[4] eq 'cert') { - print < + print < @@ -5024,18 +5268,18 @@ END print " "; } print < +
-
+
-
+ @@ -5049,45 +5293,215 @@ END # If the config file contains entries, print Key to action icons if ( $id ) { - print < -   $Lang::tr{'legend'}: -   $Lang::tr{ - $Lang::tr{'click to disable'} -     $Lang::tr{ - $Lang::tr{'show certificate'} -     $Lang::tr{ - $Lang::tr{'edit'} -     $Lang::tr{ - $Lang::tr{'remove'} +   $Lang::tr{'legend'}: +   $Lang::tr{ + $Lang::tr{'click to disable'} +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'edit'} +     $Lang::tr{ + $Lang::tr{'remove'} -   -   ?OFF - $Lang::tr{'click to enable'} - ?FLOPPY - $Lang::tr{'download certificate'} - ?RELOAD - $Lang::tr{'dl client arch'} - -
+   +   ?OFF + $Lang::tr{'click to enable'} +     ?FLOPPY + $Lang::tr{'download certificate'} +     ?RELOAD + $Lang::tr{'dl client arch'} + +
END ; } - print < - - + + + + END - ; - &Header::closebox(); -} -&Header::closepage(); + ; + &Header::closebox(); + } + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}"); + print < + + $Lang::tr{'name'} + $Lang::tr{'subject'} + $Lang::tr{'action'} + +END + ; + my $col1="bgcolor='$color{'color22'}'"; + my $col2="bgcolor='$color{'color20'}'"; + if (-f "${General::swroot}/ovpn/ca/cacert.pem") { + my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + $casubject =~ /Subject: (.*)[\n]/; + $casubject = $1; + $casubject =~ s+/Email+, E+; + $casubject =~ s/ ST=/ S=/; + print < + $Lang::tr{'root certificate'} + $casubject +
+ + +
+
+ + +
+   +END + ; + } else { + # display rootcert generation buttons + print < + $Lang::tr{'root certificate'}: + $Lang::tr{'not present'} +   +END + ; + } + + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + $hostsubject =~ /Subject: (.*)[\n]/; + $hostsubject = $1; + $hostsubject =~ s+/Email+, E+; + $hostsubject =~ s/ ST=/ S=/; + + print < + $Lang::tr{'host certificate'} + $hostsubject +
+ + +
+
+ + +
+   +END + ; + } else { + # Nothing + print < + $Lang::tr{'host certificate'}: + $Lang::tr{'not present'} +   +END + ; + } + + if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { + print "
"; + print ""; + print "
\n"; + } + + if (keys %cahash > 0) { + foreach my $key (keys %cahash) { + if (($key + 1) % 2) { + print "\n"; + } else { + print "\n"; + } + print "$cahash{$key}[0]\n"; + print "$cahash{$key}[1]\n"; + print < + + + + +
+ + + +
+
+ + + +
+END + ; + } + } + + print ""; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { + print < + +   $Lang::tr{'legend'}: +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'download certificate'} + + +END + ; + } + print < +
+ + + + + + + + + + + + + + + + + + + + +
$Lang::tr{'ca name'}: +
$Lang::tr{'ovpn dh upload'}: +

+END + ; + + if ( $srunning eq "yes" ) { + print "
\n"; + } else { + print "
\n"; + } + &Header::closebox(); +END + ; + +&Header::closepage();