X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=8622f6d63894917946babb7d97ab467115bfb043;hp=95eb67a1ec746530e7e5d75444da3ad4ccda48b7;hb=92b87e17f1497be27cc61038b4852b00e84f5d15;hpb=7c0fce586f18ab3df70de1138f85b5bfc72e1a6e diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 95eb67a1e..8622f6d63 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2013 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -18,11 +18,14 @@ # along with this program. If not, see . # # # ############################################################################### - +### +# Based on IPFireCore 55 +### use CGI; use CGI qw/:standard/; use Net::DNS; use Net::Ping; +use Net::Telnet; use File::Copy; use File::Temp qw/ tempfile tempdir /; use strict; @@ -33,10 +36,10 @@ require "${General::swroot}/header.pl"; require "${General::swroot}/countries.pl"; # enable only the following on debugging purpose -use warnings; -use CGI::Carp 'fatalsToBrowser'; +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; #workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::colourgreen} ); +my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} ); undef (@dummy); my %color = (); @@ -47,6 +50,9 @@ my %mainsettings = (); ### ### Initialize variables ### +my %ccdconfhash=(); +my %ccdroutehash=(); +my %ccdroute2hash=(); my %netsettings=(); my %cgiparams=(); my %vpnsettings=(); @@ -57,6 +63,11 @@ my %selected=(); my $warnmessage = ''; my $errormessage = ''; my %settings=(); +my $routes_push_file = ''; +my $confighost="${General::swroot}/fwhosts/customhosts"; +my $configgrp="${General::swroot}/fwhosts/customgroups"; +my $customnet="${General::swroot}/fwhosts/customnetworks"; +my $name; &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off'; @@ -70,9 +81,16 @@ $cgiparams{'CA_NAME'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; +$cgiparams{'ROUTES_PUSH'} = ''; $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; - +$cgiparams{'number'} = ''; +$cgiparams{'PMTU_DISCOVERY'} = ''; +$routes_push_file = "${General::swroot}/ovpn/routes_push"; +unless (-e $routes_push_file) { system("touch $routes_push_file"); } +unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } +unless (-e "${General::swroot}/ovpn/ccdroute") { system("touch ${General::swroot}/ovpn/ccdroute"); } +unless (-e "${General::swroot}/ovpn/ccdroute2") { system("touch ${General::swroot}/ovpn/ccdroute2"); } &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); @@ -308,9 +326,11 @@ sub disallowreserved } sub writeserverconf { - my %sovpnsettings = (); + my %sovpnsettings = (); + my @temp = (); &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings); - + &read_routepushfile; + open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!"; flock CONF, 2; print CONF "#OpenVPN Server conf\n"; @@ -320,11 +340,11 @@ sub writeserverconf { print CONF "#DAN prepare OpenVPN for listening on blue and orange\n"; print CONF ";local $sovpnsettings{'VPN_IP'}\n"; print CONF "dev $sovpnsettings{'DDEVICE'}\n"; - print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; print CONF "script-security 3 system\n"; print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; + print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n"; print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n"; @@ -332,16 +352,64 @@ sub writeserverconf { print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n"; my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; - print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; - if ($sovpnsettings{CLIENT2CLIENT} eq 'on') { + #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; + + # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. + # If we doesn't use one of them, we can use the configured mtu value. + if ($sovpnsettings{'MSSFIX'} eq 'on') + { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') + { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) + { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + else + { print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; } + + if ($vpnsettings{'ROUTES_PUSH'} ne '') { + @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'}); + foreach (@temp) + { + @tempovpnsubnet = split("\/",&General::ipcidr2msk($_)); + print CONF "push \"route " . $tempovpnsubnet[0]. " " . $tempovpnsubnet[1] . "\"\n"; + } + } +# a.marx ccd + my %ccdconfhash=(); + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + my $a=$ccdconfhash{$key}[1]; + my ($b,$c) = split (/\//, $a); + print CONF "route $b ".&General::cidrtosub($c)."\n"; + } + my %ccdroutehash=(); + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){ + my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]); + print CONF "route $a $b\n"; + } + } +# ccd end + + if ($sovpnsettings{CLIENT2CLIENT} eq 'on') { print CONF "client-to-client\n"; } if ($sovpnsettings{MSSFIX} eq 'on') { print CONF "mssfix\n"; } if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { - print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; + print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; + } + + # Check if a valid operating mode has been choosen and use it. + if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { + print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n"; } + if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; } @@ -387,7 +455,7 @@ sub writeserverconf { close(CONF); } -# + sub emptyserverlog{ if (open(FILE, ">/var/log/ovpnserver.log")) { flock FILE, 2; @@ -397,6 +465,313 @@ sub emptyserverlog{ } +sub delccdnet +{ + my %ccdconfhash = (); + my %ccdhash = (); + my $ccdnetname=$_[0]; + if (-f "${General::swroot}/ovpn/ovpnconfig"){ + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[32] eq $ccdnetname) { + $errormessage=$Lang::tr{'ccd err hostinnet'}; + return; + } + } + } + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + if ($ccdconfhash{$key}[0] eq $ccdnetname){ + delete $ccdconfhash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + + &writeserverconf; + return 0; +} + +sub addccdnet +{ + my %ccdconfhash=(); + my @ccdconf=(); + my $ccdname=$_[0]; + my $ccdnet=$_[1]; + my $subcidr; + my @ip2=(); + my $checkup; + my $ccdip; + my $baseaddress; + + + #check name + if ($ccdname eq '') + { + $errormessage=$errormessage.$Lang::tr{'ccd err name'}."
"; + return + } + + if(!&General::validhostname($ccdname)) + { + $errormessage=$Lang::tr{'ccd err invalidname'}; + return; + } + + ($ccdip,$subcidr) = split (/\//,$ccdnet); + $subcidr=&General::iporsubtocidr($subcidr); + #check subnet + if ($subcidr > 30) + { + $errormessage=$Lang::tr{'ccd err invalidnet'}; + return; + } + #check ip + if (!&General::validipandmask($ccdnet)){ + $errormessage=$Lang::tr{'ccd err invalidnet'}; + return; + } + + $errormessage=&General::checksubnets($ccdname,$ccdnet); + + + if (!$errormessage) { + my %ccdconfhash=(); + $baseaddress=&General::getnetworkip($ccdip,$subcidr); + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + my $key = &General::findhasharraykey (\%ccdconfhash); + foreach my $i (0 .. 1) { $ccdconfhash{$key}[$i] = "";} + $ccdconfhash{$key}[0] = $ccdname; + $ccdconfhash{$key}[1] = $baseaddress."/".$subcidr; + &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + &writeserverconf; + $cgiparams{'ccdname'}=''; + $cgiparams{'ccdsubnet'}=''; + return 1; + } +} + +sub modccdnet +{ + + my $newname=$_[0]; + my $oldname=$_[1]; + my %ccdconfhash=(); + my %ccdhash=(); + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + if ($ccdconfhash{$key}[0] eq $oldname) { + foreach my $key1 (keys %ccdconfhash) { + if ($ccdconfhash{$key1}[0] eq $newname){ + $errormessage=$errormessage.$Lang::tr{'ccd err netadrexist'}; + return; + }else{ + $ccdconfhash{$key}[0]= $newname; + &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + last; + } + } + } + } + + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[32] eq $oldname) { + $ccdhash{$key}[32]=$newname; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + last; + } + } + + return 0; +} +sub ccdmaxclients +{ + my $ccdnetwork=$_[0]; + my @octets=(); + my @subnet=(); + @octets=split("\/",$ccdnetwork); + @subnet= split /\./, &General::cidrtosub($octets[1]); + my ($a,$b,$c,$d,$e); + $a=256-$subnet[0]; + $b=256-$subnet[1]; + $c=256-$subnet[2]; + $d=256-$subnet[3]; + $e=($a*$b*$c*$d)/4; + return $e-1; +} + +sub getccdadresses +{ + my $ipin=$_[0]; + my ($ip1,$ip2,$ip3,$ip4)=split /\./, $ipin; + my $cidr=$_[1]; + chomp($cidr); + my $count=$_[2]; + my $hasip=$_[3]; + chomp($hasip); + my @iprange=(); + my %ccdhash=(); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; + for (my $i=1;$i<=$count;$i++) { + my $tmpip=$iprange[$i-1]; + my $stepper=$i*4; + $iprange[$i]= &General::getnextip($tmpip,4); + } + my $r=0; + foreach my $key (keys %ccdhash) { + $r=0; + foreach my $tmp (@iprange){ + my ($net,$sub) = split (/\//,$ccdhash{$key}[33]); + if ($net eq $tmp) { + if ( $hasip ne $ccdhash{$key}[33] ){ + splice (@iprange,$r,1); + } + } + $r++; + } + } + return @iprange; +} + +sub fillselectbox +{ + my $boxname=$_[1]; + my ($ccdip,$subcidr) = split("/",$_[0]); + my $tz=$_[2]; + my @allccdips=&getccdadresses($ccdip,$subcidr,&ccdmaxclients($ccdip."/".$subcidr),$tz); + print""; +} + +sub hostsinnet +{ + my $name=$_[0]; + my %ccdhash=(); + my $i=0; + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[32] eq $name){ $i++;} + } + return $i; +} + +sub check_routes_push +{ + my $val=$_[0]; + my ($ip,$cidr) = split (/\//, $val); + ##check for existing routes in routes_push + if (-e "${General::swroot}/ovpn/routes_push") { + open(FILE,"${General::swroot}/ovpn/routes_push"); + while () { + $_=~s/\s*$//g; + + my ($ip2,$cidr2) = split (/\//,"$_"); + my $val2=$ip2."/".&General::iporsubtodec($cidr2); + + if($val eq $val2){ + return 0; + } + #subnetcheck + if (&General::IpInSubnet ($ip,$ip2,&General::iporsubtodec($cidr2))){ + return 0; + } + }; + close(FILE); + } + return 1; +} + +sub check_ccdroute +{ + my %ccdroutehash=(); + my $val=$_[0]; + my ($ip,$cidr) = split (/\//, $val); + #check for existing routes in ccdroute + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + foreach my $i (1 .. $#{$ccdroutehash{$key}}) { + if (&General::iporsubtodec($val) eq $ccdroutehash{$key}[$i] && $ccdroutehash{$key}[0] ne $cgiparams{'NAME'}){ + return 0; + } + my ($ip2,$cidr2) = split (/\//,$ccdroutehash{$key}[$i]); + #subnetcheck + if (&General::IpInSubnet ($ip,$ip2,$cidr2)&& $ccdroutehash{$key}[0] ne $cgiparams{'NAME'} ){ + return 0; + } + } + } + return 1; +} +sub check_ccdconf +{ + my %ccdconfhash=(); + my $val=$_[0]; + my ($ip,$cidr) = split (/\//, $val); + #check for existing routes in ccdroute + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + if (&General::iporsubtocidr($val) eq $ccdconfhash{$key}[1]){ + return 0; + } + my ($ip2,$cidr2) = split (/\//,$ccdconfhash{$key}[1]); + #subnetcheck + if (&General::IpInSubnet ($ip,$ip2,&General::cidrtosub($cidr2))){ + return 0; + } + + } + return 1; +} + +### +# m.a.d net2net +### + +sub validdotmask +{ + my $ipdotmask = $_[0]; + if (&General::validip($ipdotmask)) { return 0; } + if (!($ipdotmask =~ /^(.*?)\/(.*?)$/)) { } + my $mask = $2; + if (($mask =~ /\./ )) { return 0; } + return 1; +} + +# ------------------------------------------------------------------- + +sub write_routepushfile +{ + open(FILE, ">$routes_push_file"); + flock(FILE, 2); + if ($vpnsettings{'ROUTES_PUSH'} ne '') { + print FILE $vpnsettings{'ROUTES_PUSH'}; + } + close(FILE); +} + +sub read_routepushfile +{ + if (-e "$routes_push_file") { + open(FILE,"$routes_push_file"); + delete $vpnsettings{'ROUTES_PUSH'}; + while () { $vpnsettings{'ROUTES_PUSH'} .= $_ }; + close(FILE); + $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'}; + + } +} + + #hier die refresh page if ( -e "${General::swroot}/ovpn/gencanow") { my $refresh = ''; @@ -432,11 +807,11 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} || &emptyserverlog(); } # #restart openvpn server - if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){ +# if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){ #workarund, till SIGHUP also works when running as nobody - system('/usr/local/bin/openvpnctrl', '-r'); - &emptyserverlog(); - } +# system('/usr/local/bin/openvpnctrl', '-r'); +# &emptyserverlog(); +# } } ### @@ -457,6 +832,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; + $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; + $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; + my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { delete $vpnsettings{'FRAGMENT'}; @@ -473,8 +851,19 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { } else { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } + + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { + + if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) { + $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; + goto ADV_ERROR; + } + } + if ($cgiparams{'DHCP_DOMAIN'} ne ''){ - unless (&General::validfqdn($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) { + unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) { $errormessage = $Lang::tr{'invalid input for dhcp domain'}; goto ADV_ERROR; } @@ -488,9 +877,59 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { if ($cgiparams{'DHCP_WINS'} ne ''){ unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) { $errormessage = $Lang::tr{'invalid input for dhcp wins'}; - goto ADV_ERROR; + goto ADV_ERROR; } } + if ($cgiparams{'ROUTES_PUSH'} ne ''){ + @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'}); + undef $vpnsettings{'ROUTES_PUSH'}; + + foreach my $tmpip (@temp) + { + s/^\s+//g; s/\s+$//g; + + if ($tmpip) + { + $tmpip=~s/\s*$//g; + unless (&General::validipandmask($tmpip)) { + $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'}; + goto ADV_ERROR; + } + my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip)); + + if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) { + $errormessage = $Lang::tr{'ovpn errmsg green already pushed'}; + goto ADV_ERROR; + } +# a.marx ccd + my %ccdroutehash=(); + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + foreach my $i (1 .. $#{$ccdroutehash{$key}}) { + if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){ + $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ; + goto ADV_ERROR; + } + my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]); + if (&General::IpInSubnet ($ip,$ip2,$cidr2)){ + $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ; + goto ADV_ERROR; + } + } + } + +# ccd end + + $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n"; + } + } + &write_routepushfile; + undef $vpnsettings{'ROUTES_PUSH'}; + } + else { + undef $vpnsettings{'ROUTES_PUSH'}; + &write_routepushfile; + } if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) { $errormessage = $Lang::tr{'invalid input for max clients'}; goto ADV_ERROR; @@ -517,7 +956,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { } ### -# m.a.d Save net2net server config +# m.a.d net2net ### if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server') @@ -525,7 +964,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'}); my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'}); -my $ovsubnet = "@ovsubnettemp[0].@ovsubnettemp[1].@ovsubnettemp[2]"; +my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]"; my $tunmtu = ''; unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";} @@ -534,159 +973,166 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General open(SERVERCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!"; flock SERVERCONF, 2; - print SERVERCONF "# n2n Open VPN Server Config by ummeegge und m.a.d\n"; + print SERVERCONF "# IPFire n2n Open VPN Server Config by ummeegge und m.a.d\n"; print SERVERCONF "\n"; - print SERVERCONF "# User Sicherheit\n"; + print SERVERCONF "# User Security\n"; print SERVERCONF "user nobody\n"; print SERVERCONF "group nobody\n"; print SERVERCONF "persist-tun\n"; print SERVERCONF "persist-key\n"; - print SERVERCONF "\n"; - print SERVERCONF "# IP/DNS fuer das Server Gateway - g2g Mode\n"; + print SERVERCONF "script-security 2\n"; + print SERVERCONF "# IP/DNS for remote Server Gateway\n"; print SERVERCONF "remote $cgiparams{'REMOTE'}\n"; - print SERVERCONF "\n"; - print SERVERCONF "# IP Adressen des VPN Tunnels\n"; + print SERVERCONF "float\n"; + print SERVERCONF "# IP adresses of the VPN Subnet\n"; print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; - print SERVERCONF "\n"; - print SERVERCONF "# Netzwerk auf dem Client Gateway\n"; - print SERVERCONF "route @remsubnet[0] @remsubnet[1]\n"; - print SERVERCONF "# Device fuer den Tunnel\n"; + print SERVERCONF "# Client Gateway Network\n"; + print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n"; + print SERVERCONF "# tun Device\n"; print SERVERCONF "dev tun\n"; - print SERVERCONF "\n"; - print SERVERCONF "#Port und Protokoll\n"; + print SERVERCONF "# Port and Protokol\n"; print SERVERCONF "port $cgiparams{'DEST_PORT'}\n"; - print SERVERCONF "proto $cgiparams{'PROTOCOL'}\n"; - print SERVERCONF "\n"; - print SERVERCONF "# Paketgroessen\n"; + + if ($cgiparams{'PROTOCOL'} eq 'tcp') { + print SERVERCONF "proto tcp-server\n"; + print SERVERCONF "# Packet size\n"; if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}}; - print SERVERCONF "tun-mtu $tunmtu\n"; - if ($cgiparams{'PROTOCOL'} eq 'udp') { - if ($cgiparams{'FRAGMENT'} eq '') { - print SERVERCONF "fragment 1300\r\n"; - } else { - print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n" + print SERVERCONF "tun-mtu $tunmtu\n"; } - if ($cgiparams{'MSSFIX'} eq 'on') { - print SERVERCONF "mssfix\n"; + + if ($cgiparams{'PROTOCOL'} eq 'udp') { + print SERVERCONF "proto udp\n"; + print SERVERCONF "# Paketsize\n"; + if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}}; + print SERVERCONF "tun-mtu $tunmtu\n"; + if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";} + if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; } + + # Check if a valid operating mode has been choosen and use it. + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { + if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { + if($cgiparams{'MTU'} eq '1500') { + print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; + } + } } - print SERVERCONF "\n"; - print SERVERCONF "# Auth Server\n"; + print SERVERCONF "# Auth. Server\n"; print SERVERCONF "tls-server\n"; print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; - print SERVERCONF "\n"; - print SERVERCONF "# Verschluesselung\n"; + print SERVERCONF "# Cipher\n"; print SERVERCONF "cipher AES-256-CBC\n"; if ($cgiparams{'COMPLZO'} eq 'on') { - print SERVERCONF "# Kompression einschalten\n"; + print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\r\n"; - print SERVERCONF "#\n"; - } - print SERVERCONF "# Debug Level setzen\n"; + } + print SERVERCONF "# Debug Level\n"; print SERVERCONF "verb 3\n"; - print SERVERCONF "\n"; - print SERVERCONF "# Tunnel Ueberwachung\n"; + print SERVERCONF "# Tunnel check\n"; print SERVERCONF "keepalive 10 60\n"; - print SERVERCONF "\n"; - print SERVERCONF "# Als Daemon starten mit Namen ovpnn2n\n"; + print SERVERCONF "# Start as daemon\n"; print SERVERCONF "daemon $cgiparams{'NAME'}n2n\n"; print SERVERCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n"; - print SERVERCONF "\n"; - print SERVERCONF "# Management Interface aktivieren\n"; - print SERVERCONF "#management localhost 4711\n"; + print SERVERCONF "# Activate Management Interface and Port\n"; + if ($cgiparams{'OVPN_MGMT'} eq '') {print SERVERCONF "management localhost $cgiparams{'DEST_PORT'}\n"} + else {print SERVERCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"}; close(SERVERCONF); } ### -# m.a.d Save net2net client config +# m.a.d net2net ### + if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client') { my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'}); - my $ovsubnet = "@ovsubnettemp[0].@ovsubnettemp[1].@ovsubnettemp[2]"; + my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]"; my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'}); my $tunmtu = ''; - + unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";} unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";} open(CLIENTCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!"; flock CLIENTCONF, 2; - print CLIENTCONF "# rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n"; + print CLIENTCONF "# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n"; print CLIENTCONF "#\n"; - print CLIENTCONF "# User Sicherheit\n"; + print CLIENTCONF "# User Security\n"; print CLIENTCONF "user nobody\n"; print CLIENTCONF "group nobody\n"; print CLIENTCONF "persist-tun\n"; print CLIENTCONF "persist-key\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# IP/DNS fuer das Server Gateway - g2g Mode\n"; + print CLIENTCONF "script-security 2\n"; + print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; print CLIENTCONF "remote $cgiparams{'REMOTE'}\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# IP Adressen des VPN Tunnels\n"; + print CLIENTCONF "float\n"; + print CLIENTCONF "# IP adresses of the VPN Subnet\n"; print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Netzwerk auf dem Server Gateway\n"; - print CLIENTCONF "route @remsubnet[0]/@remsubnet[1]\n"; - print CLIENTCONF "# Device fuer den Tunnel\n"; + print CLIENTCONF "# Server Gateway Network\n"; + print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; + print CLIENTCONF "# tun Device\n"; print CLIENTCONF "dev tun\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "#Port und Protokoll\n"; + print CLIENTCONF "# Port and Protokol\n"; print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n"; - print CLIENTCONF "proto $cgiparams{'PROTOCOL'}\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Paketgroessen\n"; + + if ($cgiparams{'PROTOCOL'} eq 'tcp') { + print CLIENTCONF "proto tcp-client\n"; + print CLIENTCONF "# Packet size\n"; if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}}; - print CLIENTCONF "tun-mtu $tunmtu\n"; - if ($cgiparams{'PROTOCOL'} eq 'udp') { - if ($cgiparams{'FRAGMENT'} eq '') { - print CLIENTCONF "fragment 1300\r\n"; - } else { - print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n" + print CLIENTCONF "tun-mtu $tunmtu\n"; } - if ($cgiparams{'MSSFIX'} eq 'on') { - print CLIENTCONF "mssfix\n"; + + if ($cgiparams{'PROTOCOL'} eq 'udp') { + print CLIENTCONF "proto udp\n"; + print CLIENTCONF "# Paketsize\n"; + if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}}; + print CLIENTCONF "tun-mtu $tunmtu\n"; + if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";} + if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; } + + # Check if a valid operating mode has been choosen and use it. + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { + if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { + if ($cgiparams{'MTU'} eq '1500') { + print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; + } + } } - print CLIENTCONF "#\n"; + + print CLIENTCONF "ns-cert-type server\n"; print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Verschluesselung\n"; + print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher AES-256-CBC\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; - print CLIENTCONF "#\n"; if ($cgiparams{'COMPLZO'} eq 'on') { - print CLIENTCONF "# Kompression einschalten\n"; + print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; - print CLIENTCONF "#\n"; - } - print CLIENTCONF "#\n"; + } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Tunnel Ueberwachung\n"; + print CLIENTCONF "# Tunnel check\n"; print CLIENTCONF "keepalive 10 60\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Als Daemon starten\n"; + print CLIENTCONF "# Start as daemon\n"; print CLIENTCONF "daemon $cgiparams{'NAME'}n2n\n"; print CLIENTCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Management Interface aktivieren\n"; - print CLIENTCONF "# management localhost 4711\n"; + print CLIENTCONF "# Activate Management Interface and Port\n"; + if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"} + else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"}; close(CLIENTCONF); } -### -# m.a.d Save net2net config end -### - ### ### Save main settings ### @@ -1488,7 +1934,7 @@ END ### ### -# m.a.d net2net Anpassung +# m.a.d net2net ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { @@ -1499,29 +1945,26 @@ END my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1]|grep -v grep|awk \'{print \$1}\'`; if ($confighash{$cgiparams{'KEY'}}) { + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { - $confighash{$cgiparams{'KEY'}}[0] = 'on'; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } - - } else { + } + } else { - $confighash{$cgiparams{'KEY'}}[0] = 'off'; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + $confighash{$cgiparams{'KEY'}}[0] = 'off'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); - } + system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + } - } else { + } else { $errormessage = $Lang::tr{'invalid key'}; - } + } } } @@ -1540,8 +1983,8 @@ END my $zippath = "$tempdir/"; ### -# m.a.d net2net DL Client Package -### +# m.a.d net2net +### if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ @@ -1549,77 +1992,82 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ my $zippathname = "$zippath$zipname"; $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf"; my @ovsubnettemp = split(/\./,$confighash{$cgiparams{'KEY'}}[27]); - my $ovsubnet = "@ovsubnettemp[0].@ovsubnettemp[1].@ovsubnettemp[2]"; + my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]"; my $tunmtu = ''; + my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]); + my $n2nfragment = ''; open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!"; flock CLIENTCONF, 2; my $zip = Archive::Zip->new(); - print CLIENTCONF "# n2n Open VPN Client Config by ummeegge und m.a.d\n"; + print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n"; print CLIENTCONF "# \n"; - print CLIENTCONF "# User Sicherheit\n"; + print CLIENTCONF "# User Security\n"; print CLIENTCONF "user nobody\n"; print CLIENTCONF "group nobody\n"; print CLIENTCONF "persist-tun\n"; print CLIENTCONF "persist-key\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# IP/DNS fuer das Server Gateway - g2g Mode\n"; + print CLIENTCONF "script-security 2\n"; + print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# IP Adressen des VPN Tunnels\n"; + print CLIENTCONF "float\n"; + print CLIENTCONF "# IP adresses of the VPN Subnet\n"; print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Netzwerk auf dem Server Gateway\n"; - print CLIENTCONF "route $confighash{$cgiparams{'KEY'}}[8]\n"; - print CLIENTCONF "# Device fuer den Tunnel\n"; + print CLIENTCONF "# Server Gateway Network\n"; + print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; + print CLIENTCONF "# tun Device\n"; print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "#Port und Protokoll\n"; + print CLIENTCONF "# Port and Protokoll\n"; print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; - print CLIENTCONF "proto $confighash{$cgiparams{'KEY'}}[28]\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Paketgroessen\n"; + + if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') { + print CLIENTCONF "proto tcp-client\n"; + print CLIENTCONF "# Packet size\n"; if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; - print CLIENTCONF "tun-mtu $tunmtu\n"; - if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') { - if ($cgiparams{'FRAGMENT'} eq '') { - print CLIENTCONF "fragment 1300\r\n"; - } else { - print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n" + print CLIENTCONF "tun-mtu $tunmtu\n"; } - if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') { - print CLIENTCONF "mssfix\n"; + + if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') { + print CLIENTCONF "proto udp\n"; + print CLIENTCONF "# Paketsize\n"; + if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; + print CLIENTCONF "tun-mtu $tunmtu\n"; + if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";} + if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} } + if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') || + ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') || + ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) { + if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) { + if ($tunmtu eq '1500' ) { + print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n"; + } + } } - print CLIENTCONF "#\n"; + print CLIENTCONF "ns-cert-type server\n"; print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Verschluesselung\n"; + print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher AES-256-CBC\n"; if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; } - print CLIENTCONF "#\n"; if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { - print CLIENTCONF "# Kompression einschalten\n"; + print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; - print CLIENTCONF "#\n"; - } + } print CLIENTCONF "# Debug Level\n"; print CLIENTCONF "verb 3\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Tunnel Ueberwachung\n"; + print CLIENTCONF "# Tunnel check\n"; print CLIENTCONF "keepalive 10 60\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Als Daemon starten\n"; + print CLIENTCONF "# Start as daemon\n"; print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n"; print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n"; - print CLIENTCONF "#\n"; - print CLIENTCONF "# Management Interface aktivieren\n"; - print CLIENTCONF "# management localhost 4711\n"; + print CLIENTCONF "# Activate Management Interface and Port\n"; + if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} + else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"}; print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n"; @@ -1642,7 +2090,7 @@ else $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn"; ### -# m.a.d net2net DL Client Package end +# m.a.d net2net ### open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!"; @@ -1650,12 +2098,26 @@ else my $zip = Archive::Zip->new(); - print CLIENTCONF "#OpenVPN Server conf\r\n"; + print CLIENTCONF "#OpenVPN Client conf\r\n"; print CLIENTCONF "tls-client\r\n"; print CLIENTCONF "client\r\n"; + print CLIENTCONF "nobind\r\n"; print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n"; print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; - print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; + + # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500 + # or use configured value. + if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) + { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + elsif ($vpnsettings{MSSFIX} eq 'on') + { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') || + ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || + ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) + { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\r\n"; } + else + { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; } + if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ @@ -1699,6 +2161,15 @@ else if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) { print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n"; } + + # Check if a valid operating mode has been choosen and use it. + if (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') || + ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || + ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { + if(($vpnsettings{MSSFIX} ne 'on') || ($vpnsettings{FRAGMENT} eq '')) { + print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; + } + } close(CLIENTCONF); $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; @@ -1732,8 +2203,9 @@ else my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; ### -# m.a.d net2net Anpassung +# m.a.d net2net ### + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); @@ -1743,15 +2215,43 @@ else rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; } -### -# m.a.d net2net Anpassung end -### unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + +# A.Marx CCD delete ccd files and routes + + + if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]") + { + unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; + } + + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroutehash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + + &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + foreach my $key (keys %ccdroute2hash) { + if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroute2hash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + &writeserverconf; + + +# CCD end + + delete $confighash{$cgiparams{'KEY'}}; my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); } else { $errormessage = $Lang::tr{'invalid key'}; @@ -1818,8 +2318,11 @@ else %cgiparams = (); %cahash = (); %confighash = (); + my $disabled; &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); - + read_routepushfile; + + # if ($cgiparams{'CLIENT2CLIENT'} eq '') { # $cgiparams{'CLIENT2CLIENT'} = 'on'; # } @@ -1827,7 +2330,6 @@ ADV_ERROR: if ($cgiparams{'MAX_CLIENTS'} eq '') { $cgiparams{'MAX_CLIENTS'} = '100'; } - if ($cgiparams{'KEEPALIVE_1'} eq '') { $cgiparams{'KEEPALIVE_1'} = '10'; } @@ -1835,7 +2337,10 @@ ADV_ERROR: $cgiparams{'KEEPALIVE_2'} = '60'; } if ($cgiparams{'LOG_VERB'} eq '') { - $cgiparams{'LOG_VERB'} = '3'; + $cgiparams{'LOG_VERB'} = '3'; + } + if ($cgiparams{'PMTU_DISCOVERY'} eq '') { + $cgiparams{'PMTU_DISCOVERY'} = 'off'; } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; @@ -1847,6 +2352,7 @@ ADV_ERROR: $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; + $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; $selected{'LOG_VERB'}{'3'} = ''; @@ -1860,9 +2366,7 @@ ADV_ERROR: $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - - - + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); @@ -1875,7 +2379,7 @@ ADV_ERROR: &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); print < - +
@@ -1884,7 +2388,7 @@ ADV_ERROR: - + @@ -1893,6 +2397,25 @@ ADV_ERROR: + + + + + + + +
$Lang::tr{'dhcp-options'}
Domain
DNS
WINS
$Lang::tr{'ovpn routes push options'}
$Lang::tr{'ovpn routes push'} +
@@ -1901,7 +2424,7 @@ ADV_ERROR: $Lang::tr{'misc-options'} - + Client-To-Client @@ -1916,7 +2439,7 @@ ADV_ERROR: - Keppalive
+ Keepalive
(ping/ping-restart) @@ -1924,13 +2447,21 @@ ADV_ERROR: fragment
- Default: 1300 - + Default: 1300 + mssfix Default: on - + + + + $Lang::tr{'ovpn mtu-disc'} + $Lang::tr{'ovpn mtu-disc yes'} + $Lang::tr{'ovpn mtu-disc maybe'} + $Lang::tr{'ovpn mtu-disc no'} + $Lang::tr{'ovpn mtu-disc off'} +