X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=9dd901138cf2c8ca51014cb59c9e0ea6425a6510;hp=af2f6e353cc2fbc1b01b231fe3e8e69279b3cadf;hb=b368a2f84d7a99c37cf19194ffa167d30363a63d;hpb=115340d291bf0f0fc3c64fca893d863867f268c4
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
old mode 100644
new mode 100755
index af2f6e353..9dd901138
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1,24 +1,36 @@
 #!/usr/bin/perl
-# based on SmoothWall and IPCop CGIs
-#
-# This code is distributed under the terms of the GPL
-# Main idea from zeroconcept
-# ZERNINA-VERSION:0.9.7a9
-# (c) 2005 Ufuk Altinkaynak
-#
-# Ipcop and OpenVPN eas as one two three..
-#
-
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2011 IPFire Team #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+###
+# Based on IPFireCore 55
+###
 use CGI;
 use CGI qw/:standard/;
 use Net::DNS;
+use Net::Ping;
+use Net::Telnet;
 use File::Copy;
 use File::Temp qw/ tempfile tempdir /;
 use strict;
 use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
-use Net::Ping;
 require '/var/ipfire/general-functions.pl';
-require '/srv/web/ipfire/cgi-bin/ovpnfunc.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 require "${General::swroot}/countries.pl";
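Review bot: `use Net::Telnet;` is added to the preamble, but nothing in the visible part of this patch calls it; if it is only needed by code outside these hunks that is fine, otherwise the import should go, since every extra module widens what a CGI running as the web user loads at every request. `use strict;` is in force here while `#use warnings;` stays commented out just below this hunk; with several hundred new lines of subs arriving in this commit, `use warnings;` would surface the uninitialised-value and stale-capture paths in them at no runtime cost.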
@@ -27,14 +39,20 @@ require "${General::swroot}/countries.pl"; #use warnings; #use CGI::Carp 'fatalsToBrowser'; #workaround to suppress a warning when a variable is used only once -my @dummy = ( ${Header::colourgreen} ); +my @dummy = ( ${Header::colourgreen}, ${Header::colourblue} ); undef (@dummy); - +my %color = (); +my %mainsettings = (); +&General::readhash("${General::swroot}/main/settings", \%mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); ### ### Initialize variables ### +my %ccdconfhash=(); +my %ccdroutehash=(); +my %ccdroute2hash=(); my %netsettings=(); my %cgiparams=(); my %vpnsettings=(); @@ -45,7 +63,7 @@ my %selected=(); my $warnmessage = ''; my $errormessage = ''; my %settings=(); -my $zerinaclient = ''; +my $routes_push_file = ''; &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off'; 
@@ -59,13 +77,736 @@ $cgiparams{'CA_NAME'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; +$cgiparams{'ROUTES_PUSH'} = ''; $cgiparams{'DCOMPLZO'} = 'off'; +$cgiparams{'MSSFIX'} = ''; +$cgiparams{'number'} = ''; +$cgiparams{'PMTU_DISCOVERY'} = ''; +$routes_push_file = "${General::swroot}/ovpn/routes_push"; +unless (-e $routes_push_file) { system("touch $routes_push_file"); } +unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } +unless (-e "${General::swroot}/ovpn/ccdroute") { system("touch ${General::swroot}/ovpn/ccdroute"); } +unless (-e "${General::swroot}/ovpn/ccdroute2") { system("touch ${General::swroot}/ovpn/ccdroute2"); } + &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); # prepare openvpn config file ### ### Useful functions ### +sub haveOrangeNet +{ + if ($netsettings{'CONFIG_TYPE'} == 2) {return 1;} + if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} + return 0; +} + +sub haveBlueNet +{ + if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;} + if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;} + return 0; +} + +sub sizeformat{ + my $bytesize = shift; + my $i = 0; + + while(abs($bytesize) >= 1024){ + $bytesize=$bytesize/1024; + $i++; + last if($i==6); + } + + my @units = ("Bytes","KB","MB","GB","TB","PB","EB"); + my $newsize=(int($bytesize*100 +0.5))/100; + return("$newsize $units[$i]"); +} + +sub valid_dns_host { + my $hostname = $_[0]; + unless ($hostname) { return "No hostname"}; + my $res = new Net::DNS::Resolver; + my $query = $res->search("$hostname"); + if ($query) { + foreach my $rr ($query->answer) { + ## Potential bug - we are only looking at A records: + return 0 if $rr->type eq "A"; + } + } else { + return $res->errorstring; + } +} + +sub cleanssldatabase +{ + if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) { + print FILE "01"; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) { + print FILE 
""; + close FILE; + } + unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/serial.old"); + unlink ("${General::swroot}/ovpn/certs/01.pem"); +} + +sub newcleanssldatabase +{ + if (! -s "${General::swroot}/ovpn/certs/serial" ) { + open(FILE, ">${General::swroot}(ovpn/certs/serial"); + print FILE "01"; + close FILE; + } + if (! -s ">${General::swroot}/ovpn/certs/index.txt") { + system ("touch ${General::swroot}/ovpn/certs/index.txt"); + } + unlink ("${General::swroot}/ovpn/certs/index.txt.old"); + unlink ("${General::swroot}/ovpn/certs/serial.old"); +} + +sub deletebackupcert +{ + if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) { + my $hexvalue = ; + chomp $hexvalue; + close FILE; + unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem"); + } +} + +sub checkportfw { + my $KEY2 = $_[0]; # key2 + my $SRC_PORT = $_[1]; # src_port + my $PROTOCOL = $_[2]; # protocol + my $SRC_IP = $_[3]; # sourceip + + my $pfwfilename = "${General::swroot}/portfw/config"; + open(FILE, $pfwfilename) or die 'Unable to open config file.'; + my @pfwcurrent = ; + close(FILE); + my $pfwkey1 = 0; # used for finding last sequence number used + foreach my $pfwline (@pfwcurrent) + { + my @pfwtemp = split(/\,/,$pfwline); + + chomp ($pfwtemp[8]); + if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition + if ( $SRC_PORT eq $pfwtemp[3] && + $PROTOCOL eq $pfwtemp[2] && + $SRC_IP eq $pfwtemp[7]) + { + $errormessage = "$Lang::tr{'source port in use'} $SRC_PORT"; + } + # Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number + if ( $pfwtemp[1] eq "0") { + $pfwkey1=$pfwtemp[0]; + } + # Darren Critchley - Duplicate or overlapping Port range check + if ($pfwtemp[1] eq "0" && + $PROTOCOL eq $pfwtemp[2] && + $SRC_IP eq $pfwtemp[7] && + $errormessage eq '') + { + &portchecks($SRC_PORT, $pfwtemp[5]); +# &portchecks($pfwtemp[3], $pfwtemp[5]); +# &portchecks($pfwtemp[3], $SRC_IP); + } + } + } +# $errormessage="$KEY2 
$SRC_PORT $PROTOCOL $SRC_IP"; + + return; +} + +sub checkportoverlap +{ + my $portrange1 = $_[0]; # New port range + my $portrange2 = $_[1]; # existing port range + my @tempr1 = split(/\:/,$portrange1); + my @tempr2 = split(/\:/,$portrange2); + + unless (&checkportinc($tempr1[0], $portrange2)){ return 0;} + unless (&checkportinc($tempr1[1], $portrange2)){ return 0;} + + unless (&checkportinc($tempr2[0], $portrange1)){ return 0;} + unless (&checkportinc($tempr2[1], $portrange1)){ return 0;} + + return 1; # Everything checks out! +} + +# Darren Critchley - we want to make sure that a port entry is not within an already existing range +sub checkportinc +{ + my $port1 = $_[0]; # Port + my $portrange2 = $_[1]; # Port range + my @tempr1 = split(/\:/,$portrange2); + + if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) { + return 1; + } else { + return 0; + } +} +# Darren Critchley - Duplicate or overlapping Port range check +sub portchecks +{ + my $p1 = $_[0]; # New port range + my $p2 = $_[1]; # existing port range +# $_ = $_[0]; + our ($prtrange1, $prtrange2); + $prtrange1 = 0; +# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges +# unless (&checkportoverlap($p1,$p2)) { +# $errormessage = "$Lang::tr{'source port overlaps'} $p1"; +# } +# } + if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range + unless (&checkportinc($p2,$p1)) { + $errormessage = "$Lang::tr{'srcprt within existing'} $p1"; + } + } + $prtrange1 = 1; + if (! 
m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range + unless (&checkportinc($p1,$p2)) { + $errormessage = "$Lang::tr{'srcprt range overlaps'} $p2"; + } + } + return; +} + +# Darren Critchley - certain ports are reserved for IPFire +# TCP 67,68,81,222,445 +# UDP 67,68 +# Params passed in -> port, rangeyn, protocol +sub disallowreserved +{ + # port 67 and 68 same for tcp and udp, don't bother putting in an array + my $msg = ""; + my @tcp_reserved = (81,222,445); + my $prt = $_[0]; # the port or range + my $ryn = $_[1]; # tells us whether or not it is a port range + my $prot = $_[2]; # protocol + my $srcdst = $_[3]; # source or destination + if ($ryn) { # disect port range + if ($srcdst eq "src") { + $msg = "$Lang::tr{'rsvd src port overlap'}"; + } else { + $msg = "$Lang::tr{'rsvd dst port overlap'}"; + } + my @tmprng = split(/\:/,$prt); + unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } + unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } + } + } + } else { + if ($srcdst eq "src") { + $msg = "$Lang::tr{'reserved src port'}"; + } else { + $msg = "$Lang::tr{'reserved dst port'}"; + } + if ($prt == 67) { $errormessage="$msg 67"; return; } + if ($prt == 68) { $errormessage="$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + if ($prange == $prt) { $errormessage="$msg $prange"; return; } + } + } + } + return; +} + +sub writeserverconf { + my %sovpnsettings = (); + my @temp = (); + &General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings); + &read_routepushfile; + + open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!"; + flock CONF, 2; + print CONF "#OpenVPN Server conf\n"; + print CONF "\n"; + print CONF "daemon 
openvpnserver\n"; + print CONF "writepid /var/run/openvpn.pid\n"; + print CONF "#DAN prepare OpenVPN for listening on blue and orange\n"; + print CONF ";local $sovpnsettings{'VPN_IP'}\n"; + print CONF "dev $sovpnsettings{'DDEVICE'}\n"; + print CONF "proto $sovpnsettings{'DPROTOCOL'}\n"; + print CONF "port $sovpnsettings{'DDEST_PORT'}\n"; + print CONF "script-security 3 system\n"; + print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; + print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; + print CONF "tls-server\n"; + print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n"; + print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n"; + print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n"; + print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n"; + my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); + print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; + #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; + + # Check if we are using mssfix, fragment or mtu-disc and set the corretct mtu of 1500. + # If we doesn't use one of them, we can use the configured mtu value. + if ($sovpnsettings{'MSSFIX'} eq 'on') + { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') + { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) + { print CONF "$sovpnsettings{'DDEVICE'}-mtu 1500\n"; } + else + { print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n"; } + + if ($vpnsettings{'ROUTES_PUSH'} ne '') { + @temp = split(/\n/,$vpnsettings{'ROUTES_PUSH'}); + foreach (@temp) + { + @tempovpnsubnet = split("\/",&General::ipcidr2msk($_)); + print CONF "push \"route " . $tempovpnsubnet[0]. " " . $tempovpnsubnet[1] . 
"\"\n"; + } + } +# a.marx ccd + my %ccdconfhash=(); + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + my $a=$ccdconfhash{$key}[1]; + my ($b,$c) = split (/\//, $a); + print CONF "route $b ".&General::cidrtosub($c)."\n"; + } + my %ccdroutehash=(); + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){ + my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]); + print CONF "route $a $b\n"; + } + } +# ccd end + + if ($sovpnsettings{CLIENT2CLIENT} eq 'on') { + print CONF "client-to-client\n"; + } + if ($sovpnsettings{MSSFIX} eq 'on') { + print CONF "mssfix\n"; + } + if ($sovpnsettings{FRAGMENT} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp') { + print CONF "fragment $sovpnsettings{'FRAGMENT'}\n"; + } + + # Check if a valid operating mode has been choosen and use it. + if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || + ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) { + print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n"; + } + + if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) { + print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n"; + } + print CONF "status-version 1\n"; + print CONF "status /var/log/ovpnserver.log 30\n"; + print CONF "cipher $sovpnsettings{DCIPHER}\n"; + if ($sovpnsettings{DCOMPLZO} eq 'on') { + print CONF "comp-lzo\n"; + } + if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') { + print CONF "push \"redirect-gateway def1\"\n"; + } + if ($sovpnsettings{DHCP_DOMAIN} ne '') { + print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n"; + } + + if ($sovpnsettings{DHCP_DNS} ne '') { + print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n"; + } + + if ($sovpnsettings{DHCP_WINS} ne '') { + print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n"; + } + 
+ if ($sovpnsettings{DHCP_WINS} eq '') { + print CONF "max-clients 100\n"; + } + if ($sovpnsettings{DHCP_WINS} ne '') { + print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n"; + } + print CONF "tls-verify /var/ipfire/ovpn/verify\n"; + print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n"; + print CONF "user nobody\n"; + print CONF "group nobody\n"; + print CONF "persist-key\n"; + print CONF "persist-tun\n"; + if ($sovpnsettings{LOG_VERB} ne '') { + print CONF "verb $sovpnsettings{LOG_VERB}\n"; + } else { + print CONF "verb 3\n"; + } + print CONF "\n"; + + close(CONF); +} + +sub emptyserverlog{ + if (open(FILE, ">/var/log/ovpnserver.log")) { + flock FILE, 2; + print FILE ""; + close FILE; + } + +} + +sub delccdnet +{ + my %ccdconfhash = (); + my %ccdhash = (); + my $ccdnetname=$_[0]; + if (-f "${General::swroot}/ovpn/ovpnconfig"){ + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[32] eq $ccdnetname) { + $errormessage=$Lang::tr{'ccd err hostinnet'}; + return; + } + } + } + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + if ($ccdconfhash{$key}[0] eq $ccdnetname){ + delete $ccdconfhash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + + &writeserverconf; + return 0; +} + +sub addccdnet +{ + my %ccdconfhash=(); + my @ccdconf=(); + my $ccdname=$_[0]; + my $ccdnet=$_[1]; + my $ovpnsubnet=$_[2]; + my $subcidr; + my @ip2=(); + my $checkup; + my $ccdip; + my $baseaddress; + + + #check name + if ($ccdname eq '') + { + $errormessage=$errormessage.$Lang::tr{'ccd err name'}."
"; + return + } + + if(!&General::validhostname($ccdname)) + { + $errormessage=$Lang::tr{'ccd err invalidname'}; + return; + } + + ($ccdip,$subcidr) = split (/\//,$ccdnet); + $subcidr=&General::iporsubtocidr($subcidr); + #check subnet + if ($subcidr > 30) + { + $errormessage=$Lang::tr{'ccd err invalidnet'}; + return; + } + #check ip + if (!&General::validipandmask($ccdnet)){ + $errormessage=$Lang::tr{'ccd err invalidnet'}; + return; + } + + + #check if we try to use same network as ovpn server + if (&General::iporsubtocidr($ccdnet) eq &General::iporsubtocidr($ovpnsubnet)) { + $errormessage=$errormessage.$Lang::tr{'ccd err isovpnnet'}."
"; + } + + #check if we use a name/subnet that already exists + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + @ccdconf=split(/\//,$ccdconfhash{$key}[1]); + if ($ccdname eq $ccdconfhash{$key}[0]) {$errormessage=$errormessage.$Lang::tr{'ccd err nameexist'}."
";} + my ($newip,$newsub) = split(/\//,$ccdnet); + if (&General::IpInSubnet($newip,$ccdconf[0],&General::iporsubtodec($ccdconf[1]))) {$errormessage=$errormessage.$Lang::tr{'ccd err issubnet'}."
";} + + } + #check if we use one of ipfire's networks (green,orange,blue) + my %ownnet=(); + &General::readhash("${General::swroot}/ethernet/settings", \%ownnet); + if (($ownnet{'GREEN_NETADDRESS'} ne '' && $ownnet{'GREEN_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ownnet{'GREEN_NETADDRESS'},$ccdip,&General::iporsubtodec($subcidr))){ $errormessage=$Lang::tr{'ccd err green'};} + if (($ownnet{'ORANGE_NETADDRESS'} ne '' && $ownnet{'ORANGE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ownnet{'ORANGE_NETADDRESS'},$ccdip,&General::iporsubtodec($subcidr))){ $errormessage=$Lang::tr{'ccd err orange'};} + if (($ownnet{'BLUE_NETADDRESS'} ne '' && $ownnet{'BLUE_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ownnet{'BLUE_NETADDRESS'},$ccdip,&General::iporsubtodec($subcidr))){ $errormessage=$Lang::tr{'ccd err blue'};} + if (($ownnet{'RED_NETADDRESS'} ne '' && $ownnet{'RED_NETADDRESS'} ne '0.0.0.0') && &General::IpInSubnet($ownnet{'RED_NETADDRESS'},$ccdip,&General::iporsubtodec($subcidr))){ $errormessage=$Lang::tr{'ccd err red'};} + + + if (!$errormessage) { + my %ccdconfhash=(); + $baseaddress=&General::getnetworkip($ccdip,$subcidr); + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + my $key = &General::findhasharraykey (\%ccdconfhash); + foreach my $i (0 .. 
1) { $ccdconfhash{$key}[$i] = "";} + $ccdconfhash{$key}[0] = $ccdname; + $ccdconfhash{$key}[1] = $baseaddress."/".$subcidr; + &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + &writeserverconf; + $cgiparams{'ccdname'}=''; + $cgiparams{'ccdsubnet'}=''; + return 1; + } +} + +sub modccdnet +{ + + my $newname=$_[0]; + my $oldname=$_[1]; + my %ccdconfhash=(); + my %ccdhash=(); + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + if ($ccdconfhash{$key}[0] eq $oldname) { + foreach my $key1 (keys %ccdconfhash) { + if ($ccdconfhash{$key1}[0] eq $newname){ + $errormessage=$errormessage.$Lang::tr{'ccd err netadrexist'}; + return; + }else{ + $ccdconfhash{$key}[0]= $newname; + &General::writehasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + last; + } + } + } + } + + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[32] eq $oldname) { + $ccdhash{$key}[32]=$newname; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + last; + } + } + + return 0; +} +sub ccdmaxclients +{ + my $ccdnetwork=$_[0]; + my @octets=(); + my @subnet=(); + @octets=split("\/",$ccdnetwork); + @subnet= split /\./, &General::cidrtosub($octets[1]); + my ($a,$b,$c,$d,$e); + $a=256-$subnet[0]; + $b=256-$subnet[1]; + $c=256-$subnet[2]; + $d=256-$subnet[3]; + $e=($a*$b*$c*$d)/4; + return $e-1; +} + +sub getccdadresses +{ + my $ipin=$_[0]; + my ($ip1,$ip2,$ip3,$ip4)=split /\./, $ipin; + my $cidr=$_[1]; + chomp($cidr); + my $count=$_[2]; + my $hasip=$_[3]; + chomp($hasip); + my @iprange=(); + my %ccdhash=(); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; + for (my $i=0;$i<=$count-1;$i++) { + my $tmpip=$iprange[$i-1]; + my $stepper=$i*4; + $iprange[$i]= &General::getnextip($tmpip,4); + } + my $r=0; + foreach my $key (keys %ccdhash) { 
+ $r=0; + foreach my $tmp (@iprange){ + my ($net,$sub) = split (/\//,$ccdhash{$key}[33]); + if ($net eq $tmp) { + if ( $hasip ne $ccdhash{$key}[33] ){ + splice (@iprange,$r,1); + } + } + $r++; + } + } + return @iprange; +} + +sub fillselectbox +{ + my $boxname=$_[1]; + my ($ccdip,$subcidr) = split("/",$_[0]); + my $tz=$_[2]; + my @allccdips=&getccdadresses($ccdip,$subcidr,&ccdmaxclients($ccdip."/".$subcidr),$tz); + print""; +} + +sub hostsinnet +{ + my $name=$_[0]; + my %ccdhash=(); + my $i=0; + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); + foreach my $key (keys %ccdhash) { + if ($ccdhash{$key}[32] eq $name){ $i++;} + } + return $i; +} + +sub check_routes_push +{ + my $val=$_[0]; + my ($ip,$cidr) = split (/\//, $val); + ##check for existing routes in routes_push + if (-e "${General::swroot}/ovpn/routes_push") { + open(FILE,"${General::swroot}/ovpn/routes_push"); + while () { + $_=~s/\s*$//g; + + my ($ip2,$cidr2) = split (/\//,"$_"); + my $val2=$ip2."/".&General::iporsubtodec($cidr2); + + if($val eq $val2){ + return 0; + } + #subnetcheck + if (&General::IpInSubnet ($ip,$ip2,&General::iporsubtodec($cidr2))){ + return 0; + } + }; + close(FILE); + } + return 1; +} + +sub check_ccdroute +{ + my %ccdroutehash=(); + my $val=$_[0]; + my ($ip,$cidr) = split (/\//, $val); + #check for existing routes in ccdroute + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + foreach my $i (1 .. 
$#{$ccdroutehash{$key}}) { + if (&General::iporsubtodec($val) eq $ccdroutehash{$key}[$i] && $ccdroutehash{$key}[0] ne $cgiparams{'NAME'}){ + return 0; + } + my ($ip2,$cidr2) = split (/\//,$ccdroutehash{$key}[$i]); + #subnetcheck + if (&General::IpInSubnet ($ip,$ip2,$cidr2)&& $ccdroutehash{$key}[0] ne $cgiparams{'NAME'} ){ + return 0; + } + } + } + return 1; +} +sub check_ccdconf +{ + my %ccdconfhash=(); + my $val=$_[0]; + my ($ip,$cidr) = split (/\//, $val); + #check for existing routes in ccdroute + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + foreach my $key (keys %ccdconfhash) { + if (&General::iporsubtocidr($val) eq $ccdconfhash{$key}[1]){ + return 0; + } + my ($ip2,$cidr2) = split (/\//,$ccdconfhash{$key}[1]); + #subnetcheck + if (&General::IpInSubnet ($ip,$ip2,&General::cidrtosub($cidr2))){ + return 0; + } + + } + return 1; +} + +### +# m.a.d net2net +### + +sub validdotmask +{ + my $ipdotmask = $_[0]; + if (&General::validip($ipdotmask)) { return 0; } + if (!($ipdotmask =~ /^(.*?)\/(.*?)$/)) { } + my $mask = $2; + if (($mask =~ /\./ )) { return 0; } + return 1; +} + +# ------------------------------------------------------------------- + +sub write_routepushfile +{ + open(FILE, ">$routes_push_file"); + flock(FILE, 2); + if ($vpnsettings{'ROUTES_PUSH'} ne '') { + print FILE $vpnsettings{'ROUTES_PUSH'}; + } + close(FILE); +} + +sub read_routepushfile +{ + if (-e "$routes_push_file") { + open(FILE,"$routes_push_file"); + delete $vpnsettings{'ROUTES_PUSH'}; + while () { $vpnsettings{'ROUTES_PUSH'} .= $_ }; + close(FILE); + $cgiparams{'ROUTES_PUSH'} = $vpnsettings{'ROUTES_PUSH'}; + + } +} + + +#hier die refresh page +if ( -e "${General::swroot}/ovpn/gencanow") { + my $refresh = ''; + $refresh = ""; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'OVPN'}, 1, $refresh); + &Header::openbigbox('100%', 'center'); + &Header::openbox('100%', 'left', "$Lang::tr{'generate root/host certificates'}:"); + print "\n\n"; + print 
"Please be patient this realy can take some time on older hardware...\n"; + &Header::closebox(); + &Header::closebigbox(); + &Header::closepage(); + exit (0); +} +##hier die refresh page + ### ### OpenVPN Server Control @@ -73,30 +814,22 @@ $cgiparams{'DCOMPLZO'} = 'off'; if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} || $cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'} || $cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) { - my $serveractive = `/bin/ps ax|grep server.conf|grep -v grep|awk \'{print \$1}\'`; #start openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){ - &Ovpnfunc::emptyserverlog(); + &emptyserverlog(); system('/usr/local/bin/openvpnctrl', '-s'); } #stop openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){ - if ($serveractive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $serveractive); - } system('/usr/local/bin/openvpnctrl', '-k'); - &Ovpnfunc::emptyserverlog(); + &emptyserverlog(); } # #restart openvpn server - if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){ +# if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}){ #workarund, till SIGHUP also works when running as nobody - if ($serveractive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $serveractive); - } - system('/usr/local/bin/openvpnctrl', '-k'); - &Ovpnfunc::emptyserverlog(); - system('/usr/local/bin/openvpnctrl', '-s'); - } +# system('/usr/local/bin/openvpnctrl', '-r'); +# &emptyserverlog(); +# } } ### 
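Review bot: In `newcleanssldatabase` the serial path is misspelled — `open(FILE, ">${General::swroot}(ovpn/certs/serial")` has `(` where `/` belongs and the open is unchecked, so the serial counter is never reseeded when the file is empty; the following `-s ">${General::swroot}/ovpn/certs/index.txt"` tests a filename that begins with `>`, which never exists, so index.txt is re-touched on every call. Both should read `open(FILE, ">${General::swroot}/ovpn/certs/serial") or return;` and `if (! -s "${General::swroot}/ovpn/certs/index.txt") {`. Two related slips: in `writeserverconf` the `max-clients` directive is chosen by whether `DHCP_WINS` is empty rather than by `MAX_CLIENTS`, and `validdotmask` reads `$2` after a regex whose no-match branch is an empty block, so a stale capture from an earlier match can decide the result. The hunk also relies on bareword handles and unchecked two-argument `open` in `write_routepushfile`, `check_routes_push` and `deletebackupcert`; a lexical three-argument `open ... or die` would match what `writeserverconf` already does for server.conf.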
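Review bot: The restart branch is now commented out instead of removed or fixed, so selecting `$Lang::tr{'restart ovpn server'}` still passes the outer `if` and then does nothing. If `openvpnctrl -r` is the intended replacement as the commented code suggests, the branch should be live: `if ($cgiparams{'ACTION'} eq $Lang::tr{'restart ovpn server'}) { system('/usr/local/bin/openvpnctrl', '-r'); &emptyserverlog(); }`; otherwise the restart action should be dropped from the dispatcher so the UI does not offer a button that silently no-ops. Removing the `ps ax|grep server.conf|...` backtick pipeline and keeping only list-form `system` calls is the right direction — no shell is involved in the remaining start/stop paths.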
@@ -117,33 +850,36 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'}; $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; - #additional push route - $vpnsettings{'AD_ROUTE1'} = $cgiparams{'AD_ROUTE1'}; - $vpnsettings{'AD_ROUTE2'} = $cgiparams{'AD_ROUTE2'}; - $vpnsettings{'AD_ROUTE3'} = $cgiparams{'AD_ROUTE3'}; - #additional push route - - ################################################################################# - # Added by Philipp Jenni # - # # - # Contact: philipp.jenni-at-gmx.ch # - # Date: 2006-04-22 # - # Description: Add the FAST-IO Parameter from OpenVPN to the Zerina Config # - # Add the NICE Parameter from OpenVPN to the Zerina Config # - # Add the MTU-DISC Parameter from OpenVPN to the Zerina Config # - # Add the MSSFIX Parameter from OpenVPN to the Zerina Config # - # Add the FRAMGMENT Parameter from OpenVPN to the Zerina Config # - ################################################################################# - $vpnsettings{'EXTENDED_FASTIO'} = $cgiparams{'EXTENDED_FASTIO'}; - $vpnsettings{'EXTENDED_NICE'} = $cgiparams{'EXTENDED_NICE'}; - $vpnsettings{'EXTENDED_MTUDISC'} = $cgiparams{'EXTENDED_MTUDISC'}; - $vpnsettings{'EXTENDED_MSSFIX'} = $cgiparams{'EXTENDED_MSSFIX'}; - $vpnsettings{'EXTENDED_FRAGMENT'} = $cgiparams{'EXTENDED_FRAGMENT'}; - ################################################################################# - # End of Inserted Data # - ################################################################################# - + $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; + $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; + my @temp=(); + if ($cgiparams{'FRAGMENT'} eq '') { + delete $vpnsettings{'FRAGMENT'}; + } else { + if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) { + $errormessage = "Incorrect value, please insert only numbers."; + goto ADV_ERROR; + } else { + $vpnsettings{'FRAGMENT'} = 
$cgiparams{'FRAGMENT'}; + } + } + if ($cgiparams{'MSSFIX'} ne 'on') { + delete $vpnsettings{'MSSFIX'}; + } else { + $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; + } + + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { + + if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) { + $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; + goto ADV_ERROR; + } + } + if ($cgiparams{'DHCP_DOMAIN'} ne ''){ unless (&General::validfqdn($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) { $errormessage = $Lang::tr{'invalid input for dhcp domain'}; 
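Review bot: The FRAGMENT check `if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/)` lets a trailing newline through, because `$` also matches before a final `\n`; `\A[0-9]+\z` pins the whole value. Its error text `"Incorrect value, please insert only numbers."` is the only untranslated message in this handler — the neighbouring checks use `$Lang::tr{...}`. In the visible lines `PMTU_DISCOVERY` is copied into `%vpnsettings` without being checked against the three accepted values (`yes`/`maybe`/`no`), so an unexpected value is persisted even though `writeserverconf` later ignores it; rejecting it here, as the mssfix/fragment combination already is, keeps the settings file clean. The `save-adv-options` handler continues outside the hunk.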
@@ -159,28 +895,59 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { if ($cgiparams{'DHCP_WINS'} ne ''){ unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) { $errormessage = $Lang::tr{'invalid input for dhcp wins'}; - goto ADV_ERROR; + goto ADV_ERROR; } } - if ($cgiparams{'AD_ROUTE1'} ne ''){ - if (! &General::validipandmask($cgiparams{'AD_ROUTE1'})) { - $errormessage = $Lang::tr{'route subnet is invalid'}; - goto ADV_ERROR; - } - } - if ($cgiparams{'AD_ROUTE2'} ne ''){ - if (! &General::validipandmask($cgiparams{'AD_ROUTE2'})) { - $errormessage = $Lang::tr{'route subnet is invalid'}; - goto ADV_ERROR; - } - } - if ($cgiparams{'AD_ROUTE3'} ne ''){ - if (! &General::validipandmask($cgiparams{'AD_ROUTE3'})) { - $errormessage = $Lang::tr{'route subnet is invalid'}; - goto ADV_ERROR; + if ($cgiparams{'ROUTES_PUSH'} ne ''){ + @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'}); + undef $vpnsettings{'ROUTES_PUSH'}; + + foreach my $tmpip (@temp) + { + s/^\s+//g; s/\s+$//g; + + if ($tmpip) + { + $tmpip=~s/\s*$//g; + unless (&General::validipandmask($tmpip)) { + $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'}; + goto ADV_ERROR; + } + my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip)); + + if ($ip eq $netsettings{'GREEN_NETADDRESS'} && $cidr eq $netsettings{'GREEN_NETMASK'}) { + $errormessage = $Lang::tr{'ovpn errmsg green already pushed'}; + goto ADV_ERROR; + } +# a.marx ccd + my %ccdroutehash=(); + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + foreach my $i (1 .. $#{$ccdroutehash{$key}}) { + if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){ + $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." 
$ccdroutehash{$key}[0]" ; + goto ADV_ERROR; + } + my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]); + if (&General::IpInSubnet ($ip,$ip2,$cidr2)){ + $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ; + goto ADV_ERROR; + } + } + } + +# ccd end + + $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n"; } } - + &write_routepushfile; + undef $vpnsettings{'ROUTES_PUSH'}; + } + else { + undef $vpnsettings{'ROUTES_PUSH'}; + &write_routepushfile; + } if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 255 )) { $errormessage = $Lang::tr{'invalid input for max clients'}; goto ADV_ERROR; 
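Review bot: Inside `foreach my $tmpip (@temp)` the two substitutions `s/^\s+//g; s/\s+$//g;` operate on `$_`, not on `$tmpip`, so they trim nothing from the route entry and clobber whatever `$_` held; they should be `$tmpip =~ s/^\s+//; $tmpip =~ s/\s+$//;`, after which the later `$tmpip=~s/\s*$//g` is redundant. The validation itself is sound as far as it is visible: each entry goes through `General::validipandmask`, the green network is rejected, and overlaps with `ccdroute` entries are checked before anything is persisted. One thing worth a comment rather than a fix: a `goto ADV_ERROR` mid-loop leaves `%vpnsettings{'ROUTES_PUSH'}` partially rebuilt, which is harmless only because the error path never reaches `write_routepushfile`. The `save-adv-options` handler begins before this hunk.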
@@ -203,47 +970,258 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { } &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); - &Ovpnfunc::writeserverconf();#hier ok + &writeserverconf();#hier ok +} + +### +# m.a.d net2net +### + +if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'server') +{ + +my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'}); +my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'}); +my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]"; +my $tunmtu = ''; + +unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";} +unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";} + + open(SERVERCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!"; + + flock SERVERCONF, 2; + print SERVERCONF "# IPFire n2n Open VPN Server Config by ummeegge und m.a.d\n"; + print SERVERCONF "\n"; + print SERVERCONF "# User Security\n"; + print SERVERCONF "user nobody\n"; + print SERVERCONF "group nobody\n"; + print SERVERCONF "persist-tun\n"; + print SERVERCONF "persist-key\n"; + print SERVERCONF "script-security 2\n"; + print SERVERCONF "# IP/DNS for remote Server Gateway\n"; + print SERVERCONF "remote $cgiparams{'REMOTE'}\n"; + print SERVERCONF "float\n"; + print SERVERCONF "# IP adresses of the VPN Subnet\n"; + print SERVERCONF "ifconfig $ovsubnet.1 $ovsubnet.2\n"; + print SERVERCONF "# Client Gateway Network\n"; + print SERVERCONF "route $remsubnet[0] $remsubnet[1]\n"; + print SERVERCONF "# tun Device\n"; + print SERVERCONF "dev tun\n"; + print SERVERCONF "# Port and Protokol\n"; + print SERVERCONF "port $cgiparams{'DEST_PORT'}\n"; + + if 
($cgiparams{'PROTOCOL'} eq 'tcp') { + print SERVERCONF "proto tcp-server\n"; + print SERVERCONF "# Packet size\n"; + if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}}; + print SERVERCONF "tun-mtu $tunmtu\n"; + } + + if ($cgiparams{'PROTOCOL'} eq 'udp') { + print SERVERCONF "proto udp\n"; + print SERVERCONF "# Paketsize\n"; + if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}}; + print SERVERCONF "tun-mtu $tunmtu\n"; + if ($cgiparams{'FRAGMENT'} ne '') {print SERVERCONF "fragment $cgiparams{'FRAGMENT'}\n";} + if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; }; + } + + # Check if a valid operating mode has been choosen and use it. + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { + if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { + if($cgiparams{'MTU'} eq '1500') { + print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; + } + } + } + print SERVERCONF "# Auth. 
Server\n"; + print SERVERCONF "tls-server\n"; + print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; + print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; + print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; + print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print SERVERCONF "# Cipher\n"; + print SERVERCONF "cipher AES-256-CBC\n"; + if ($cgiparams{'COMPLZO'} eq 'on') { + print SERVERCONF "# Enable Compression\n"; + print SERVERCONF "comp-lzo\r\n"; + } + print SERVERCONF "# Debug Level\n"; + print SERVERCONF "verb 3\n"; + print SERVERCONF "# Tunnel check\n"; + print SERVERCONF "keepalive 10 60\n"; + print SERVERCONF "# Start as daemon\n"; + print SERVERCONF "daemon $cgiparams{'NAME'}n2n\n"; + print SERVERCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n"; + print SERVERCONF "# Activate Management Interface and Port\n"; + if ($cgiparams{'OVPN_MGMT'} eq '') {print SERVERCONF "management localhost $cgiparams{'DEST_PORT'}\n"} + else {print SERVERCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"}; + close(SERVERCONF); + } +### +# m.a.d net2net +### + +if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq 'net' && $cgiparams{'SIDE'} eq 'client') +{ + my @ovsubnettemp = split(/\./,$cgiparams{'OVPN_SUBNET'}); + my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]"; + my @remsubnet = split(/\//,$cgiparams{'REMOTE_SUBNET'}); + my $tunmtu = ''; + +unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";} +unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}", 0770 or die "Unable to create dir $!";} + + open(CLIENTCONF, ">${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf: $!"; + + flock CLIENTCONF, 2; + print CLIENTCONF 
"# IPFire rewritten n2n Open VPN Client Config by ummeegge und m.a.d\n"; + print CLIENTCONF "#\n"; + print CLIENTCONF "# User Security\n"; + print CLIENTCONF "user nobody\n"; + print CLIENTCONF "group nobody\n"; + print CLIENTCONF "persist-tun\n"; + print CLIENTCONF "persist-key\n"; + print CLIENTCONF "script-security 2\n"; + print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; + print CLIENTCONF "remote $cgiparams{'REMOTE'}\n"; + print CLIENTCONF "float\n"; + print CLIENTCONF "# IP adresses of the VPN Subnet\n"; + print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; + print CLIENTCONF "# Server Gateway Network\n"; + print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; + print CLIENTCONF "# tun Device\n"; + print CLIENTCONF "dev tun\n"; + print CLIENTCONF "# Port and Protokol\n"; + print CLIENTCONF "port $cgiparams{'DEST_PORT'}\n"; + + if ($cgiparams{'PROTOCOL'} eq 'tcp') { + print CLIENTCONF "proto tcp-client\n"; + print CLIENTCONF "# Packet size\n"; + if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}}; + print CLIENTCONF "tun-mtu $tunmtu\n"; + } + + if ($cgiparams{'PROTOCOL'} eq 'udp') { + print CLIENTCONF "proto udp\n"; + print CLIENTCONF "# Paketsize\n"; + if ($cgiparams{'MTU'} eq '') {$tunmtu = '1500'} else {$tunmtu = $cgiparams{'MTU'}}; + print CLIENTCONF "tun-mtu $tunmtu\n"; + if ($cgiparams{'FRAGMENT'} ne '') {print CLIENTCONF "fragment $cgiparams{'FRAGMENT'}\n";} + if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; }; + } + + # Check if a valid operating mode has been choosen and use it. + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || + ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { + if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) { + if ($cgiparams{'MTU'} eq '1500') { + print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n"; + } + } + } + + print CLIENTCONF "ns-cert-type server\n"; + print CLIENTCONF "# Auth. 
Client\n"; + print CLIENTCONF "tls-client\n"; + print CLIENTCONF "# Cipher\n"; + print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; + if ($cgiparams{'COMPLZO'} eq 'on') { + print CLIENTCONF "# Enable Compression\n"; + print CLIENTCONF "comp-lzo\r\n"; + } + print CLIENTCONF "# Debug Level\n"; + print CLIENTCONF "verb 3\n"; + print CLIENTCONF "# Tunnel check\n"; + print CLIENTCONF "keepalive 10 60\n"; + print CLIENTCONF "# Start as daemon\n"; + print CLIENTCONF "daemon $cgiparams{'NAME'}n2n\n"; + print CLIENTCONF "writepid /var/run/$cgiparams{'NAME'}n2n.pid\n"; + print CLIENTCONF "# Activate Management Interface and Port\n"; + if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"} + else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"}; + close(CLIENTCONF); + +} + ### ### Save main settings ### -if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { + + +if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cgiparams{'KEY'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too, #DAN this value has to leave. 
if ($cgiparams{'ENABLED'} eq 'on'){ unless (&General::validfqdn($cgiparams{'VPN_IP'}) || &General::validip($cgiparams{'VPN_IP'})) { $errormessage = $Lang::tr{'invalid input for hostname'}; - goto SETTINGS_ERROR; + goto SETTINGS_ERROR; } } if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); + &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); } if ($errormessage) { goto SETTINGS_ERROR; } if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); + &checkportfw(0,$cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'},'0.0.0.0'); } if ($errormessage) { goto SETTINGS_ERROR; } if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { - $errormessage = $Lang::tr{'ovpn subnet is invalid'}; - goto SETTINGS_ERROR; - } - my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'DOVPN_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #plausi1 - $errormessage = &Ovpnfunc::ovelapplausi($tmpovpnsubnet[0],$tmpovpnsubnet[1]); - #plausi1 + $errormessage = $Lang::tr{'ovpn subnet is invalid'}; + goto SETTINGS_ERROR; + } + my @tmpovpnsubnet = split("\/",$cgiparams{'DOVPN_SUBNET'}); + + if (&General::IpInSubnet ( $netsettings{'RED_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire RED Network $netsettings{'RED_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} 
IPFire Blue Network $netsettings{'BLUE_ADDRESS'}"; + goto SETTINGS_ERROR; + } + + if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'}, + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}"; + goto SETTINGS_ERROR; + } + open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.'; + while () + { + chomp($_); + my @tempalias = split(/\,/,$_); + if ($tempalias[1] eq 'on') { + if (&General::IpInSubnet ($tempalias[0] , + $tmpovpnsubnet[0], $tmpovpnsubnet[1])) { + $errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]"; + } + } + } + close(ALIASES); if ($errormessage ne ''){ - goto SETTINGS_ERROR; + goto SETTINGS_ERROR; } if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { $errormessage = $Lang::tr{'invalid input'}; @@ -255,17 +1233,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg } unless (&General::validport($cgiparams{'DDEST_PORT'})) { - $errormessage = $Lang::tr{'invalid port'}; - goto SETTINGS_ERROR; + $errormessage = $Lang::tr{'invalid port'}; + goto SETTINGS_ERROR; } - #hhh - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($confighash{$dkey}[14] eq $cgiparams{'DPROTOCOL'} && $confighash{$dkey}[15] eq $cgiparams{'DDEST_PORT'}){ - $errormessage = "Choosed Protocol/Port combination is already used by connection: $confighash{$dkey}[1]"; - goto SETTINGS_ERROR; - } - } - #hhh $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; 
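Review bot: `&disallowreserved(...)` and `&checkportfw(...)` in the main-settings save path are now called in void context, whereas the `&Ovpnfunc::` calls they replace assigned their result to `$errormessage`; unless the local copies set `$errormessage` themselves (not visible here), the following `if ($errormessage) { goto SETTINGS_ERROR; }` can never fire and reserved-port and port-forward conflicts are accepted silently, so restore `$errormessage = &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest");` and likewise for `checkportfw`. In the two net2net writers, `$cgiparams{'NAME'}` goes straight into the `mkdir`/`open` paths and `REMOTE`, `DEST_PORT`, `MTU`, `FRAGMENT` and `OVPN_MGMT` straight into the generated daemon config; no validation is visible in this hunk, so if the handler does not check them earlier a name containing `/` or `..` places the file outside `n2nconf/` and a value containing a newline becomes an additional OpenVPN directive — validate each against an anchored pattern (for example `\A[\w-]+\z` for NAME and `\A\d+\z` for the port and MTU fields) before use. The `open(SERVERCONF, ">...")` / `open(CLIENTCONF, ">...")` calls should be three-arg opens on lexical handles, and `close` is never checked on either write handle, so a full disk leaves a truncated config behind unnoticed. `management localhost ...` is emitted without a password file, so any local process can drive the daemon over that socket; if the management channel is needed, point it at a password file as well.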
@@ -278,9 +1248,14 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; +#wrtie enable + + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");} + if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");} #new settings for daemon &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); - &Ovpnfunc::writeserverconf();#hier ok + &writeserverconf();#hier ok SETTINGS_ERROR: ### ### Reset all step 2 @@ -290,25 +1265,26 @@ SETTINGS_ERROR: &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); foreach my $key (keys %confighash) { - if ($confighash{$key}[4] eq 'cert') { - delete $confighash{$cgiparams{'$key'}}; - } + if ($confighash{$key}[4] eq 'cert') { + delete $confighash{$cgiparams{'$key'}}; + } } while ($file = glob("${General::swroot}/ovpn/ca/*")) { - unlink $file + unlink $file } while ($file = glob("${General::swroot}/ovpn/certs/*")) { - unlink $file + unlink $file } while ($file = glob("${General::swroot}/ovpn/crls/*")) { - unlink $file + unlink $file } - &Ovpnfunc::cleanssldatabase(); + &cleanssldatabase(); if (open(FILE, ">${General::swroot}/ovpn/caconfig")) { print FILE ""; close FILE; } &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); ### ### Reset all step 1 ### 
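Review bot: The three `system("touch ... 2>/dev/null")` / `system("unlink ... 2>/dev/null")` lines added for the enable flags shell out where Perl built-ins do the job, and the `2>/dev/null` redirect discards every failure (a read-only or missing `ovpn/` directory, for instance), so a flag can stay out of step with `%vpnsettings` without any error surfacing. The flag files appear to be empty markers, so creating them with a three-arg `open` and removing them with `unlink` keeps the semantics while avoiding the shell, and the three near-identical lines collapse into one loop. The enclosing main-settings save block starts outside this hunk.
```perl
# … unchanged: copy of DMTU/DCOMPLZO/DCIPHER into %vpnsettings …
my %flagfile_for = (
    ENABLED_BLUE   => 'enable_blue',
    ENABLED_ORANGE => 'enable_orange',
    ENABLED        => 'enable',
);
for my $setting (keys %flagfile_for) {
    my $flag = "${General::swroot}/ovpn/$flagfile_for{$setting}";
    if ($vpnsettings{$setting} eq 'on') {
        open(my $fh, '>', $flag) or die "Unable to create $flag: $!";
        close($fh) or die "Unable to close $flag: $!";
    } else {
        unlink($flag);
    }
}
```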
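Review bot: In the reset step, `delete $confighash{$cgiparams{'$key'}};` uses the single-quoted literal `'$key'` as a CGI parameter name, so it looks up an undefined value and deletes `$confighash{''}` instead of the entry being iterated; cert-type connections therefore survive the reset and are written back by the `writehasharray` call that follows, while their files under `ovpn/certs/` have already been unlinked. The line was only re-indented by this commit, but the intent is clearly `delete $confighash{$key};`. Deleting the current key inside `foreach my $key (keys %confighash)` is safe, since `keys` hands the loop a copy of the key list.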
@@ -355,34 +1331,34 @@ END # Check if there is no other entry with this name foreach my $key (keys %cahash) { - if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { - $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; - goto UPLOADCA_ERROR; - } + if ($cahash{$key}[0] eq $cgiparams{'CA_NAME'}) { + $errormessage = $Lang::tr{'a ca certificate with this name already exists'}; + goto UPLOADCA_ERROR; + } } if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto UPLOADCA_ERROR; + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; } # Move uploaded ca to a temporary file (my $fh, my $filename) = tempfile( ); if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto UPLOADCA_ERROR; + $errormessage = $!; + goto UPLOADCA_ERROR; } my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { - $errormessage = $Lang::tr{'not a valid ca certificate'}; - unlink ($filename); - goto UPLOADCA_ERROR; + if ($temp !~ /CA:TRUE/i) { + $errormessage = $Lang::tr{'not a valid ca certificate'}; + unlink ($filename); + goto UPLOADCA_ERROR; } else { - move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } + move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } } my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`; 
@@ -396,13 +1372,33 @@ END $cahash{$key}[0] = $cgiparams{'CA_NAME'}; $cahash{$key}[1] = $casubject; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); +# system('/usr/local/bin/ipsecctrl', 'R'); + UPLOADCA_ERROR: ### ### Display ca certificate ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show ca certificate'}) { - &Ovpnfunc::displayca($cgiparams{'KEY'}); + &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); + + if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', $errormessage); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } else { + $errormessage = $Lang::tr{'invalid key'}; + } + ### ### Download ca certificate ### @@ -429,15 +1425,22 @@ END foreach my $key (keys %confighash) { my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; if ($test =~ /: OK/) { + # Delete connection +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $key); +# } unlink ("${General::swroot}/ovpn//certs/$confighash{$key}[1]cert.pem"); unlink ("${General::swroot}/ovpn/certs/$confighash{$key}[1].p12"); delete $confighash{$key}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); +# &writeipsecfiles(); } } unlink ("${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); delete $cahash{$cgiparams{'KEY'}}; &General::writehasharray("${General::swroot}/ovpn/caconfig", \%cahash); +# system('/usr/local/bin/ipsecctrl', 'R'); } else { $errormessage = $Lang::tr{'invalid key'}; } 
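Review bot: The CA display builds a shell command by interpolating `$cahash{$cgiparams{'KEY'}}[0]` into backticks; the preceding `-f` test confirms the file exists but does not stop a CA name containing shell metacharacters from being interpreted by `/bin/sh`, and whether `CA_NAME` is restricted at upload time is not visible here. The list-form pipe open avoids the shell entirely: `my $cafile = "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"; open(my $ossl, '-|', '/usr/bin/openssl', 'x509', '-text', '-in', $cafile) or die "openssl: $!"; my $output = do { local $/; <$ossl> };` followed by `close($ossl)`. Passing the result through `&Header::cleanhtml` before printing is the right call and should stay.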
@@ -489,8 +1492,27 @@ END ### ### Display root certificate ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - &Ovpnfunc::displayroothost($cgiparams{'ACTION'}); +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || + $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { + my $output; + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { + &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + } else { + &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:"); + $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + } + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + ### ### Download root certificate ### @@ -718,7 +1740,7 @@ END (my $state = $cgiparams{'ROOTCERT_STATE'}) =~ s/^\s*$/\./; # refresh - #system ('/usr/bin/touch', "${General::swroot}/ovpn/gencanow"); + #system ('/bin/touch', "${General::swroot}/ovpn/gencanow"); # Create the CA certificate my $pid = open(OPENSSL, "|-"); @@ -799,11 +1821,11 @@ END unlink ("${General::swroot}/ovpn/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); unlink ("${General::swroot}/ovpn/certs/servercert.pem"); - &Ovpnfunc::newcleanssldatabase(); + &newcleanssldatabase(); goto ROOTCERT_ERROR; } else { unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); - &Ovpnfunc::deletebackupcert(); + &deletebackupcert(); } # Create an empty CRL @@ -816,8 +1838,10 @@ END unlink ("${General::swroot}/ovpn/certs/servercert.pem"); unlink ("${General::swroot}/ovpn/ca/cacert.pem"); unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); - &Ovpnfunc::cleanssldatabase(); + &cleanssldatabase(); goto ROOTCERT_ERROR; +# } else { +# &cleanssldatabase(); } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', @@ -830,8 +1854,10 @@ END unlink ("${General::swroot}/ovpn/ca/cacert.pem"); unlink ("${General::swroot}/ovpn/crls/cacrl.pem"); unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); - &Ovpnfunc::cleanssldatabase(); + &cleanssldatabase(); goto ROOTCERT_ERROR; +# } else { +# &cleanssldatabase(); } goto ROOTCERT_SUCCESS; } 
@@ -916,63 +1942,176 @@ END ROOTCERT_SUCCESS: system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem"); +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLE_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S'); +# } ### ### Enable/Disable connection ### + +### +# m.a.d net2net +### + }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { + + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); +# my $n2nactive = ''; + my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1]|grep -v grep|awk \'{print \$1}\'`; + if ($confighash{$cgiparams{'KEY'}}) { - my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1].conf|grep -v grep|awk \'{print \$1}\'`; if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { $confighash{$cgiparams{'KEY'}}[0] = 'on'; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($n2nactive eq ''){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } else { - system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive); - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } + + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ + system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + } } else { + $confighash{$cgiparams{'KEY'}}[0] = 'off'; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive); - } - } - } else { - $errormessage = $Lang::tr{'invalid key'}; - } + + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ + if ($n2nactive ne ''){ + system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + } + + } else { + $errormessage = $Lang::tr{'invalid key'}; + } + } + } ### ### Download OpenVPN client package ### + + } elsif ($cgiparams{'ACTION'} eq 
$Lang::tr{'dl client arch'}) { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); my $file = ''; my $clientovpn = ''; my @fileholder; - my $uhost3 = ''; - my $uhost = `/bin/uname -n`; - if ($uhost ne '') { - my @uhost2 = split /\./, $uhost; - $uhost3 = $uhost2[0]; - } else { - $uhost3 = "IPFire"; - } my $tempdir = tempdir( CLEANUP => 1 ); my $zippath = "$tempdir/"; - my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-$uhost3.zip"; - my $zippathname = "$zippath$zipname"; - #anna - if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - $zerinaclient = 'true'; - &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient); - exit(0); - } - $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-$uhost3.ovpn"; - open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $clientovpn $!"; + +### +# m.a.d net2net +### + +if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ + + my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-Client.zip"; + my $zippathname = "$zippath$zipname"; + $clientovpn = "$confighash{$cgiparams{'KEY'}}[1].conf"; + my @ovsubnettemp = split(/\./,$confighash{$cgiparams{'KEY'}}[27]); + my $ovsubnet = "$ovsubnettemp[0].$ovsubnettemp[1].$ovsubnettemp[2]"; + my $tunmtu = ''; + my @remsubnet = split(/\//,$confighash{$cgiparams{'KEY'}}[8]); + my $n2nfragment = ''; + + open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!"; + flock CLIENTCONF, 2; + + my $zip = Archive::Zip->new(); + print CLIENTCONF "# IPFire n2n Open VPN Client Config by ummeegge und m.a.d\n"; + print CLIENTCONF "# \n"; + print CLIENTCONF "# User Security\n"; + print CLIENTCONF "user nobody\n"; + print CLIENTCONF "group nobody\n"; + print CLIENTCONF "persist-tun\n"; + print CLIENTCONF "persist-key\n"; + print CLIENTCONF "script-security 2\n"; + print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; + print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n"; + print 
CLIENTCONF "float\n"; + print CLIENTCONF "# IP adresses of the VPN Subnet\n"; + print CLIENTCONF "ifconfig $ovsubnet.2 $ovsubnet.1\n"; + print CLIENTCONF "# Server Gateway Network\n"; + print CLIENTCONF "route $remsubnet[0] $remsubnet[1]\n"; + print CLIENTCONF "# tun Device\n"; + print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\n"; + print CLIENTCONF "# Port and Protokoll\n"; + print CLIENTCONF "port $confighash{$cgiparams{'KEY'}}[29]\n"; + + if ($confighash{$cgiparams{'KEY'}}[28] eq 'tcp') { + print CLIENTCONF "proto tcp-client\n"; + print CLIENTCONF "# Packet size\n"; + if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1400'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; + print CLIENTCONF "tun-mtu $tunmtu\n"; + } + + if ($confighash{$cgiparams{'KEY'}}[28] eq 'udp') { + print CLIENTCONF "proto udp\n"; + print CLIENTCONF "# Paketsize\n"; + if ($confighash{$cgiparams{'KEY'}}[31] eq '') {$tunmtu = '1500'} else {$tunmtu = $confighash{$cgiparams{'KEY'}}[31]}; + print CLIENTCONF "tun-mtu $tunmtu\n"; + if ($confighash{$cgiparams{'KEY'}}[24] ne '') {print CLIENTCONF "fragment $confighash{$cgiparams{'KEY'}}[24]\n";} + if ($confighash{$cgiparams{'KEY'}}[23] eq 'on') {print CLIENTCONF "mssfix\n";} + } + if (($confighash{$cgiparams{'KEY'}}[38] eq 'yes') || + ($confighash{$cgiparams{'KEY'}}[38] eq 'maybe') || + ($confighash{$cgiparams{'KEY'}}[38] eq 'no' )) { + if (($confighash{$cgiparams{'KEY'}}[23] ne 'on') || ($confighash{$cgiparams{'KEY'}}[24] eq '')) { + if ($tunmtu eq '1500' ) { + print CLIENTCONF "mtu-disc $confighash{$cgiparams{'KEY'}}[38]\n"; + } + } + } + print CLIENTCONF "ns-cert-type server\n"; + print CLIENTCONF "# Auth. 
Client\n"; + print CLIENTCONF "tls-client\n"; + print CLIENTCONF "# Cipher\n"; + print CLIENTCONF "cipher AES-256-CBC\n"; + if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { + print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + } + if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { + print CLIENTCONF "# Enable Compression\n"; + print CLIENTCONF "comp-lzo\r\n"; + } + print CLIENTCONF "# Debug Level\n"; + print CLIENTCONF "verb 3\n"; + print CLIENTCONF "# Tunnel check\n"; + print CLIENTCONF "keepalive 10 60\n"; + print CLIENTCONF "# Start as daemon\n"; + print CLIENTCONF "daemon $confighash{$cgiparams{'KEY'}}[1]n2n\n"; + print CLIENTCONF "writepid /var/run/$confighash{$cgiparams{'KEY'}}[1]n2n.pid\n"; + print CLIENTCONF "# Activate Management Interface and Port\n"; + if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"} + else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"}; + print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n"; + + + close(CLIENTCONF); + + $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n"; + my $status = $zip->writeToFileNamed($zippathname); + + open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!"; + @fileholder = ; + print "Content-Type:application/x-download\n"; + print "Content-Disposition:attachment;filename=$zipname\n\n"; + print @fileholder; + exit (0); +} +else +{ + my $zipname = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.zip"; + my $zippathname = "$zippath$zipname"; + $clientovpn = "$confighash{$cgiparams{'KEY'}}[1]-TO-IPFire.ovpn"; + +### +# m.a.d net2net 
+### + + open(CLIENTCONF, ">$tempdir/$clientovpn") or die "Unable to open tempfile: $!"; flock CLIENTCONF, 2; my $zip = Archive::Zip->new(); 
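Review bot: In the toggle handler the `ps ax|grep $confighash{$cgiparams{'KEY'}}[1]` backtick now runs before the `if ($confighash{$cgiparams{'KEY'}})` guard, so an unknown key yields a `grep` with an empty pattern, and because that outer `if` lost its `else`, the `invalid key` error is never reported; the `$errormessage = $Lang::tr{'invalid key'}` that was moved inward instead fires whenever a non-`net` connection is switched off. Restoring the guard around the whole body and keeping the `net`-only branches inside it fixes both, as sketched below. The substring `grep` on the connection name also matches any unrelated process whose command line contains that string; the n2n server config written earlier in this diff emits `writepid /var/run/<NAME>n2n.pid`, so reading that pidfile would be a more reliable liveness check. The `dl client arch` download path that follows reuses the two-arg `open(CLIENTCONF, ">...")` with a bareword handle already flagged for the n2n writers.
```perl
} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) {
    &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
    &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);

    if (!$confighash{$cgiparams{'KEY'}}) {
        $errormessage = $Lang::tr{'invalid key'};
    } else {
        my $name = $confighash{$cgiparams{'KEY'}}[1];
        my $n2nactive = `/bin/ps ax|grep $name|grep -v grep|awk \'{print \$1}\'`;
        my $turn_on = ($confighash{$cgiparams{'KEY'}}[0] eq 'off');
        $confighash{$cgiparams{'KEY'}}[0] = $turn_on ? 'on' : 'off';
        &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);

        if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') {
            if ($turn_on) {
                system('/usr/local/bin/openvpnctrl', '-sn2n', $name);
            } elsif ($n2nactive ne '') {
                system('/usr/local/bin/openvpnctrl', '-kn2n', $name);
            }
        }
    }
```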
@@ -980,42 +2119,52 @@ END print CLIENTCONF "#OpenVPN Client conf\r\n"; print CLIENTCONF "tls-client\r\n"; print CLIENTCONF "client\r\n"; + print CLIENTCONF "nobind\n"; print CLIENTCONF "dev $vpnsettings{'DDEVICE'}\r\n"; - if ($vpnsettings{'DPROTOCOL'} eq 'tcp') { - print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}-client\r\n"; - } else { - print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; - } - print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; + print CLIENTCONF "proto $vpnsettings{'DPROTOCOL'}\r\n"; + + # Check if we are using fragment, mssfix or mtu-disc and set MTU to 1500 + # or use configured value. + if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) + { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\n"; } + elsif ($vpnsettings{MSSFIX} eq 'on') + { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\n"; } + elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') || + ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') || + ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) + { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu 1500\n"; } + else + { print CLIENTCONF "$vpnsettings{'DDEVICE'}-mtu $vpnsettings{'DMTU'}\r\n"; } + if ( $vpnsettings{'ENABLED'} eq 'on'){ print CLIENTCONF "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\r\n"; - if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&Ovpnfunc::haveBlueNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n"; - print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; - print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&Ovpnfunc::haveBlueNet())){ - print CLIENTCONF "remote 
$netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; - print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; - } - } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&Ovpnfunc::haveOrangeNet())){ - print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Blue interface\r\n"; + print CLIENTCONF ";remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + } + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; + print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + } + } elsif ( $vpnsettings{'ENABLED_BLUE'} eq 'on' && (&haveBlueNet())){ + print CLIENTCONF "remote $netsettings{'BLUE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + print CLIENTCONF "#Coment the above line and uncoment the next line, if you want to connect on the Orange interface\r\n"; + print CLIENTCONF ";remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; + } + } elsif ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' && (&haveOrangeNet())){ + print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n"; } if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { - print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; - $zip->addFile( 
"${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; + print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; } else { - print CLIENTCONF "ca cacert.pem\r\n"; - print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; - print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; - $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; - $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; + print CLIENTCONF "ca cacert.pem\r\n"; + print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n"; + print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n"; + $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; + $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; if ($vpnsettings{DCOMPLZO} eq 'on') { 
@@ -1023,7 +2172,24 @@ END
 }
 print CLIENTCONF "verb 3\r\n";
 print CLIENTCONF "ns-cert-type server\r\n";
+ print CLIENTCONF "tls-remote $vpnsettings{ROOTCERT_HOSTNAME}\r\n";
+ if ($vpnsettings{MSSFIX} eq 'on') {
+ print CLIENTCONF "mssfix\r\n";
+ }
+ if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
+ print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
+ }
+
+ # Check if a valid operating mode has been choosen and use it.
+ if (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
+ ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
+ ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
+ if(($vpnsettings{MSSFIX} ne 'on') || ($vpnsettings{FRAGMENT} eq '')) {
+ print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\n";
+ }
+ }
 close(CLIENTCONF);
+ $zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
 my $status = $zip->writeToFileNamed($zippathname);
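Review bot: The new `mtu-disc` directive is written with a bare `\n` while every other line of the generated client config, including the `mssfix` and `fragment` lines added just above it, uses `\r\n`, so the .ovpn file ships with mixed line endings; it should read `print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";`. `close(CLIENTCONF)` is still unchecked, so a short write would silently hand a truncated config to `$zip->addFile`, which does check its own result; `close(CLIENTCONF) or die "close $clientovpn: $!";` keeps the two consistent. `tls-remote` is deprecated upstream in favour of `verify-x509-name`, which deserves a one-line comment on that directive so it is revisited when the supported client versions change. The enclosing branch starts outside this hunk.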
@@ -1033,32 +2199,83 @@ END print "Content-Disposition:attachment;filename=$zipname\n\n"; print @fileholder; exit (0); - + } + + + ### ### Remove connection ### + + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { - if ($confighash{$cgiparams{'KEY'}}[19] eq 'yes') { - &Ovpnfunc::killconnection($cgiparams{'KEY'}); - &Ovpnfunc::removenet2netconf($cgiparams{'KEY'}); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - } else { - my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); - &Ovpnfunc::killconnection($cgiparams{'KEY'}); - &Ovpnfunc::removenet2netconf($cgiparams{'KEY'}); - delete $confighash{$cgiparams{'KEY'}}; - my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - } + + if ($confighash{$cgiparams{'KEY'}}) { +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } +# + my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + +### +# m.a.d net2net +### + + if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { + + my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); + my $certfile = 
glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ($certfile) or die "Removing $certfile fail: $!"; + unlink ($conffile) or die "Removing $conffile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; + +} + + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + +# A.Marx CCD delete ccd files and routes + + + if (-f "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]") + { + unlink "${General::swroot}/ovpn/ccd/$confighash{$cgiparams{'KEY'}}[2]"; + } + + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + if ($ccdroutehash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroutehash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + + &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + foreach my $key (keys %ccdroute2hash) { + if ($ccdroute2hash{$key}[0] eq $confighash{$cgiparams{'KEY'}}[1]){ + delete $ccdroute2hash{$key}; + } + } + &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + &writeserverconf; + + +# CCD end + + + delete $confighash{$cgiparams{'KEY'}}; + my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + #&writeserverconf(); } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; } + + ### ### Download PKCS12 file ### 
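Review bot: The revoke step ``my $temp = `/usr/bin/openssl ca -revoke ... -config ...`;`` goes through the shell with the stored connection name interpolated into the path, and its exit status is never inspected; the certificate files are unlinked and the CRL regenerated regardless, so a failed revoke leaves a certificate that is deleted locally but still valid to the server. Use the list form and check it, e.g. `system('/usr/bin/openssl', 'ca', '-revoke', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf") == 0 or $errormessage = "revoke failed: $?";` and the same for the `-gencrl` call, then skip the `delete`/`writehasharray` when `$errormessage` is set. `&writeserverconf;` is invoked before `delete $confighash{...}` and before the updated `ovpnconfig` is written, so if it reads the on-disk config (not visible here) the regenerated server config still contains the connection being removed; the commented `#&writeserverconf();` after `writehasharray` is where the call belongs. The n2n cleanup `die`s on `unlink`/`rmdir` failure with an untranslated message (`Kann Verzeichnis nicht loeschen`), turning a partly removed connection into an HTTP 500 instead of an `$errormessage`.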
@@ -1077,36 +2294,38 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); + my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } ### ### Display Certificate Revoke List ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { +# &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); + my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } ### @@ -1117,31 +2336,38 @@ END %cgiparams = (); %cahash = (); %confighash = (); + my $disabled; &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); - + read_routepushfile; + + +# if ($cgiparams{'CLIENT2CLIENT'} eq '') { +# $cgiparams{'CLIENT2CLIENT'} = 'on'; +# } ADV_ERROR: if ($cgiparams{'MAX_CLIENTS'} eq '') { - $cgiparams{'MAX_CLIENTS'} = '100'; + $cgiparams{'MAX_CLIENTS'} = '100'; } - if ($cgiparams{'KEEPALIVE_1'} eq '') { - $cgiparams{'KEEPALIVE_1'} = '10'; + $cgiparams{'KEEPALIVE_1'} = '10'; } if ($cgiparams{'KEEPALIVE_2'} eq '') { - $cgiparams{'KEEPALIVE_2'} = '60'; + $cgiparams{'KEEPALIVE_2'} = '60'; } if ($cgiparams{'LOG_VERB'} eq '') { - $cgiparams{'LOG_VERB'} = '3'; + $cgiparams{'LOG_VERB'} = '3'; } - if ($cgiparams{'EXTENDED_NICE'} eq '') { - $cgiparams{'EXTENDED_NICE'} = '0'; - } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; + $checked{'MSSFIX'}{'off'} = ''; + $checked{'MSSFIX'}{'on'} = ''; + $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; + $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; $selected{'LOG_VERB'}{'3'} = ''; 
@@ -1155,49 +2381,20 @@ ADV_ERROR: $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; - - ################################################################################# - # Added by Philipp Jenni # - # # - # Contact: philipp.jenni-at-gmx.ch # - # Date: 2006-04-22 # - # Description: Definitions to set the FASTIO Checkbox # - # Definitions to set the MTUDISC Checkbox # - # Definitions to set the NICE Selectionbox # - ################################################################################# - $checked{'EXTENDED_FASTIO'}{'off'} = ''; - $checked{'EXTENDED_FASTIO'}{'on'} = ''; - $checked{'EXTENDED_FASTIO'}{$cgiparams{'EXTENDED_FASTIO'}} = 'CHECKED'; - $checked{'EXTENDED_MTUDISC'}{'off'} = ''; - $checked{'EXTENDED_MTUDISC'}{'on'} = ''; - $checked{'EXTENDED_MTUDISC'}{$cgiparams{'EXTENDED_MTUDISC'}} = 'CHECKED'; - $selected{'EXTENDED_NICE'}{'-13'} = ''; - $selected{'EXTENDED_NICE'}{'-10'} = ''; - $selected{'EXTENDED_NICE'}{'-7'} = ''; - $selected{'EXTENDED_NICE'}{'-3'} = ''; - $selected{'EXTENDED_NICE'}{'0'} = ''; - $selected{'EXTENDED_NICE'}{'3'} = ''; - $selected{'EXTENDED_NICE'}{'7'} = ''; - $selected{'EXTENDED_NICE'}{'10'} = ''; - $selected{'EXTENDED_NICE'}{'13'} = ''; - $selected{'EXTENDED_NICE'}{$cgiparams{'EXTENDED_NICE'}} = 'SELECTED'; - ################################################################################# - # End of inserted Data # - ################################################################################# - + &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); if ($errormessage) { - &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); - print "$errormessage\n"; - print " \n"; - &Header::closebox(); + &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); + print "$errormessage\n"; + print " \n"; + &Header::closebox(); } &Header::openbox('100%', 'LEFT', 
$Lang::tr{'advanced server'}); print < - + +
@@ -1206,7 +2403,7 @@ ADV_ERROR: - + @@ -1215,38 +2412,34 @@ ADV_ERROR: - -
$Lang::tr{'dhcp-options'}
Domain
DNS
WINS
-
- - - - - + - - - - - + - - - - - - + + +
$Lang::tr{'add-route'}
$Lang::tr{'subnet'} 1$Lang::tr{'ovpn routes push options'}
$Lang::tr{'subnet'} 2
$Lang::tr{'subnet'} 3$Lang::tr{'ovpn routes push'} +

- - + @@ -1258,85 +2451,58 @@ ADV_ERROR: - - - - - + - - + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
$Lang::tr{'misc-options'}
Client-To-Client
Max-Clients
Keppalive (ping/ping-restart)
Keppalive
+ (ping/ping-restart)
$Lang::tr{'ovpn_processprio'} - -
$Lang::tr{'ovpn_fastio'} - -
$Lang::tr{'ovpn_mtudisc'} - -
$Lang::tr{'ovpn_mssfix'} - -
$Lang::tr{'ovpn_fragment'} - -
fragment
Default: 1300
mssfixDefault: on
$Lang::tr{'ovpn mtu-disc'} $Lang::tr{'ovpn mtu-disc yes'} $Lang::tr{'ovpn mtu-disc maybe'} $Lang::tr{'ovpn mtu-disc no'} $Lang::tr{'ovpn mtu-disc off'}
- - +
+ + + + + + + + +
Crypto-Engines
Engines: +
+-->
- + @@ -1351,42 +2517,164 @@ ADV_ERROR: - - - - - -
$Lang::tr{'log-options'}
VERB
-
+ +
+END + +if ( -e "/var/run/openvpn.pid"){ +print"
$Lang::tr{'attention'}:
+ $Lang::tr{'server restart'}

+
"; + print<   - +   END -; +; + + +}else{ - &Header::closebox(); - &Header::closebigbox(); - &Header::closepage(); - exit(0); +print< + +   + + +   + + + +END +; +} + &Header::closebox(); +# print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + + +# A.Marx CCD Add,delete or edit CCD net + +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ccd net'} || + $cgiparams{'ACTION'} eq $Lang::tr{'ccd add'} || + $cgiparams{'ACTION'} eq "kill" || + $cgiparams{'ACTION'} eq "edit" || + $cgiparams{'ACTION'} eq 'editsave'){ + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ccd net'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + + if ($cgiparams{'ACTION'} eq "kill"){ + &delccdnet($cgiparams{'net'}); + } + + if ($cgiparams{'ACTION'} eq 'editsave'){ + my ($a,$b) =split (/\|/,$cgiparams{'ccdname'}); + if ( $a ne $b){ &modccdnet($a,$b);} + } + + if ($cgiparams{'ACTION'} eq $Lang::tr{'ccd add'}) { + &addccdnet($cgiparams{'ccdname'},$cgiparams{'ccdsubnet'},$cgiparams{'DOVPN_SUBNET'}); + } + if ($errormessage) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); + print "$errormessage"; + print " "; + &Header::closebox(); + } +if ($cgiparams{'ACTION'} eq "edit"){ + + &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'}); + + print < +
+ $Lang::tr{'ccd name'}: + $Lang::tr{'ccd subnet'}: +
+ + +
+END +; + &Header::closebox(); + + &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} ); + print < + + $Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'} +END +; +} +else{ + if (! -e "/var/run/openvpn.pid"){ + &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'}); + print < +
+ $Lang::tr{'ccd hint'}

+ + $Lang::tr{'ccd name'}: + $Lang::tr{'ccd subnet'}: +
+ +
+END + + &Header::closebox(); +} + &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} ); + print < + + $Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'} +END +; +} + my %ccdconfhash=(); + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + my @ccdconf=(); + my $count=0; + foreach my $key (keys %ccdconfhash) { + @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]); + $count++; + my $ccdhosts = &hostsinnet($ccdconf[0]); + if ($count % 2){ print" ";} + else{ print" ";} + print"$ccdconf[0]$ccdconf[1]$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1).""; +print < + + + + + +
+ + + +
+END +; + } + print ""; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); +#END CCD + ### ### Openvpn Connections Statistics ### @@ -1431,6 +2719,7 @@ END @match = split( /^Updated,(.+)/, $line); $status = $match[1]; } +#gian if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); if ($match[1] ne "Common Name") { @@ -1438,8 +2727,8 @@ END $userlookup{$match[2]} = $uid; $users[$uid]{'CommonName'} = $match[1]; $users[$uid]{'RealAddress'} = $match[2]; - $users[$uid]{'BytesReceived'} = &Ovpnfunc::sizeformat($match[3]); - $users[$uid]{'BytesSent'} = &Ovpnfunc::sizeformat($match[4]); + $users[$uid]{'BytesReceived'} = &sizeformat($match[3]); + $users[$uid]{'BytesSent'} = &sizeformat($match[4]); $users[$uid]{'Since'} = $match[5]; $users[$uid]{'Proto'} = $proto; $uid++; @@ -1460,9 +2749,9 @@ END if ($user2 >= 1){ for (my $idx = 1; $idx <= $user2; $idx++){ if ($idx % 2) { - print "\n"; + print "\n"; } else { - print "\n"; + print "\n"; } print "$users[$idx-1]{'CommonName'}"; print "$users[$idx-1]{'RealAddress'}"; 
@@ -1497,11 +2786,43 @@ END ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download certificate'}) { &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { - print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; - print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - exit (0); + print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; + print "Content-Type: application/octet-stream\r\n\r\n"; + print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + exit (0); + } + +### +### Enable/Disable connection +### + +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) { + + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + if ($confighash{$cgiparams{'KEY'}}) { + if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { + $confighash{$cgiparams{'KEY'}}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); +# } + } else { + $confighash{$cgiparams{'KEY'}}[0] = 'off'; +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); + } + } else { + $errormessage = $Lang::tr{'invalid key'}; } ### 
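Review bot: The toggle branch flips `$confighash{$cgiparams{'KEY'}}[0]` and writes `ovpnconfig`, but both `#&writeserverconf();` calls are commented out and the `ipsecctrl` blocks copied from the IPsec CGI are dead code, so unless some other path regenerates the server configuration (not visible here) the on-disk state and the running server disagree until something else triggers a rewrite; either call `&writeserverconf();` as the remove branch does, or leave a comment naming where the regeneration happens. The `%vpnsettings` read at the top of the branch is only referenced from the commented-out lines and can go with them. In the download branch the `Content-Disposition: filename=...` header lacks `attachment;` and the body is still produced by a backtick `/bin/cat`, though that part is pre-existing and only re-indented.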
@@ -1512,60 +2833,123 @@ END &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}) { +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}); +# } } else { - $errormessage = $Lang::tr{'invalid key'}; + $errormessage = $Lang::tr{'invalid key'}; + } + +### +### Remove connection +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) { + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + if ($confighash{$cgiparams{'KEY'}}) { +# if ($vpnsettings{'ENABLED'} eq 'on' || +# $vpnsettings{'ENABLED_BLUE'} eq 'on') { +# system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}); +# } + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + #&writeserverconf(); + } else { + $errormessage = $Lang::tr{'invalid key'}; } +#test33 ### ### Choose between adding a host-net or net-net connection ### + +### +# m.a.d net2net +### + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &Header::showhttpheaders(); &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "Net to Net $Lang::tr{'connection type'}"); + &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'}); + +if ( -s "${General::swroot}/ovpn/settings") { + print <$Lang::tr{'connection type'}:

- - +
+ + + - - - - + + + + + + + + +
$Lang::tr{'host to net vpn'}
$Lang::tr{'net to net vpn'}
upload a ZERINA Net-to-Net package
$Lang::tr{'net to net vpn'} (Upload Client Package)
 
 Import Connection Name
 Default : Client Packagename

* $Lang::tr{'this field may be blank'}
+END + ; + + +} else { + print <$Lang::tr{'connection type'}:

+ + +
$Lang::tr{'host to net vpn'}
END ; + +} + &Header::closebox(); &Header::closebigbox(); &Header::closepage(); exit (0); - + ### -### uploading a ZERINA n2n connection package +# m.a.d net2net ### -} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - my @zerinaconf; + +} elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2net')){ + + my @firen2nconf; my @confdetails; my $uplconffilename =''; + my $uplconffilename2 =''; my $uplp12name = ''; - my $complzoactive =''; + my $uplp12name2 = ''; my @rem_subnet; my @rem_subnet2; my @tmposupnet3; my $key; + my @n2nname; + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -# Move uploaded ZERINA n2n package to a temporary file + +# Check if a file is uploaded + if (ref ($cgiparams{'FH'}) ne 'Fh') { $errormessage = $Lang::tr{'there was no file upload'}; - goto ZERINA_ERROR; + goto N2N_ERROR; } - # Move uploaded ca to a temporary file + +# Move uploaded IPfire n2n package to temporary file + (my $fh, my $filename) = tempfile( ); if (copy ($cgiparams{'FH'}, $fh) != 1) { $errormessage = $!; - goto ZERINA_ERROR; + goto N2N_ERROR; } my $zip = Archive::Zip->new(); @@ -1573,16 +2957,18 @@ END my $status = $zip->read( $zipName ); if ($status != AZ_OK) { $errormessage = "Read of $zipName failed\n"; - goto ZERINA_ERROR; + goto N2N_ERROR; } - #my $tempdir = tempdir( CLEANUP => 1 ); - my $tempdir = tempdir(); + + my $tempdir = tempdir( CLEANUP => 1 ); my @files = $zip->memberNames(); for(@files) { $zip->extractMemberWithoutPaths($_,"$tempdir/$_"); } my $countfiles = @files; - # see if we have 2 files + +# Check if we have not more then 2 files + if ( $countfiles == 2){ foreach (@files){ if ( $_ =~ /.conf$/){ 
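Review bot: This hunk adds a second `} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) {` branch; if it sits in the same if/elsif chain as the one added around new line 2199 earlier in this diff (which is how the file reads), this later copy can never match, and it is also the stale variant: it neither revokes the certificate, regenerates the CRL nor cleans up the n2n and ccd files. Whichever copy is meant to survive, the other should be deleted so the two do not drift apart; the repeated commented-out `ipsecctrl`/`#&writeserverconf();` blocks belong with it. The `#test33` marker left above the net2net section should also go. The elsif chain continues outside the hunk.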
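Review bot: `$zip->extractMemberWithoutPaths($_, "$tempdir/$_")` builds the destination path from each member name of the uploaded archive as-is; with an explicit target name the method does not strip path components, so on the Archive::Zip releases of this era a member whose name contains a directory part or `..` is written outside `$tempdir`. Reject such names before extracting, e.g. `if ($_ =~ m{[/\\]|\A\.\.}) { $errormessage = "Invalid file name in package"; goto N2N_ERROR; }`, or extract to `basename($_)` only. The `.conf`/`.p12` suffix checks that follow (outside this hunk) do not cover this, and the switch to `tempdir( CLEANUP => 1 )` only removes `$tempdir` itself, not the separate `tempfile()` used for the upload.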
@@ -1594,102 +2980,190 @@ END } if (($uplconffilename eq '') || ($uplp12name eq '')){ $errormessage = "Either no *.conf or no *.p12 file found\n"; - goto ZERINA_ERROR; + goto N2N_ERROR; } + open(FILE, "$tempdir/$uplconffilename") or die 'Unable to open*.conf file'; - @zerinaconf = ; + @firen2nconf = ; close (FILE); - chomp(@zerinaconf); + chomp(@firen2nconf); + } else { - # only 2 files are allowed + $errormessage = "Filecount does not match only 2 files are allowed\n"; - goto ZERINA_ERROR; - } - #prepare imported data not elegant, will be changed later - my $ufuk = (@zerinaconf); - push(@confdetails, substr($zerinaconf[0],4));#dev tun 0 - push(@confdetails, substr($zerinaconf[1],8));#mtu value 1 - push(@confdetails, substr($zerinaconf[2],6));#protocol 2 - if ($confdetails[2] eq 'tcp-client' || $confdetails[2] eq 'tcp-server') { - $confdetails[2] = 'tcp'; - } - push(@confdetails, substr($zerinaconf[3],5));#port 3 - push(@confdetails, substr($zerinaconf[4],9));#ovpn subnet 4 - push(@confdetails, substr($zerinaconf[5],7));#remote ip 5 - push(@confdetails, $zerinaconf[6]); #tls-server/tls-client 6 - push(@confdetails, substr($zerinaconf[7],7));#pkcs12 name 7 - push(@confdetails, substr($zerinaconf[$ufuk-1],1));#remote subnet 8 - push(@confdetails, substr($zerinaconf[9],10));#keepalive 9 - push(@confdetails, substr($zerinaconf[10],7));#cipher 10 - if ($ufuk == 14) { - push(@confdetails, $zerinaconf[$ufuk-3]);#complzo 11 - $complzoactive = "on"; - } else { - $complzoactive = "off"; + goto N2N_ERROR; + } + +### +# m.a.d net2net +### + + if ($cgiparams{'n2nname'} ne ''){ + + $uplconffilename2 = "$cgiparams{'n2nname'}.conf"; + $uplp12name2 = "$cgiparams{'n2nname'}.p12"; + $n2nname[0] = $cgiparams{'n2nname'}; + my @n2nname2 = split(/\./,$uplconffilename); + $n2nname2[0] =~ s/\n|\r//g; + my $input1 = "${General::swroot}/ovpn/certs/$uplp12name"; + my $output1 = "${General::swroot}/ovpn/certs/$uplp12name2"; + my $input2 = "$n2nname2[0]n2n"; + my $output2 = "$n2nname[0]n2n"; + 
my $filename = "$tempdir/$uplconffilename"; + open(FILE, "< $filename") or die 'Unable to open config file.'; + my @current = ; + close(FILE); + foreach (@current) {s/$input1/$output1/g;} + foreach (@current) {s/$input2/$output2/g;} + open (OUT, "> $filename") || die 'Unable to open config file.'; + print OUT @current; + close OUT; + + }else{ + $uplconffilename2 = $uplconffilename; + $uplp12name2 = $uplp12name; + @n2nname = split(/\./,$uplconffilename); + $n2nname[0] =~ s/\n|\r//g; + } + unless(-d "${General::swroot}/ovpn/n2nconf/"){mkdir "${General::swroot}/ovpn/n2nconf", 0755 or die "Unable to create dir $!";} + unless(-d "${General::swroot}/ovpn/n2nconf/$n2nname[0]"){mkdir "${General::swroot}/ovpn/n2nconf/$n2nname[0]", 0770 or die "Unable to create dir $!";} + + move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2"); + + if ($? ne 0) { + $errormessage = "*.conf move failed: $!"; + unlink ($filename); + goto N2N_ERROR; + } + + move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2"); + chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name"; + + if ($? 
ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto N2N_ERROR; } - push(@confdetails, substr($zerinaconf[$ufuk-2],5));#verb 12 - push(@confdetails, substr($zerinaconf[8],6));#localsubnet 13 - #push(@confdetails, substr($uplconffilename,0,-5));#connection Name 14 - push(@confdetails, substr($uplp12name,0,-4));#connection Name 14 - #chomp(@confdetails); - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($confighash{$dkey}[1] eq $confdetails[$ufuk]) { + +my $complzoactive; +my $mssfixactive; +my $n2nfragment; +my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);; +my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]); +my @n2nproto = split(/-/, $n2nproto2[1]); +my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]); +my @n2ntunmtu = split(/ /, (grep { /^tun-mtu/ } @firen2nconf)[0]); +my @n2ncomplzo = grep { /^comp-lzo/ } @firen2nconf; +if ($n2ncomplzo[0] =~ /comp-lzo/){$complzoactive = "on";} else {$complzoactive = "off";} +my @n2nmssfix = grep { /^mssfix/ } @firen2nconf; +if ($n2nmssfix[0] =~ /mssfix/){$mssfixactive = "on";} else {$mssfixactive = "off";} +#my @n2nmssfix = split(/ /, (grep { /^mssfix/ } @firen2nconf)[0]); +my @n2nfragment = split(/ /, (grep { /^fragment/ } @firen2nconf)[0]); +my @n2nremote = split(/ /, (grep { /^remote/ } @firen2nconf)[0]); +my @n2novpnsuball = split(/ /, (grep { /^ifconfig/ } @firen2nconf)[0]); +my @n2novpnsub = split(/\./,$n2novpnsuball[1]); +my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]); +my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]); +my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]); + + +### +# m.a.d delete CR and LF from arrays for this chomp doesnt work +### + +$n2nremote[1] =~ s/\n|\r//g; +$n2novpnsub[0] =~ s/\n|\r//g; +$n2novpnsub[1] =~ s/\n|\r//g; +$n2novpnsub[2] =~ s/\n|\r//g; +$n2nproto[0] =~ s/\n|\r//g; +$n2nport[1] =~ s/\n|\r//g; 
+$n2ntunmtu[1] =~ s/\n|\r//g; +$n2nremsub[1] =~ s/\n|\r//g; +$n2nremsub[2] =~ s/\n|\r//g; +$n2nlocalsub[2] =~ s/\n|\r//g; +$n2nfragment[1] =~ s/\n|\r//g; +$n2nmgmt[2] =~ s/\n|\r//g; +$n2nmtudisc[1] =~ s/\n|\r//g; +chomp ($complzoactive); +chomp ($mssfixactive); + +### +# m.a.d net2net +### + +### +# Check if there is no other entry with this name +### + + foreach my $dkey (keys %confighash) { + if ($confighash{$dkey}[1] eq $n2nname[0]) { $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto ZERINA_ERROR; + unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!"; + unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!"; + goto N2N_ERROR; } } - if ($confdetails[$ufuk] eq 'server') { - $errormessage = $Lang::tr{'server reserved'}; - goto ZERINA_ERROR; + +### +# Check if OpenVPN Subnet is valid +### + +foreach my $dkey (keys %confighash) { + if ($confighash{$dkey}[27] eq "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0") { + $errormessage = 'The OpenVPN Subnet is already in use'; + unlink ("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!"; + unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!"; + goto N2N_ERROR; + } } - @rem_subnet2 = split(/ /,$confdetails[4]); - @tmposupnet3 = split /\./,$rem_subnet2[0]; - $errormessage = &Ovpnfunc::ovelapplausi("$tmposupnet3[0].$tmposupnet3[1].$tmposupnet3[2].0","255.255.255.0"); - if ($errormessage ne ''){ - goto ZERINA_ERROR; + +### +# Check im Dest Port is vaild +### + +foreach my $dkey (keys %confighash) { + if ($confighash{$dkey}[29] eq $n2nport[1] ) { + $errormessage = 'The OpenVPN Port is already in use'; + unlink 
("${General::swroot}/ovpn/n2nconf/$n2nname[0]/$n2nname[0].conf") or die "Removing Configfile fail: $!"; + unlink ("${General::swroot}/ovpn/certs/$n2nname[0].p12") or die "Removing Certfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$n2nname[0]") || die "Removing Directory fail: $!"; + goto N2N_ERROR; + } } - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";} + + + $key = &General::findhasharraykey (\%confighash); + + foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} + $confighash{$key}[0] = 'off'; - $confighash{$key}[1] = $confdetails[$ufuk]; - #$confighash{$key}[2] = $confdetails[7]; - $confighash{$key}[2] = $confdetails[$ufuk]; + $confighash{$key}[1] = $n2nname[0]; + $confighash{$key}[2] = $n2nname[0]; $confighash{$key}[3] = 'net'; $confighash{$key}[4] = 'cert'; $confighash{$key}[6] = 'client'; - $confighash{$key}[8] = $confdetails[8]; - @rem_subnet = split(/ /,$confdetails[$ufuk-1]); - $confighash{$key}[11] = "$rem_subnet[0]/$rem_subnet[1]"; - $confighash{$key}[10] = $confdetails[5]; - $confighash{$key}[25] = 'imported'; - $confighash{$key}[12] = 'red'; - my @tmposupnet = split(/ /,$confdetails[4]); - my @tmposupnet2 = split /\./,$tmposupnet[0]; - $confighash{$key}[13] = "$tmposupnet2[0].$tmposupnet2[1].$tmposupnet2[2].0/255.255.255.0"; - $confighash{$key}[14] = $confdetails[2]; - $confighash{$key}[15] = $confdetails[3]; - $confighash{$key}[16] = $complzoactive; - $confighash{$key}[17] = $confdetails[1]; - $confighash{$key}[18] = '';# nn2nvpn_ip - $confighash{$key}[19] = 'yes';# nn2nvpn_ip - $confighash{$key}[20] = $confdetails[10]; - $cgiparams{'KEY'} = $key; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - mkdir("${General::swroot}/ovpn/n2nconf/$confdetails[$ufuk]", 0770); - move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$confdetails[$ufuk]/$uplconffilename"); - if ($? 
ne 0) { - $errormessage = "*.conf move failed: $!"; - unlink ($filename); - goto ZERINA_ERROR; - } - move("$tempdir/$uplp12name", "${General::swroot}/ovpn/n2nconf/$confdetails[$ufuk]/$uplp12name"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto ZERINA_ERROR; - } - ZERINA_ERROR: + $confighash{$key}[8] = $n2nlocalsub[2]; + $confighash{$key}[10] = $n2nremote[1]; + $confighash{$key}[11] = "$n2nremsub[1]/$n2nremsub[2]"; + $confighash{$key}[22] = $n2nmgmt[2]; + $confighash{$key}[23] = $mssfixactive; + $confighash{$key}[24] = $n2nfragment[1]; + $confighash{$key}[25] = 'IPFire n2n Client'; + $confighash{$key}[26] = 'red'; + $confighash{$key}[27] = "$n2novpnsub[0].$n2novpnsub[1].$n2novpnsub[2].0/255.255.255.0"; + $confighash{$key}[28] = $n2nproto[0]; + $confighash{$key}[29] = $n2nport[1]; + $confighash{$key}[30] = $complzoactive; + $confighash{$key}[31] = $n2ntunmtu[1]; + $confighash{$key}[38] = $n2nmtudisc[1]; + + + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + N2N_ERROR: &Header::showhttpheaders(); &Header::openpage('Validate imported configuration', 1, ''); 
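Review bot: After `move("$tempdir/$uplp12name", "${General::swroot}/ovpn/certs/$uplp12name2")` the next line runs `chmod 0600` on `.../certs/$uplp12name`, the pre-rename name, so when the user supplied `n2nname` the installed `.p12` keeps whatever mode it had in the temp dir and the chmod silently targets a non-existent path; it should read `chmod 0600, "${General::swroot}/ovpn/certs/$uplp12name2";`. Both `if ($? ne 0)` checks after `move` test the exit status of the last child process, which `File::Copy::move` never sets, so a failed move goes undetected; test the return value instead, `move(...) or do { $errormessage = "*.conf move failed: $!"; goto N2N_ERROR; };`. `$cgiparams{'n2nname'}` is used without validation to build `n2nconf/$n2nname[0]`, `certs/$uplp12name2` and, via `$input2`/`$output2`, an unquoted pattern in `s/$input1/$output1/g`; an anchored character-class check before any file is written, plus `\Q...\E` in the substitutions, closes that. The duplicate-name, subnet and port checks run only after the files have been moved into place and then clean up with `or die`, which on failure leaves a half-imported connection and a 500; running those checks before the `move` calls removes the need for the cleanup. The `N2N_ERROR:` label and page output continue outside the hunk.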
@@ -1699,576 +3173,925 @@ END print "$errormessage"; print " "; &Header::closebox(); - } else { - &Header::openbox('100%', 'LEFT', 'Validate imported configuration'); + + } else + { + &Header::openbox('100%', 'LEFT', 'import ipfire net2net config'); } if ($errormessage eq ''){ print < -   -   - $Lang::tr{'name'}: - $confdetails[$ufuk] - $Lang::tr{'Act as'} - $confdetails[6] - $Lang::tr{'remote host/ip'}: - $confdetails[5] - $Lang::tr{'local subnet'} - $confighash{$key}[8] - $Lang::tr{'remote subnet'} - $confighash{$key}[11] - $Lang::tr{'ovpn subnet'} - $confighash{$key}[$ufuk-1] - $Lang::tr{'protocol'} - $confdetails[2] - $Lang::tr{'destination port'}: - $confdetails[3] - $Lang::tr{'comp-lzo'} - $complzoactive - $Lang::tr{'cipher'} - $confdetails[10] - $Lang::tr{'MTU'}  - $confdetails[1] + + + + + + + + + + + + + + + + + + + +
  
$Lang::tr{'name'}:$n2nname[0]
  
$Lang::tr{'Act as'}$confighash{$key}[6]
Remote Host $confighash{$key}[10]
$Lang::tr{'local subnet'}$confighash{$key}[8]
$Lang::tr{'remote subnet'}$confighash{$key}[11]
$Lang::tr{'ovpn subnet'}$confighash{$key}[27]
$Lang::tr{'protocol'}$confighash{$key}[28]
$Lang::tr{'destination port'}:$confighash{$key}[29]
$Lang::tr{'comp-lzo'}$confighash{$key}[30]
MSSFIX $confighash{$key}[23]
Fragment $confighash{$key}[24]
$Lang::tr{'MTU'}$confighash{$key}[31]
$Lang::tr{'ovpn mtu-disc'}$confighash{$key}[38]
Management Port $confighash{$key}[22]
  
END ; - &Header::closebox(); } + if ($errormessage) { print ""; } else { - print "
"; - print ""; - print ""; - print "
"; + print "
"; + print ""; + print ""; + print "
"; } &Header::closebigbox(); &Header::closepage(); exit(0); + +## +### Accept IPFire n2n Package Settings ### -### Approve Zerina n2n -### -} elsif (($cgiparams{'ACTION'} eq 'Approved') && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient); + + } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){ + ### -### Discard Zerina n2n +### Discard and Rollback IPFire n2n Package Settings ### -} elsif (($cgiparams{'ACTION'} eq 'Discard') && ($cgiparams{'TYPE'} eq 'zerinan2n')){ - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ($confighash{$cgiparams{'KEY'}}) { - &Ovpnfunc::removenet2netconf(); - delete $confighash{$cgiparams{'KEY'}}; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - } else { + } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'cancel'}) && ($cgiparams{'TYPE'} eq 'net2netakn')){ + + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + +if ($confighash{$cgiparams{'KEY'}}) { + + my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); + my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + unlink ($certfile) or die "Removing $certfile fail: $!"; + unlink ($conffile) or die "Removing $conffile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]") || die "Kann Verzeichnis nicht loeschen: $!"; + delete $confighash{$cgiparams{'KEY'}}; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + } else { $errormessage = $Lang::tr{'invalid key'}; - } + } + + +### +# m.a.d net2net +### + + ### ### Adding a new connection ### } elsif (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) || ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) || ($cgiparams{'ACTION'} eq 
$Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq '')) { - + &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) { if (! $confighash{$cgiparams{'KEY'}}[0]) { - $errormessage = $Lang::tr{'invalid key'}; - goto VPNCONF_END; - } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; - $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[12]; - $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[13];#new fields - $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[14]; - $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[15]; - $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[16]; - $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[17]; - $cgiparams{'N2NVPN_IP'} = $confighash{$cgiparams{'KEY'}}[18];#new fields - $cgiparams{'ZERINA_CLIENT'} = $confighash{$cgiparams{'KEY'}}[19];#new fields - $cgiparams{'CIPHER'} = $confighash{$cgiparams{'KEY'}}[20];#new fields - if ($cgiparams{'ZERINA_CLIENT'} eq ''){ - $cgiparams{'ZERINA_CLIENT'} = 'no'; - } - } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {#ab hiere error uebernehmen - $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); - # n2n error - if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { - $errormessage = $Lang::tr{'connection type is 
invalid'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage = $Lang::tr{'name must only contain characters'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault|server)$/) { - $errormessage = $Lang::tr{'name is invalid'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'NAME'}) >60) { - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; + $errormessage = $Lang::tr{'invalid key'}; + goto VPNCONF_END; } - if (! $cgiparams{'KEY'}) {# Check if there is no other entry with this name - foreach my $key (keys %confighash) { - if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { - $errormessage = $Lang::tr{'a connection with this name already exists'}; - goto VPNCONF_ERROR; - } + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; + $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23]; + $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; + $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'CHECK1'} = 
$confighash{$cgiparams{'KEY'}}[32]; + my $name=$cgiparams{'CHECK1'} ; + $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33]; + $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38]; + } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { + $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); + +#A.Marx CCD check iroute field and convert it to decimal +if ($cgiparams{'TYPE'} eq 'host') { + my @temp=(); + my %ccdroutehash=(); + my $keypoint=0; + if ($cgiparams{'IR'} ne ''){ + @temp = split("\n",$cgiparams{'IR'}); + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + #find key to use + foreach my $key (keys %ccdroutehash) { + if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) { + $keypoint=$key; + delete $ccdroutehash{$key}; + }else{ + $keypoint = &General::findhasharraykey (\%ccdroutehash); } - } - if (($cgiparams{'TYPE'} eq 'net') && (! $cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; } - if ($cgiparams{'REMOTE'}) { - if (! &General::validip($cgiparams{'REMOTE'})) { - if (! &General::validfqdn ($cgiparams{'REMOTE'})) { - $errormessage = $Lang::tr{'invalid input for remote host/ip'}; - goto VPNCONF_ERROR; - } else { - if (&Ovpnfunc::valid_dns_host($cgiparams{'REMOTE'})) { - $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. 
$Lang::tr{'dns check failed'}"; + $ccdroutehash{$keypoint}[0]=$cgiparams{'NAME'}; + my $i=1; + my $val=0; + foreach $val (@temp){ + chomp($val); + $val=~s/\s*$//g; + my($ip,$cidr) = split(/\//,$val); + $ip=&General::getnetworkip($ip,&General::iporsubtocidr($cidr)); + $cidr=&General::iporsubtodec($cidr); + + #check if iroute exists in ccdroute + foreach my $key (keys %ccdroutehash) { + foreach my $oldiroute ( 1 .. $#{$ccdroutehash{$key}}){ + if ($ccdroutehash{$key}[$oldiroute] eq "$ip/$cidr") { + $errormessage=$Lang::tr{'ccd err irouteexist'}; + goto VPNCONF_ERROR; } } } - } - if ($cgiparams{'TYPE'} ne 'host') { - unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { - $errormessage = $Lang::tr{'local subnet is invalid'}; + + #check for existing network IP's + if (&General::IpInSubnet ($ip,$netsettings{GREEN_NETADDRESS},$netsettings{GREEN_NETMASK}) && $netsettings{GREEN_NETADDRESS} ne '0.0.0.0') + { + $errormessage=$Lang::tr{'ccd err green'}; + goto VPNCONF_ERROR; + }elsif(&General::IpInSubnet ($ip,$netsettings{RED_NETADDRESS},$netsettings{RED_NETMASK}) && $netsettings{RED_NETADDRESS} ne '0.0.0.0') + { + $errormessage=$Lang::tr{'ccd err red'}; + goto VPNCONF_ERROR; + }elsif(&General::IpInSubnet ($ip,$netsettings{BLUE_NETADDRESS},$netsettings{BLUE_NETMASK}) && $netsettings{BLUE_NETADDRESS} ne '0.0.0.0' && $netsettings{BLUE_NETADDRESS} gt '') + { + $errormessage=$Lang::tr{'ccd err blue'}; + goto VPNCONF_ERROR; + }elsif(&General::IpInSubnet ($ip,$netsettings{ORANGE_NETADDRESS},$netsettings{ORANGE_NETMASK}) && $netsettings{ORANGE_NETADDRESS} ne '0.0.0.0' && $netsettings{ORANGE_NETADDRESS} gt '' ) + { + $errormessage=$Lang::tr{'ccd err orange'}; + goto VPNCONF_ERROR; + } + + if (&General::validipandmask($val)){ + $ccdroutehash{$keypoint}[$i] = $ip."/".$cidr; + }else{ + $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." 
($ip/$cidr)"; goto VPNCONF_ERROR; } + $i++; } - #hier1 - my @tmpovpnsubnet = split("\/",$cgiparams{'LOCAL_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'LOCAL_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier1 - if ($cgiparams{'REMOTE'} eq '') {# Check if there is no other entry without IP-address and PSK - foreach my $key (keys %confighash) { - if(($cgiparams{'KEY'} ne $key) && ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && $confighash{$key}[10] eq '') { - $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; - goto VPNCONF_ERROR; - } + &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + &writeserverconf; + }else{ + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + foreach my $key (keys %ccdroutehash) { + if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}) { + delete $ccdroutehash{$key}; + &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + &writeserverconf; } + } + } + undef @temp; + #check route field and convert it to decimal + my $val=0; + my $i=1; + &General::readhasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + #find key to use + foreach my $key (keys %ccdroute2hash) { + if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}) { + $keypoint=$key; + delete $ccdroute2hash{$key}; + }else{ + $keypoint = &General::findhasharraykey (\%ccdroute2hash); + &General::writehasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + &writeserverconf; } - if (($cgiparams{'TYPE'} eq 'net') && (! 
&General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { - $errormessage = $Lang::tr{'remote subnet is invalid'}; - goto VPNCONF_ERROR; + } + $ccdroute2hash{$keypoint}[0]=$cgiparams{'NAME'}; + if ($cgiparams{'IFROUTE'} eq ''){$cgiparams{'IFROUTE'} = $Lang::tr{'ccd none'};} + @temp = split(/\|/,$cgiparams{'IFROUTE'}); + my %ownnet=(); + &General::readhash("${General::swroot}/ethernet/settings", \%ownnet); + foreach $val (@temp){ + chomp($val); + $val=~s/\s*$//g; + if ($val eq $Lang::tr{'green'}) + { + $val=$ownnet{GREEN_NETADDRESS}."/".$ownnet{GREEN_NETMASK}; } - #hier2 - my @tmpovpnsubnet = split("\/",$cgiparams{'REMOTE_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'REMOTE_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier2 - if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; + if ($val eq $Lang::tr{'blue'}) + { + $val=$ownnet{BLUE_NETADDRESS}."/".$ownnet{BLUE_NETMASK}; } - if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { - $errormessage = $Lang::tr{'invalid input'}; - goto VPNCONF_ERROR; + if ($val eq $Lang::tr{'orange'}) + { + $val=$ownnet{ORANGE_NETADDRESS}."/".$ownnet{ORANGE_NETMASK}; } - if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::disallowreserved($cgiparams{'DEST_PORT'},0,$cgiparams{'PROTOCOL'},"dest"); - } - if ($errormessage) { goto VPNCONF_ERROR; } - - if ($cgiparams{'ENABLED'} eq 'on'){ - $errormessage = &Ovpnfunc::checkportfw(0,$cgiparams{'DEST_PORT'},$cgiparams{'PROTOCOL'},'0.0.0.0'); - } - if ($errormessage) { goto VPNCONF_ERROR; } -#raul - if ($cgiparams{'TYPE'} eq 'net') { - if (! 
&General::validipandmask($cgiparams{'OVPN_SUBNET'})) { - $errormessage = $Lang::tr{'ovpn subnet is invalid'}; - goto VPNCONF_ERROR; - } - #hier3 - my @tmpovpnsubnet = split("\/",$cgiparams{'OVPN_SUBNET'}); - $tmpovpnsubnet[1] = &Ovpnfunc::cidrormask($tmpovpnsubnet[1]); - $cgiparams{'OVPN_SUBNET'} = "$tmpovpnsubnet[0]/$tmpovpnsubnet[1]";#convert from cidr - #hier3 - #plausi2 - $errormessage = &Ovpnfunc::ovelapplausi($tmpovpnsubnet[0],$tmpovpnsubnet[1]); - #plausi2 - if ($errormessage ne ''){ - goto VPNCONF_ERROR; - } - if ((length($cgiparams{'MTU'})==0) || (($cgiparams{'MTU'}) < 1000 )) { - $errormessage = $Lang::tr{'invalid mtu input'}; - goto VPNCONF_ERROR; - } - unless (&General::validport($cgiparams{'DEST_PORT'})) { - $errormessage = $Lang::tr{'invalid port'}; + my ($ip,$cidr) = split (/\//, $val); + + if ($val ne $Lang::tr{'ccd none'}) + { + if (! &check_routes_push($val)){$errormessage=$errormessage."Route $val ".$Lang::tr{'ccd err routeovpn2'}." ($val)";goto VPNCONF_ERROR;} + if (! &check_ccdroute($val)){$errormessage=$errormessage."
Route $val ".$Lang::tr{'ccd err inuse'}." ($val)" ;goto VPNCONF_ERROR;} + if (! &check_ccdconf($val)){$errormessage=$errormessage."
Route $val ".$Lang::tr{'ccd err routeovpn'}." ($val)";goto VPNCONF_ERROR;} + if (&General::validipandmask($val)){ + $val=$ip."/".&General::iporsubtodec($cidr); + $ccdroute2hash{$keypoint}[$i] = $val; + }else{ + $errormessage=$errormessage."Route ".$Lang::tr{'ccd invalid'}." ($val)"; goto VPNCONF_ERROR; } - # check protcol/port overlap against existing connections gian - foreach my $dkey (keys %confighash) {#Check if there is no other entry with this name - if ($dkey ne $cgiparams{'KEY'}) { - if ($confighash{$dkey}[14] eq $cgiparams{'PROTOCOL'} && $confighash{$dkey}[15] eq $cgiparams{'DEST_PORT'}){ - #if ($confighash{$dkey}[14] eq 'on') { - $errormessage = "Choosed Protocol/Port combination is already used by connection: $confighash{$dkey}[1]"; - goto VPNCONF_ERROR; - #} else { - # $warnmessage = "Choosed Protcol/Port combination is used by inactive connection: $confighash{$dkey}[1]"; - #} - } - } - } - #check protcol/port overlap against RWserver gian - if ($vpnsettings{'ENABLED'} eq 'on') { - if ($vpnsettings{'DPROTOCOL'} eq $cgiparams{'PROTOCOL'} && $vpnsettings{'DDEST_PORT'} eq $cgiparams{'DEST_PORT'}){ - $errormessage = "Choosed Protocol/Port combination is already used OpenVPN Roadwarrior Server"; - goto VPNCONF_ERROR; - } - } + }else{ + $ccdroute2hash{$keypoint}[$i]=''; } - if ($cgiparams{'AUTH'} eq 'psk') { - #removed - } elsif ($cgiparams{'AUTH'} eq 'certreq') { - # { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; - goto VPNCONF_ERROR; - } - (my $fh, my $filename) = tempfile( );# Move uploaded certificate request to a temporary file - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - # Sign the certificate request and move it - # Sign the host certificate request - system('/usr/bin/openssl', 'ca', '-days', '999999', - '-batch', '-notext', - '-in', $filename, - 
'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ($filename); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - &Ovpnfunc::newcleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ($filename); - &Ovpnfunc::deletebackupcert(); - } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $cgiparams{'CERT_NAME'} = $temp; - $cgiparams{'CERT_NAME'} =~ s/,//g; - $cgiparams{'CERT_NAME'} =~ s/\'//g; - if ($cgiparams{'CERT_NAME'} eq '') { - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } - } elsif ($cgiparams{'AUTH'} eq 'certfile') { - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (ref ($cgiparams{'FH'}) ne 'Fh') { - $errormessage = $Lang::tr{'there was no file upload'}; + $i++; + } + &General::writehasharray("${General::swroot}/ovpn/ccdroute2", \%ccdroute2hash); + + #check dns1 ip + if ($cgiparams{'CCD_DNS1'} ne '' && ! &General::validip($cgiparams{'CCD_DNS1'})) { + $errormessage=$errormessage."
".$Lang::tr{'invalid input for dhcp dns'}." 1"; goto VPNCONF_ERROR; - } - (my $fh, my $filename) = tempfile( );# Move uploaded certificate to a temporary file - if (copy ($cgiparams{'FH'}, $fh) != 1) { - $errormessage = $!; - goto VPNCONF_ERROR; - } - my $validca = 0;# Verify the certificate has a valid CA and move it - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - } else { - foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { - $validca = 1; - } - } - } - if (! $validca) { - $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; - unlink ($filename); - goto VPNCONF_ERROR; - } else { - move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - if ($? ne 0) { - $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto VPNCONF_ERROR; - } - } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN=(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; - $cgiparams{'CERT_NAME'} = $temp; - $cgiparams{'CERT_NAME'} =~ s/,//g; - $cgiparams{'CERT_NAME'} =~ s/\'//g; - if ($cgiparams{'CERT_NAME'} eq '') { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; - goto VPNCONF_ERROR; - } - } elsif ($cgiparams{'AUTH'} eq 'certgen'){ - if ($cgiparams{'KEY'}) { - $errormessage = $Lang::tr{'cant change certificates'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_NAME'}) >60) {# Validate input since the form was submitted - $errormessage = $Lang::tr{'name too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { - $errormessage = $Lang::tr{'invalid input for 
name'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { - $errormessage = $Lang::tr{'invalid input for e-mail address'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_EMAIL'}) > 40) { - $errormessage = $Lang::tr{'e-mail address too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for department'}; - goto VPNCONF_ERROR; - } - if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { - $errormessage = $Lang::tr{'organization too long'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { - $errormessage = $Lang::tr{'invalid input for organization'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for city'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { - $errormessage = $Lang::tr{'invalid input for state or province'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { - $errormessage = $Lang::tr{'invalid input for country'}; - goto VPNCONF_ERROR; - } - if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){ - if (length($cgiparams{'CERT_PASS1'}) < 5) { - $errormessage = $Lang::tr{'password too short'}; - goto VPNCONF_ERROR; - } - } - if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { - $errormessage = $Lang::tr{'passwords do not match'}; - goto VPNCONF_ERROR; - } - (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./;# Replace empty strings with a . 
- (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; - (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; - my $pid = open(OPENSSL, "|-");# Create the Host certificate request client - $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;}; - if ($pid) { # parent - print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n"; - print OPENSSL "$state\n"; - print OPENSSL "$city\n"; - print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n"; - print OPENSSL "$ou\n"; - print OPENSSL "$cgiparams{'CERT_NAME'}\n"; - print OPENSSL "$cgiparams{'CERT_EMAIL'}\n"; - print OPENSSL ".\n"; - print OPENSSL ".\n"; - close (OPENSSL); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } else { # child - unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', - '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { - $errormessage = "$Lang::tr{'cant start openssl'}: $!"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - goto VPNCONF_ERROR; - } - } - # Sign the host certificate request - system('/usr/bin/openssl', 'ca', '-days', '999999', - '-batch', '-notext', - '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); - if ($?) 
{ - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - &Ovpnfunc::newcleanssldatabase(); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); - &Ovpnfunc::deletebackupcert(); - } - # Create the pkcs12 file - system('/usr/bin/openssl', 'pkcs12', '-export', - '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", - '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-name', $cgiparams{'NAME'}, - '-passout', "pass:$cgiparams{'CERT_PASS1'}", - '-certfile', "${General::swroot}/ovpn/ca/cacert.pem", - '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA", - '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); - if ($?) { - $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); - goto VPNCONF_ERROR; - } else { - unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); - } - } elsif ($cgiparams{'AUTH'} eq 'cert') { - ;# Nothing, just editing - } else { - $errormessage = $Lang::tr{'invalid input for authentication method'}; + } + #check dns2 ip + if ($cgiparams{'CCD_DNS2'} ne '' && ! &General::validip($cgiparams{'CCD_DNS2'})) { + $errormessage=$errormessage."
".$Lang::tr{'invalid input for dhcp dns'}." 2"; + goto VPNCONF_ERROR; + } + #check wins ip + if ($cgiparams{'CCD_WINS'} ne '' && ! &General::validip($cgiparams{'CCD_WINS'})) { + $errormessage=$errormessage."
".$Lang::tr{'invalid input for dhcp wins'}; goto VPNCONF_ERROR; + } +} + +#CCD End + + + if ($cgiparams{'TYPE'} !~ /^(host|net)$/) { + $errormessage = $Lang::tr{'connection type is invalid'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR; + } + + + if ($cgiparams{'NAME'} !~ /^[a-zA-Z0-9]+$/) { + $errormessage = $Lang::tr{'name must only contain characters'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR; + } + + if ($cgiparams{'NAME'} =~ /^(host|01|block|private|clear|packetdefault)$/) { + $errormessage = $Lang::tr{'name is invalid'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR; + } + + if (length($cgiparams{'NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR; + } + +### +# m.a.d net2net +### + +if ($cgiparams{'TYPE'} eq 'net') { + + if ($cgiparams{'DEST_PORT'} eq $vpnsettings{'DDEST_PORT'}) { + $errormessage = $Lang::tr{'openvpn destination port used'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die 
"Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; } - if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) {# Check if there is no other entry with this common name - foreach my $key (keys %confighash) { - if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { - $errormessage = $Lang::tr{'a connection with this common name already exists'}; - goto VPNCONF_ERROR; - } - } + + if ($cgiparams{'DEST_PORT'} eq '') { + $errormessage = $Lang::tr{'openvpn destination port used'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; } - my $key = $cgiparams{'KEY'};# Save the config - if (! $key) { - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";} + if ($cgiparams{'OVPN_SUBNET'} eq $vpnsettings{'DOVPN_SUBNET'}) { + $errormessage = $Lang::tr{'openvpn subnet is used'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; } - $confighash{$key}[0] = $cgiparams{'ENABLED'}; - $confighash{$key}[1] = $cgiparams{'NAME'}; - if ((! 
$cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { - $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; + + if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'MSSFIX'} eq 'on')) { + $errormessage = $Lang::tr{'openvpn mssfix allowed with udp'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + + if (($cgiparams{'PROTOCOL'} eq 'tcp') && ($cgiparams{'FRAGMENT'} ne '')) { + $errormessage = $Lang::tr{'openvpn fragment allowed with udp'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + + if (($cgiparams{'PMTU_DISCOVERY'} ne 'off') && ($cgiparams{'MTU'} ne '1500')) { + $errormessage = $Lang::tr{'ovpn mtu-disc and mtu not 1500'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'PMTU_DISCOVERY'} ne 'off') { + if (($cgiparams{'FRAGMENT'} ne '') || ($cgiparams{'MSSFIX'} eq 'on')) { + $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + } + + if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) { + $errormessage = $Lang::tr{'openvpn prefix local subnet'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + 
rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + + if ( &validdotmask ($cgiparams{'OVPN_SUBNET'})) { + $errormessage = $Lang::tr{'openvpn prefix openvpn subnet'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + + if ( &validdotmask ($cgiparams{'REMOTE_SUBNET'})) { + $errormessage = $Lang::tr{'openvpn prefix remote subnet'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'OVPN_MGMT'} eq '') { + $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'}; } - $confighash{$key}[3] = $cgiparams{'TYPE'}; - if ($cgiparams{'AUTH'} eq 'psk') { - $confighash{$key}[4] = 'psk'; - $confighash{$key}[5] = $cgiparams{'PSK'}; + +} + +# if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { +# $errormessage = $Lang::tr{'ipfire side is invalid'}; +# goto VPNCONF_ERROR; +# } + + # Check if there is no other entry with this name + if (! $cgiparams{'KEY'}) { + foreach my $key (keys %confighash) { + if ($confighash{$key}[1] eq $cgiparams{'NAME'}) { + $errormessage = $Lang::tr{'a connection with this name already exists'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR; + } + } + } + + if (($cgiparams{'TYPE'} eq 'net') && (! 
$cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR; + } + + if ($cgiparams{'REMOTE'}) { + if (! &General::validip($cgiparams{'REMOTE'})) { + if (! &General::validfqdn ($cgiparams{'REMOTE'})) { + $errormessage = $Lang::tr{'invalid input for remote host/ip'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR; } else { - $confighash{$key}[4] = 'cert'; + if (&valid_dns_host($cgiparams{'REMOTE'})) { + $warnmessage = "$Lang::tr{'check vpn lr'} $cgiparams{'REMOTE'}. 
$Lang::tr{'dns check failed'}"; + if ($cgiparams{'TYPE'} eq 'net') { + + } + } } - if ($cgiparams{'TYPE'} eq 'net') { - $confighash{$key}[6] = $cgiparams{'SIDE'}; - $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; - if ( $cgiparams{'SIDE'} eq 'client') { - $confighash{$key}[19] = 'yes'; - } else{ - $confighash{$key}[19] = 'no'; - } + } + } + if ($cgiparams{'TYPE'} ne 'host') { + unless (&General::validipandmask($cgiparams{'LOCAL_SUBNET'})) { + $errormessage = $Lang::tr{'local subnet is invalid'}; + if ($cgiparams{'TYPE'} eq 'net') { + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + } + goto VPNCONF_ERROR;} + } + # Check if there is no other entry without IP-address and PSK + if ($cgiparams{'REMOTE'} eq '') { + foreach my $key (keys %confighash) { + if(($cgiparams{'KEY'} ne $key) && + ($confighash{$key}[4] eq 'psk' || $cgiparams{'AUTH'} eq 'psk') && + $confighash{$key}[10] eq '') { + $errormessage = $Lang::tr{'you can only define one roadwarrior connection when using pre-shared key authentication'}; + goto VPNCONF_ERROR; } - $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; - $confighash{$key}[10] = $cgiparams{'REMOTE'}; - $confighash{$key}[25] = $cgiparams{'REMARK'}; - $confighash{$key}[12] = $cgiparams{'INTERFACE'}; - $confighash{$key}[13] = $cgiparams{'OVPN_SUBNET'};# new fields - $confighash{$key}[14] = $cgiparams{'PROTOCOL'}; - $confighash{$key}[15] = $cgiparams{'DEST_PORT'}; - $confighash{$key}[16] = $cgiparams{'COMPLZO'}; - $confighash{$key}[17] = $cgiparams{'MTU'}; - $confighash{$key}[18] = $cgiparams{'N2NVPN_IP'};# new fileds - $confighash{$key}[19] = $cgiparams{'ZERINA_CLIENT'};# new fileds - $confighash{$key}[20] = $cgiparams{'CIPHER'}; - - #default n2n advanced - $confighash{$key}[26] = '10';#keepalive ping - $confighash{$key}[27] = '60';#keepalive restart - 
$confighash{$key}[28] = '0';#nice - $confighash{$key}[42] = '3';#verb - #default n2n advanced - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - &Ovpnfunc::writenet2netconf($key,$zerinaclient); - #ppp - my $n2nactive = `/bin/ps ax|grep $cgiparams{'NAME'}.conf|grep -v grep|awk \'{print \$1}\'`; - if ($cgiparams{'ENABLED'}) { - if ($n2nactive eq ''){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $cgiparams{'NAME'}); - } else { - system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive); - system('/usr/local/bin/openvpnctrl', '-sn2n', $cgiparams{'NAME'}); - } - } else { - if ($n2nactive ne ''){ - system('/usr/local/bin/openvpnctrl', '-kn2n', $cgiparams{'NAME'}); - } + } + } + if (($cgiparams{'TYPE'} eq 'net') && (! &General::validipandmask($cgiparams{'REMOTE_SUBNET'}))) { + $errormessage = $Lang::tr{'remote subnet is invalid'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + + if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'EDIT_ADVANCED'} !~ /^(on|off)$/) { + $errormessage = $Lang::tr{'invalid input'}; + goto VPNCONF_ERROR; + } + +#fixplausi + if ($cgiparams{'AUTH'} eq 'psk') { +# if (! 
length($cgiparams{'PSK'}) ) { +# $errormessage = $Lang::tr{'pre-shared key is too short'}; +# goto VPNCONF_ERROR; +# } +# if ($cgiparams{'PSK'} =~ /['",&]/) { +# $errormessage = $Lang::tr{'invalid characters found in pre-shared key'}; +# goto VPNCONF_ERROR; +# } + } elsif ($cgiparams{'AUTH'} eq 'certreq') { + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } + + # Move uploaded certificate request to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; + } + + # Sign the certificate request and move it + # Sign the host certificate request + system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", + '-batch', '-notext', + '-in', $filename, + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + if ($?) 
{ + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ($filename); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + &newcleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ($filename); + &deletebackupcert(); + } + + my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $cgiparams{'CERT_NAME'} = $temp; + $cgiparams{'CERT_NAME'} =~ s/,//g; + $cgiparams{'CERT_NAME'} =~ s/\'//g; + if ($cgiparams{'CERT_NAME'} eq '') { + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } + } elsif ($cgiparams{'AUTH'} eq 'certfile') { + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto VPNCONF_ERROR; + } + # Move uploaded certificate to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto VPNCONF_ERROR; + } + + # Verify the certificate has a valid CA and move it + my $validca = 0; + my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + } else { + foreach my $key (keys %cahash) { + $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`; + if ($test =~ /: OK/) { + $validca = 1; + } + } + } + if (! $validca) { + $errormessage = $Lang::tr{'certificate does not have a valid ca associated with it'}; + unlink ($filename); + goto VPNCONF_ERROR; + } else { + move($filename, "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + if ($? 
ne 0) { + $errormessage = "$Lang::tr{'certificate file move failed'}: $!"; + unlink ($filename); + goto VPNCONF_ERROR; + } + } + + my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; + $temp =~ /Subject:.*CN=(.*)[\n]/; + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + $cgiparams{'CERT_NAME'} = $temp; + $cgiparams{'CERT_NAME'} =~ s/,//g; + $cgiparams{'CERT_NAME'} =~ s/\'//g; + if ($cgiparams{'CERT_NAME'} eq '') { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + $errormessage = $Lang::tr{'could not retrieve common name from certificate'}; + goto VPNCONF_ERROR; + } + } elsif ($cgiparams{'AUTH'} eq 'certgen') { + if ($cgiparams{'KEY'}) { + $errormessage = $Lang::tr{'cant change certificates'}; + goto VPNCONF_ERROR; + } + # Validate input since the form was submitted + if (length($cgiparams{'CERT_NAME'}) >60) { + $errormessage = $Lang::tr{'name too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + $errormessage = $Lang::tr{'invalid input for name'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_EMAIL'} ne '' && (! 
&General::validemail($cgiparams{'CERT_EMAIL'}))) { + $errormessage = $Lang::tr{'invalid input for e-mail address'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_EMAIL'}) > 40) { + $errormessage = $Lang::tr{'e-mail address too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_OU'} ne '' && $cgiparams{'CERT_OU'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for department'}; + goto VPNCONF_ERROR; + } + if (length($cgiparams{'CERT_ORGANIZATION'}) >60) { + $errormessage = $Lang::tr{'organization too long'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_ORGANIZATION'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { + $errormessage = $Lang::tr{'invalid input for organization'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_CITY'} ne '' && $cgiparams{'CERT_CITY'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for city'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_STATE'} ne '' && $cgiparams{'CERT_STATE'} !~ /^[a-zA-Z0-9 ,\.\-_]*$/) { + $errormessage = $Lang::tr{'invalid input for state or province'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_COUNTRY'} !~ /^[A-Z]*$/) { + $errormessage = $Lang::tr{'invalid input for country'}; + goto VPNCONF_ERROR; + } + if ($cgiparams{'CERT_PASS1'} ne '' && $cgiparams{'CERT_PASS2'} ne ''){ + if (length($cgiparams{'CERT_PASS1'}) < 5) { + $errormessage = $Lang::tr{'password too short'}; + goto VPNCONF_ERROR; + } + } + if ($cgiparams{'CERT_PASS1'} ne $cgiparams{'CERT_PASS2'}) { + $errormessage = $Lang::tr{'passwords do not match'}; + goto VPNCONF_ERROR; + } + + # Replace empty strings with a . 
+ (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; + (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; + (my $state = $cgiparams{'CERT_STATE'}) =~ s/^\s*$/\./; + + # Create the Host certificate request client + my $pid = open(OPENSSL, "|-"); + $SIG{ALRM} = sub { $errormessage = $Lang::tr{'broken pipe'}; goto VPNCONF_ERROR;}; + if ($pid) { # parent + print OPENSSL "$cgiparams{'CERT_COUNTRY'}\n"; + print OPENSSL "$state\n"; + print OPENSSL "$city\n"; + print OPENSSL "$cgiparams{'CERT_ORGANIZATION'}\n"; + print OPENSSL "$ou\n"; + print OPENSSL "$cgiparams{'CERT_NAME'}\n"; + print OPENSSL "$cgiparams{'CERT_EMAIL'}\n"; + print OPENSSL ".\n"; + print OPENSSL ".\n"; + close (OPENSSL); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}ovpn/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; } - if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { - $cgiparams{'KEY'} = $key; - $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; + } else { # child + unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', + '-newkey', 'rsa:1024', + '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + $errormessage = "$Lang::tr{'cant start openssl'}: $!"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + goto VPNCONF_ERROR; + } + } + + # Sign the host certificate request + system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", + '-batch', '-notext', + '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + if ($?) 
{ + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + &newcleanssldatabase(); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); + &deletebackupcert(); + } + + # Create the pkcs12 file + system('/usr/bin/openssl', 'pkcs12', '-export', + '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", + '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", + '-name', $cgiparams{'NAME'}, + '-passout', "pass:$cgiparams{'CERT_PASS1'}", + '-certfile', "${General::swroot}/ovpn/ca/cacert.pem", + '-caname', "$vpnsettings{'ROOTCERT_ORGANIZATION'} CA", + '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12"); + goto VPNCONF_ERROR; + } else { + unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); + } + } elsif ($cgiparams{'AUTH'} eq 'cert') { + ;# Nothing, just editing + } else { + $errormessage = $Lang::tr{'invalid input for authentication method'}; + goto VPNCONF_ERROR; + } + + # Check if there is no other entry with this common name + if ((! $cgiparams{'KEY'}) && ($cgiparams{'AUTH'} ne 'psk')) { + foreach my $key (keys %confighash) { + if ($confighash{$key}[2] eq $cgiparams{'CERT_NAME'}) { + $errormessage = $Lang::tr{'a connection with this common name already exists'}; + goto VPNCONF_ERROR; } - goto VPNCONF_END; + } + } + + # Save the config + my $key = $cgiparams{'KEY'}; + + if (! $key) { + $key = &General::findhasharraykey (\%confighash); + foreach my $i (0 .. 
38) { $confighash{$key}[$i] = "";} + } + $confighash{$key}[0] = $cgiparams{'ENABLED'}; + $confighash{$key}[1] = $cgiparams{'NAME'}; + if ((! $cgiparams{'KEY'}) && $cgiparams{'AUTH'} ne 'psk') { + $confighash{$key}[2] = $cgiparams{'CERT_NAME'}; + } + + $confighash{$key}[3] = $cgiparams{'TYPE'}; + if ($cgiparams{'AUTH'} eq 'psk') { + $confighash{$key}[4] = 'psk'; + $confighash{$key}[5] = $cgiparams{'PSK'}; + } else { + $confighash{$key}[4] = 'cert'; + } + if ($cgiparams{'TYPE'} eq 'net') { + $confighash{$key}[6] = $cgiparams{'SIDE'}; + $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; + } + $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; + $confighash{$key}[10] = $cgiparams{'REMOTE'}; + if ($cgiparams{'OVPN_MGMT'} eq '') { + $confighash{$key}[22] = $confighash{$key}[29]; + } else { + $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'}; + } + $confighash{$key}[23] = $cgiparams{'MSSFIX'}; + $confighash{$key}[24] = $cgiparams{'FRAGMENT'}; + $confighash{$key}[25] = $cgiparams{'REMARK'}; + $confighash{$key}[26] = $cgiparams{'INTERFACE'}; +# new fields + $confighash{$key}[27] = $cgiparams{'OVPN_SUBNET'}; + $confighash{$key}[28] = $cgiparams{'PROTOCOL'}; + $confighash{$key}[29] = $cgiparams{'DEST_PORT'}; + $confighash{$key}[30] = $cgiparams{'COMPLZO'}; + $confighash{$key}[31] = $cgiparams{'MTU'}; + $confighash{$key}[32] = $cgiparams{'CHECK1'}; + my $name=$cgiparams{'CHECK1'}; + $confighash{$key}[33] = $cgiparams{$name}; + $confighash{$key}[34] = $cgiparams{'RG'}; + $confighash{$key}[35] = $cgiparams{'CCD_DNS1'}; + $confighash{$key}[36] = $cgiparams{'CCD_DNS2'}; + $confighash{$key}[37] = $cgiparams{'CCD_WINS'}; + $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; + + + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + if ($cgiparams{'CHECK1'} ){ + + my ($ccdip,$ccdsub)=split "/",$cgiparams{$name}; + my ($a,$b,$c,$d) = split (/\./,$ccdip); + if ( -e "${General::swroot}/ovpn/ccd/$confighash{$key}[2]"){unlink 
"${General::swroot}/ovpn/ccd/$cgiparams{'CERT_NAME'}";} + open ( CCDRWCONF,'>',"${General::swroot}/ovpn/ccd/$confighash{$key}[2]") or die "Unable to create clientconfigfile $!"; + print CCDRWCONF "# OpenVPN Clientconfig from CCD extension by Copymaster#\n\n"; + if($cgiparams{'CHECK1'} eq 'dynamic'){ + print CCDRWCONF "#This client uses the dynamic pool\n"; + }else{ + print CCDRWCONF "#Ip address client and Server\n"; + print CCDRWCONF "ifconfig-push $ccdip ".&General::getlastip($ccdip,1)."\n"; + } + if ($confighash{$key}[34] eq 'on'){ + print CCDRWCONF "\n#Redirect Gateway: \n#All IP traffic is redirected through the vpn \n"; + print CCDRWCONF "push redirect-gateway\n"; + } + &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash); + if ($cgiparams{'IR'} ne ''){ + print CCDRWCONF "\n#Client routes these Networks (behind Client)\n"; + foreach my $key (keys %ccdroutehash){ + if ($ccdroutehash{$key}[0] eq $cgiparams{'NAME'}){ + foreach my $i ( 1 .. $#{$ccdroutehash{$key}}){ + my ($a,$b)=split (/\//,$ccdroutehash{$key}[$i]); + print CCDRWCONF "iroute $a $b\n"; + } + } + } + } + if ($cgiparams{'IFROUTE'} eq $Lang::tr{'ccd none'} ){$cgiparams{'IFROUTE'}='';} + if ($cgiparams{'IFROUTE'} ne ''){ + print CCDRWCONF "\n#Client gets routes to these Networks (behind IPFIRE)\n"; + foreach my $key (keys %ccdroute2hash){ + if ($ccdroute2hash{$key}[0] eq $cgiparams{'NAME'}){ + foreach my $i ( 1 .. 
$#{$ccdroute2hash{$key}}){ + if($ccdroute2hash{$key}[$i] eq $Lang::tr{'blue'}){ + my %blue=(); + &General::readhash("${General::swroot}/ethernet/settings", \%blue); + print CCDRWCONF "push \"route $blue{BLUE_ADDRESS} $blue{BLUE_NETMASK}\n"; + }elsif($ccdroute2hash{$key}[$i] eq $Lang::tr{'orange'}){ + my %orange=(); + &General::readhash("${General::swroot}/ethernet/settings", \%orange); + print CCDRWCONF "push \"route $orange{ORANGE_ADDRESS} $orange{ORANGE_NETMASK}\n"; + }else{ + my ($a,$b)=split (/\//,$ccdroute2hash{$key}[$i]); + print CCDRWCONF "push \"route $a $b\"\n"; + } + } + } + } + } + if(($cgiparams{'CCD_DNS1'} eq '') && ($cgiparams{'CCD_DNS1'} ne '')){ $cgiparams{'CCD_DNS1'} = $cgiparams{'CCD_DNS2'};$cgiparams{'CCD_DNS2'}='';} + if($cgiparams{'CCD_DNS1'} ne ''){ + print CCDRWCONF "\n#Client gets these Nameservers\n"; + print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS1'}\" \n"; + } + if($cgiparams{'CCD_DNS2'} ne ''){ + print CCDRWCONF "push \"dhcp-option DNS $cgiparams{'CCD_DNS2'}\" \n"; + } + if($cgiparams{'CCD_WINS'} ne ''){ + print CCDRWCONF "\n#Client gets this WINS server\n"; + print CCDRWCONF "push \"dhcp-option WINS $cgiparams{'CCD_WINS'}\" \n"; + } + close CCDRWCONF; + } + +### +# m.a.d n2n begin +### + + if ($cgiparams{'TYPE'} eq 'net') { + + if (-e "/var/run/$confighash{$key}[1]n2n.pid") { + system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (\%confighash); + foreach my $i (0 .. 
31) { $confighash{$key}[$i] = "";} + } + $confighash{$key}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + } + } + +### +# m.a.d n2n end +### + + if ($cgiparams{'EDIT_ADVANCED'} eq 'on') { + $cgiparams{'KEY'} = $key; + $cgiparams{'ACTION'} = $Lang::tr{'advanced'}; + } + goto VPNCONF_END; } else { - $cgiparams{'ENABLED'} = 'on'; - if ($cgiparams{'ZERINA_CLIENT'} eq ''){ - $cgiparams{'ZERINA_CLIENT'} = 'no'; - } - if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { - $cgiparams{'AUTH'} = 'psk'; - } elsif ( ! -f "${General::swroot}/ovpn/ca/cacert.pem") { - $cgiparams{'AUTH'} = 'certfile'; - } else { + $cgiparams{'ENABLED'} = 'on'; +### +# m.a.d n2n begin +### + $cgiparams{'MSSFIX'} = 'on'; + $cgiparams{'FRAGMENT'} = '1300'; + $cgiparams{'PMTU_DISCOVERY'} = 'off'; +### +# m.a.d n2n end +### + $cgiparams{'SIDE'} = 'left'; + if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { + $cgiparams{'AUTH'} = 'psk'; + } elsif ( ! 
-f "${General::swroot}/ovpn/ca/cacert.pem") { + $cgiparams{'AUTH'} = 'certfile'; + } else { $cgiparams{'AUTH'} = 'certgen'; - } - $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; - $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; - $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; - $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; - $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; + } + $cgiparams{'LOCAL_SUBNET'} ="$netsettings{'GREEN_NETADDRESS'}/$netsettings{'GREEN_NETMASK'}"; + $cgiparams{'CERT_ORGANIZATION'} = $vpnsettings{'ROOTCERT_ORGANIZATION'}; + $cgiparams{'CERT_CITY'} = $vpnsettings{'ROOTCERT_CITY'}; + $cgiparams{'CERT_STATE'} = $vpnsettings{'ROOTCERT_STATE'}; + $cgiparams{'CERT_COUNTRY'} = $vpnsettings{'ROOTCERT_COUNTRY'}; } + VPNCONF_ERROR: - # n2n default settings - if ($cgiparams{'CIPHER'} eq '') { - $cgiparams{'CIPHER'} = 'BF-CBC'; - } - if ($cgiparams{'MTU'} eq '') { - $cgiparams{'MTU'} = '1400'; - } - if ($cgiparams{'OVPN_SUBNET'} eq '') { - $cgiparams{'OVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; - } - #n2n default settings $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; 
@@ -2278,43 +4101,39 @@ END $checked{'ENABLED_ORANGE'}{'off'} = ''; $checked{'ENABLED_ORANGE'}{'on'} = ''; $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; + + $checked{'EDIT_ADVANCED'}{'off'} = ''; $checked{'EDIT_ADVANCED'}{'on'} = ''; $checked{'EDIT_ADVANCED'}{$cgiparams{'EDIT_ADVANCED'}} = 'CHECKED'; + $selected{'SIDE'}{'server'} = ''; $selected{'SIDE'}{'client'} = ''; $selected{'SIDE'}{$cgiparams{'SIDE'}} = 'SELECTED'; - -# $selected{'DDEVICE'}{'tun'} = ''; -# $selected{'DDEVICE'}{'tap'} = ''; -# $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; - + $selected{'PROTOCOL'}{'udp'} = ''; $selected{'PROTOCOL'}{'tcp'} = ''; $selected{'PROTOCOL'}{$cgiparams{'PROTOCOL'}} = 'SELECTED'; - + + $checked{'AUTH'}{'psk'} = ''; $checked{'AUTH'}{'certreq'} = ''; $checked{'AUTH'}{'certgen'} = ''; $checked{'AUTH'}{'certfile'} = ''; $checked{'AUTH'}{$cgiparams{'AUTH'}} = 'CHECKED'; + $selected{'INTERFACE'}{$cgiparams{'INTERFACE'}} = 'SELECTED'; + $checked{'COMPLZO'}{'off'} = ''; $checked{'COMPLZO'}{'on'} = ''; $checked{'COMPLZO'}{$cgiparams{'COMPLZO'}} = 'CHECKED'; - $selected{'CIPHER'}{'DES-CBC'} = ''; - $selected{'CIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'CIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'CIPHER'}{'DESX-CBC'} = ''; - $selected{'CIPHER'}{'RC2-CBC'} = ''; - $selected{'CIPHER'}{'RC2-40-CBC'} = ''; - $selected{'CIPHER'}{'RC2-64-CBC'} = ''; - $selected{'CIPHER'}{'BF-CBC'} = ''; - $selected{'CIPHER'}{'CAST5-CBC'} = ''; - $selected{'CIPHER'}{'AES-128-CBC'} = ''; - $selected{'CIPHER'}{'AES-192-CBC'} = ''; - $selected{'CIPHER'}{'AES-256-CBC'} = ''; - $selected{'CIPHER'}{$cgiparams{'CIPHER'}} = 'SELECTED'; + + $checked{'MSSFIX'}{'off'} = ''; + $checked{'MSSFIX'}{'on'} = ''; + $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; + + $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + if (1) { &Header::showhttpheaders(); 
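Review bot: `$checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''` near the end of this hunk is the only toggle in the block that does not first reset its known option values, so the marker hash is keyed by whatever string the request supplied. The sibling toggles in the same hunk (`MSSFIX`, `COMPLZO`, `AUTH`) enumerate their valid values as `''` before marking the selected one, and the save path earlier in this diff only tests `$cgiparams{'PMTU_DISCOVERY'} ne 'off'` before the value is written into the config array, so nothing constrains it to the radio set. Suggest `$checked{'PMTU_DISCOVERY'}{$_} = '' for qw(yes maybe no off);` ahead of that line (the list should match the radio inputs' value attributes, which are not visible in this hunk; the form labels use yes/maybe/no/off), and rejecting any other value at save time with the `$Lang::tr{'invalid input'}` pattern already used for `ENABLED` and `EDIT_ADVANCED`. Using `'CHECKED'` like the other toggles rather than `'checked=\'checked\''` would keep the generated markup consistent. The enclosing block begins before this hunk.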
@@ -2326,140 +4145,215 @@ END print " "; &Header::closebox(); } + if ($warnmessage) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'warning messages'}:"); print "$warnmessage"; print " "; &Header::closebox(); } + print "
"; print ""; - print ""; + if ($cgiparams{'KEY'}) { print ""; print ""; } + &Header::openbox('100%', 'LEFT', "$Lang::tr{'connection'}:"); - print "\n"; - print ""; + print "
$Lang::tr{'name'}:
\n"; + + + + print ""; + if ($cgiparams{'TYPE'} eq 'host') { if ($cgiparams{'KEY'}) { - print "\n"; + print ""; } else { + print ""; } +# print ""; +# print ""; +# print <"; if ($cgiparams{'KEY'}) { - print ""; + print ""; } else { - print ""; + print ""; } - print ""; - print ""; - print ""; - if ((($cgiparams{'ACTION'} eq $Lang::tr{'edit'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no')) || - (($cgiparams{'ACTION'} eq $Lang::tr{'save'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no')) || - (($cgiparams{'ACTION'} eq $Lang::tr{'add'}) && ($cgiparams{'ZERINA_CLIENT'} eq 'no'))) { - print ""; - print ""; - print ""; - print ""; - print ""; - } else { - print ""; - print ""; - print ""; - } - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; + + + + print <  + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +END +; } +#jumper print ""; - print ""; -# if ($cgiparams{'TYPE'} eq 'net') { - print "\n"; + print "
$Lang::tr{'name'}: $cgiparams{'NAME'}$cgiparams{'NAME'}
$Lang::tr{'interface'}
$cgiparams{'NAME'}$cgiparams{'NAME'}  
$Lang::tr{'Act as'}
$Lang::tr{'local vpn hostname/ip'}:$Lang::tr{'remote host/ip'}:
$Lang::tr{'Act as'}$cgiparams{'SIDE'}$Lang::tr{'remote host/ip'}:
$Lang::tr{'local subnet'}$Lang::tr{'remote subnet'}
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'}$Lang::tr{'destination port'}:
$Lang::tr{'comp-lzo'}$Lang::tr{'cipher'}
$Lang::tr{'MTU'}   
$Lang::tr{'Act as'}$Lang::tr{'remote host/ip'}:
$Lang::tr{'local subnet'}$Lang::tr{'remote subnet'}
$Lang::tr{'ovpn subnet'}
$Lang::tr{'protocol'}$Lang::tr{'destination port'}:
$Lang::tr{'comp-lzo'}   +
mssfix  $Lang::tr{'openvpn default'}: on
fragment  $Lang::tr{'openvpn default'}: 1300
$Lang::tr{'MTU'}  $Lang::tr{'openvpn default'}: udp/tcp 1500/1400
Management Port  $Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}
$Lang::tr{'ovpn mtu-disc'} + $Lang::tr{'ovpn mtu-disc yes'} + $Lang::tr{'ovpn mtu-disc maybe'} + $Lang::tr{'ovpn mtu-disc no'} + $Lang::tr{'ovpn mtu-disc off'} +
$Lang::tr{'remark title'} 
$Lang::tr{'enabled'}
"; if ($cgiparams{'TYPE'} eq 'host') { - print " "; - } elsif ($cgiparams{'ACTION'} ne $Lang::tr{'edit'}){ - print " $Lang::tr{'edit advanced settings when done'}"; - } else { - print ""; - } - + print "$Lang::tr{'enabled'} "; + } + print"

"; +#A.Marx CCD new client +if ($cgiparams{'TYPE'} eq 'host') { + print ""; + my %vpnnet=(); + my $vpnip; + &General::readhash("${General::swroot}/ovpn/settings", \%vpnnet); + $vpnip=$vpnnet{'DOVPN_SUBNET'}; + &General::readhasharray("${General::swroot}/ovpn/ccd.conf", \%ccdconfhash); + my @ccdconf=(); + my $count=0; + my $checked; + $checked{'check1'}{'off'} = ''; + $checked{'check1'}{'on'} = ''; + $checked{'check1'}{$cgiparams{'CHECK1'}} = 'CHECKED'; + print"


$Lang::tr{'ccd choose net'}
$Lang::tr{'ccd dynrange'} ($vpnip)"; + print"


"; + my $name=$cgiparams{'CHECK1'}; + $checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED'; + + if (! -z "${General::swroot}/ovpn/ccd.conf"){ + print""; + foreach my $key (keys %ccdconfhash) { + $count++; + @ccdconf=($ccdconfhash{$key}[0],$ccdconfhash{$key}[1]); + if ($count % 2){print"";}else{print"";} + print""; + } + print "
$Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd clientip'}
$ccdconf[0]$ccdconf[1]"; + &fillselectbox($ccdconf[1],$ccdconf[0],$cgiparams{$name}); + print"





"; + } +} +# ccd end &Header::closebox(); if ($cgiparams{'KEY'} && $cgiparams{'AUTH'} eq 'psk') { - ;#we dont have psk - } elsif (! $cgiparams{'KEY'}) { + + } elsif (! $cgiparams{'KEY'}) { + + my $disabled=''; my $cakeydisabled=''; my $cacrtdisabled=''; if ( ! -f "${General::swroot}/ovpn/ca/cakey.pem" ) { $cakeydisabled = "disabled='disabled'" } else { $cakeydisabled = "" }; if ( ! -f "${General::swroot}/ovpn/ca/cacert.pem" ) { $cacrtdisabled = "disabled='disabled'" } else { $cacrtdisabled = "" }; + &Header::openbox('100%', 'LEFT', $Lang::tr{'authentication'}); - print < - - - $Lang::tr{'upload a certificate request'} - - - $Lang::tr{'upload a certificate'} - - - $Lang::tr{'generate a certificate'}  -   - $Lang::tr{'users fullname or system hostname'}: - -   - $Lang::tr{'users email'}:  - -   - $Lang::tr{'users department'}:  - -   - $Lang::tr{'organization name'}:  - -   - $Lang::tr{'city'}:  - -   - $Lang::tr{'state or province'}:  - -   - $Lang::tr{'country'}: - $Lang::tr{'upload a certificate request'} + $Lang::tr{'upload a certificate'} +   +
+   + $Lang::tr{'generate a certificate'}  +  $Lang::tr{'users fullname or system hostname'}: +  $Lang::tr{'users email'}:  +  $Lang::tr{'users department'}:  +  $Lang::tr{'organization name'}:  +  $Lang::tr{'city'}:  +  $Lang::tr{'state or province'}:  +  $Lang::tr{'country'}:$Lang::tr{'generate a certificate'}  +  $Lang::tr{'users fullname or system hostname'}: +  $Lang::tr{'users email'}:  +  $Lang::tr{'users department'}:  +  $Lang::tr{'organization name'}:  +  $Lang::tr{'city'}:  +  $Lang::tr{'state or province'}:  +  $Lang::tr{'country'}: -  $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'}) - - -END - ; - &Header::closebox(); - } - print "
"; - if ($cgiparams{'KEY'}) { - if ($cgiparams{'TYPE'} ne 'host') { - print ""; - } - } - print "
"; - &Header::closebigbox(); - &Header::closepage(); - exit (0); - } - VPNCONF_END: -} ### -### Advanced settings +# m.a.d net2net ### -if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) || - ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'ADVANCED'} eq 'yes')) { - &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - - if (! $confighash{$cgiparams{'KEY'}}) { - $errormessage = $Lang::tr{'invalid key'}; - goto ADVANCED_END; - } - #n2n advanced error - if ($cgiparams{'KEEPALIVE_1'} ne '') { - if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) { - $errormessage = $Lang::tr{'invalid input for keepalive 1'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'KEEPALIVE_2'} ne ''){ - if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) { - $errormessage = $Lang::tr{'invalid input for keepalive 2'}; - goto ADVANCED_ERROR; - } - } - if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){ - $errormessage = $Lang::tr{'invalid input for keepalive 1:2'}; - goto ADVANCED_ERROR; - } - if ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { -# if ($cgiparams{'NAT'} !~ /^(on|off)$/) { -# $errormessage = $Lang::tr{'invalid input'}; -# goto ADVANCED_ERROR; -# } - #n2n advanced error - #cgi an config - $confighash{$cgiparams{'KEY'}}[26] = $cgiparams{'KEEPALIVE_1'}; - $confighash{$cgiparams{'KEY'}}[27] = $cgiparams{'KEEPALIVE_2'}; - $confighash{$cgiparams{'KEY'}}[28] = $cgiparams{'EXTENDED_NICE'}; - $confighash{$cgiparams{'KEY'}}[29] = $cgiparams{'EXTENDED_FASTIO'}; - $confighash{$cgiparams{'KEY'}}[30] = $cgiparams{'EXTENDED_MTUDISC'}; - $confighash{$cgiparams{'KEY'}}[31] = $cgiparams{'EXTENDED_MSSFIX'}; - $confighash{$cgiparams{'KEY'}}[32] = $cgiparams{'EXTENDED_FRAGMENT'}; - $confighash{$cgiparams{'KEY'}}[33] = $cgiparams{'PROXY_HOST'}; - $confighash{$cgiparams{'KEY'}}[34] = $cgiparams{'PROXY_PORT'}; - $confighash{$cgiparams{'KEY'}}[35] = $cgiparams{'PROXY_USERNAME'}; - 
$confighash{$cgiparams{'KEY'}}[36] = $cgiparams{'PROXY_PASS'};
- $confighash{$cgiparams{'KEY'}}[37] = $cgiparams{'PROXY_AUTH_METHOD'};
- $confighash{$cgiparams{'KEY'}}[38] = $cgiparams{'http-proxy-retry'};
- $confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'PROXY_TIMEOUT'};
- $confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'PROXY_OPT_VERSION'};
- $confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'PROXY_OPT_AGENT'};
- $confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'LOG_VERB'};
- &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- &Ovpnfunc::writenet2netconf($cgiparams{'KEY'},$zerinaclient);
- # restart n2n after advanced save ?
- goto ADVANCED_END;
- } else {
- $cgiparams{'KEEPALIVE_1'} = $confighash{$cgiparams{'KEY'}}[26];
- $cgiparams{'KEEPALIVE_2'} = $confighash{$cgiparams{'KEY'}}[27];
- $cgiparams{'EXTENDED_NICE'} = $confighash{$cgiparams{'KEY'}}[28];
- $cgiparams{'EXTENDED_FASTIO'} = $confighash{$cgiparams{'KEY'}}[29];
- $cgiparams{'EXTENDED_MTUDISC'} = $confighash{$cgiparams{'KEY'}}[30];
- $cgiparams{'EXTENDED_MSSFIX'} = $confighash{$cgiparams{'KEY'}}[31];
- $cgiparams{'EXTENDED_FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[32];
- $cgiparams{'PROXY_HOST'} = $confighash{$cgiparams{'KEY'}}[33];
- $cgiparams{'PROXY_PORT'} = $confighash{$cgiparams{'KEY'}}[34];
- $cgiparams{'PROXY_USERNAME'} = $confighash{$cgiparams{'KEY'}}[35];
- $cgiparams{'PROXY_PASS'} = $confighash{$cgiparams{'KEY'}}[36];
- $cgiparams{'PROXY_AUTH_METHOD'} = $confighash{$cgiparams{'KEY'}}[37];
- $cgiparams{'http-proxy-retry'} = $confighash{$cgiparams{'KEY'}}[38];
- $cgiparams{'PROXY_TIMEOUT'} = $confighash{$cgiparams{'KEY'}}[39];
- $cgiparams{'PROXY_OPT_VERSION'} = $confighash{$cgiparams{'KEY'}}[40];
- $cgiparams{'PROXY_OPT_AGENT'} = $confighash{$cgiparams{'KEY'}}[41];
- $cgiparams{'LOG_VERB'} = $confighash{$cgiparams{'KEY'}}[42];
- #cgi an config
- }
- ADVANCED_ERROR:
- #Schalter setzen
- $selected{'EXTENDED_NICE'}{'-13'} = '';
- $selected{'EXTENDED_NICE'}{'-10'} = '';
- $selected{'EXTENDED_NICE'}{'-7'} = '';
- $selected{'EXTENDED_NICE'}{'-3'} = '';
- $selected{'EXTENDED_NICE'}{'0'} = '';
- $selected{'EXTENDED_NICE'}{'3'} = '';
- $selected{'EXTENDED_NICE'}{'7'} = '';
- $selected{'EXTENDED_NICE'}{'10'} = '';
- $selected{'EXTENDED_NICE'}{'13'} = '';
- $selected{'EXTENDED_NICE'}{$cgiparams{'EXTENDED_NICE'}} = 'SELECTED';
- $checked{'EXTENDED_FASTIO'}{'off'} = '';
- $checked{'EXTENDED_FASTIO'}{'on'} = '';
- $checked{'EXTENDED_FASTIO'}{$cgiparams{'EXTENDED_FASTIO'}} = 'CHECKED';
- $checked{'EXTENDED_MTUDISC'}{'off'} = '';
- $checked{'EXTENDED_MTUDISC'}{'on'} = '';
- $checked{'EXTENDED_MTUDISC'}{$cgiparams{'EXTENDED_MTUDISC'}} = 'CHECKED';
- $selected{'LOG_VERB'}{'1'} = '';
- $selected{'LOG_VERB'}{'2'} = '';
- $selected{'LOG_VERB'}{'3'} = '';
- $selected{'LOG_VERB'}{'4'} = '';
- $selected{'LOG_VERB'}{'5'} = '';
- $selected{'LOG_VERB'}{'6'} = '';
- $selected{'LOG_VERB'}{'7'} = '';
- $selected{'LOG_VERB'}{'8'} = '';
- $selected{'LOG_VERB'}{'9'} = '';
- $selected{'LOG_VERB'}{'10'} = '';
- $selected{'LOG_VERB'}{'11'} = '';
- $selected{'LOG_VERB'}{'0'} = '';
- $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
- $selected{'PROXY_AUTH_METHOD'}{'none'} = '';
- $selected{'PROXY_AUTH_METHOD'}{'basic'} = '';
- $selected{'PROXY_AUTH_METHOD'}{'ntlm'} = '';
- $selected{'PROXY_AUTH_METHOD'}{$cgiparams{'PROXY_AUTH_METHOD'}} = 'SELECTED';
- $checked{'PROXY_RETRY'}{'off'} = '';
- $checked{'PROXY_RETRY'}{'on'} = '';
- $checked{'PROXY_RETRY'}{$cgiparams{'PROXY_RETRY'}} = 'CHECKED';
- #Schalter setzen
- &Header::showhttpheaders();
- &Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
- &Header::openbigbox('100%', 'LEFT', '', $errormessage);
- if ($errormessage) {
- &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'});
- print "$errormessage";
- print " ";
- &Header::closebox();
- }
- 
- if ($warnmessage) {
- &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'});
- print "$warnmessage";
- print " ";
- 
&Header::closebox(); - } - - print "
\n"; - print "\n"; - print "\n"; - - &Header::openbox('100%', 'LEFT', "$Lang::tr{'advanced'}:"); - print < - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'misc-options'}
Keppalive (ping/ping-restart)
$Lang::tr{'ovpn_processprio'} - -
$Lang::tr{'ovpn_fastio'} - -
$Lang::tr{'ovpn_mtudisc'} - -
$Lang::tr{'ovpn_mssfix'} - -
$Lang::tr{'ovpn_fragment'} - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
$Lang::tr{'proxy'} $Lang::tr{'settings'}
$Lang::tr{'proxy'} $Lang::tr{'host'}:$Lang::tr{'proxy port'}:
$Lang::tr{'username'}$Lang::tr{'password'}
$Lang::tr{'authentication'} $Lang::tr{'method'} - -
http-proxy-retryhttp-proxy-timeout
http-proxy-option VERSIONhttp-proxy-option AGENT
-
- - - - - - - - - - -
$Lang::tr{'log-options'}
VERB
- -EOF - ; - &Header::closebox(); - print "
"; - print "
"; - &Header::closebigbox(); - &Header::closepage(); - exit(0); +if ($cgiparams{'TYPE'} eq 'host') { + print < - ADVANCED_END: +  $Lang::tr{'valid till'} (days): + +   + $Lang::tr{'pkcs12 file password'}: + +  $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'}) + +   +
+ * $Lang::tr{'this field may be blank'} + +END +}else{ + print < +     +     +
+ * $Lang::tr{'this field may be blank'} + + +END } + ### -### Default status page +# m.a.d net2net ### -%cgiparams = (); -%cahash = (); -%confighash = (); -&General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); -&General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); -&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -my @status = `/bin/cat /var/log/ovpnserver.log`; -if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { - if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { - my $ipaddr = ; - close IPADDR; - chomp ($ipaddr); - $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; - if ($cgiparams{'VPN_IP'} eq '') { - $cgiparams{'VPN_IP'} = $ipaddr; - } + ; + &Header::closebox(); + + } + +#A.Marx CCD new client +if ($cgiparams{'TYPE'} eq 'host') { + print"

"; + &Header::openbox('100%', 'LEFT', "$Lang::tr{'ccd client options'}:"); + + + print < + Redirect Gateway: +
$Lang::tr{'ccd routes'}
+   + $Lang::tr{'ccd iroute'}$Lang::tr{'ccd iroutehint'} +
+ $Lang::tr{'ccd iroute2'} + DNS2: + WINS:

+ +END +; + &Header::closebox(); +} + print "
"; + if ($cgiparams{'KEY'}) { +# print ""; } + print "
"; + &Header::closebigbox(); + &Header::closepage(); + exit (0); + } + VPNCONF_END: } + +# SETTINGS_ERROR: +### +### Default status page +### + %cgiparams = (); + %cahash = (); + %confighash = (); + &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); + &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + + my @status = `/bin/cat /var/log/ovpnserver.log`; + + if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { + if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { + my $ipaddr = ; + close IPADDR; + chomp ($ipaddr); + $cgiparams{'VPN_IP'} = (gethostbyaddr(pack("C4", split(/\./, $ipaddr)), 2))[0]; + if ($cgiparams{'VPN_IP'} eq '') { + $cgiparams{'VPN_IP'} = $ipaddr; + } + } + } + #default setzen -if ($cgiparams{'DCIPHER'} eq '') { + if ($cgiparams{'DCIPHER'} eq '') { $cgiparams{'DCIPHER'} = 'BF-CBC'; -} -# if ($cgiparams{'DCOMPLZO'} eq '') { -# $cgiparams{'DCOMPLZO'} = 'on'; -# } -if ($cgiparams{'DDEST_PORT'} eq '') { + } + if ($cgiparams{'DDEST_PORT'} eq '') { $cgiparams{'DDEST_PORT'} = '1194'; -} -if ($cgiparams{'DMTU'} eq '') { + } + if ($cgiparams{'DMTU'} eq '') { $cgiparams{'DMTU'} = '1400'; -} -if ($cgiparams{'DOVPN_SUBNET'} eq '') { + } + if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . 
'.0/255.255.255.0'; -} -$checked{'ENABLED'}{'off'} = ''; -$checked{'ENABLED'}{'on'} = ''; -$checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; -$checked{'ENABLED_BLUE'}{'off'} = ''; -$checked{'ENABLED_BLUE'}{'on'} = ''; -$checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED'; -$checked{'ENABLED_ORANGE'}{'off'} = ''; -$checked{'ENABLED_ORANGE'}{'on'} = ''; -$checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; -#new settings -$selected{'DDEVICE'}{'tun'} = ''; -$selected{'DDEVICE'}{'tap'} = ''; -$selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; -$selected{'DPROTOCOL'}{'udp'} = ''; -$selected{'DPROTOCOL'}{'tcp'} = ''; -$selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; -$selected{'DCIPHER'}{'DES-CBC'} = ''; -$selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; -$selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; -$selected{'DCIPHER'}{'DESX-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-40-CBC'} = ''; -$selected{'DCIPHER'}{'RC2-64-CBC'} = ''; -$selected{'DCIPHER'}{'BF-CBC'} = ''; -$selected{'DCIPHER'}{'CAST5-CBC'} = ''; -$selected{'DCIPHER'}{'AES-128-CBC'} = ''; -$selected{'DCIPHER'}{'AES-192-CBC'} = ''; -$selected{'DCIPHER'}{'AES-256-CBC'} = ''; -$selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; -$checked{'DCOMPLZO'}{'off'} = ''; -$checked{'DCOMPLZO'}{'on'} = ''; -$checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; + } + $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'on'} = ''; + $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; + $checked{'ENABLED_BLUE'}{'off'} = ''; + $checked{'ENABLED_BLUE'}{'on'} = ''; + $checked{'ENABLED_BLUE'}{$cgiparams{'ENABLED_BLUE'}} = 'CHECKED'; + $checked{'ENABLED_ORANGE'}{'off'} = ''; + $checked{'ENABLED_ORANGE'}{'on'} = ''; + $checked{'ENABLED_ORANGE'}{$cgiparams{'ENABLED_ORANGE'}} = 'CHECKED'; + $selected{'DDEVICE'}{'tun'} = ''; + $selected{'DDEVICE'}{'tap'} = ''; + $selected{'DDEVICE'}{$cgiparams{'DDEVICE'}} = 'SELECTED'; + 
$selected{'DPROTOCOL'}{'udp'} = ''; + $selected{'DPROTOCOL'}{'tcp'} = ''; + $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; + + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + $checked{'DCOMPLZO'}{'off'} = ''; + $checked{'DCOMPLZO'}{'on'} = ''; + $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; +# m.a.d + $checked{'MSSFIX'}{'off'} = ''; + $checked{'MSSFIX'}{'on'} = ''; + $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; #new settings -&Header::showhttpheaders(); -&Header::openpage($Lang::tr{'status ovpn'}, 1, ''); -&Header::openbigbox('100%', 'LEFT', '', $errormessage); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', $errormessage); -if ($errormessage) { + if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); print "$errormessage\n"; print " \n"; &Header::closebox(); -} + } -my $sactive = "
$Lang::tr{'stopped'}
"; -my $srunning = "no"; -my $activeonrun = ""; -if ( -e "/var/run/openvpn.pid"){ + my $sactive = "
$Lang::tr{'stopped'}
"; + my $srunning = "no"; + my $activeonrun = ""; + if ( -e "/var/run/openvpn.pid"){ $sactive = "
$Lang::tr{'running'}
"; $srunning ="yes"; $activeonrun = ""; -} else { + } else { $activeonrun = "disabled='disabled'"; -} -#ufuk -#CERT -&Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:"); -print "
ZERINA-0.9.7a9
"; -print " "; -print < - - $Lang::tr{'name'} + } + &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); + print < +
+   +   +   + $Lang::tr{'ovpn server status'} + $sactive + $Lang::tr{'ovpn on red'} + +END +; + if (&haveBlueNet()) { + print "$Lang::tr{'ovpn on blue'}"; + print ""; + } + if (&haveOrangeNet()) { + print "$Lang::tr{'ovpn on orange'}"; + print ""; + } + print <$Lang::tr{'local vpn hostname/ip'}:
+ $Lang::tr{'ovpn subnet'}
+ $Lang::tr{'ovpn device'} + + + $Lang::tr{'destination port'}: + + $Lang::tr{'MTU'}  + + $Lang::tr{'comp-lzo'} + + $Lang::tr{'cipher'} + +
+END +; + + if ( $srunning eq "yes" ) { + print ""; + print ""; + print ""; + print ""; + } else{ + print ""; + print ""; + print ""; + if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && + -e "${General::swroot}/ovpn/ca/dh1024.pem" && + -e "${General::swroot}/ovpn/certs/servercert.pem" && + -e "${General::swroot}/ovpn/certs/serverkey.pem") && + (( $cgiparams{'ENABLED'} eq 'on') || + ( $cgiparams{'ENABLED_BLUE'} eq 'on') || + ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){ + print ""; + } else { + print ""; + } + } + print ""; + &Header::closebox(); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:"); + print < + + $Lang::tr{'name'} $Lang::tr{'subject'} $Lang::tr{'action'} - + EOF ; -if (-f "${General::swroot}/ovpn/ca/cacert.pem") { + if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; $casubject =~ /Subject: (.*)[\n]/; $casubject = $1; $casubject =~ s+/Email+, E+; $casubject =~ s/ ST=/ S=/; + print < - $Lang::tr{'root certificate'} - $casubject -
- - -
-
- + + $Lang::tr{'root certificate'} + $casubject + + + +
+
+ -
-   + +   END ; -} else { + } else { # display rootcert generation buttons print < + $Lang::tr{'root certificate'}: $Lang::tr{'not present'}   END ; -} + } -if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; $hostsubject =~ /Subject: (.*)[\n]/; $hostsubject = $1; $hostsubject =~ s+/Email+, E+; $hostsubject =~ s/ ST=/ S=/; + print < + $Lang::tr{'host certificate'} $hostsubject
- - + +
- - + +
  END ; -} else { + } else { # Nothing print < + $Lang::tr{'host certificate'}: $Lang::tr{'not present'}   END ; -} + } -if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { - print "
"; + if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { + print ""; print ""; - print "
\n"; -} + print "\n"; + } -if (keys %cahash > 0) { + if (keys %cahash > 0) { foreach my $key (keys %cahash) { - if (($key + 1) % 2) { - print "\n"; - } else { - print "\n"; - } - print "$cahash{$key}[0]\n"; - print "$cahash{$key}[1]\n"; - print < + if (($key + 1) % 2) { + print "\n"; + } else { + print "\n"; + } + print "$cahash{$key}[0]\n"; + print "$cahash{$key}[1]\n"; + print < - -
- +
+
+ -
-
+
+
-
+ END ; } -} -print ""; -if ( -f "${General::swroot}/ovpn/ca/cacert.pem") {# If the file contains entries, print Key to action icons - print < - + } + + print ""; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { + print < +   $Lang::tr{'legend'}:     $Lang::tr{ $Lang::tr{'show certificate'} -     $Lang::tr{ +     $Lang::tr{ $Lang::tr{'download certificate'} - - + + END - ; -} +; + } + print < - - - - -
$Lang::tr{'ca name'}: -
+ + + + +
$Lang::tr{'ca name'}:

END - ; -&Header::closebox(); -if ( $srunning eq "yes" ) { +; + + + &Header::closebox(); + if ( $srunning eq "yes" ) { print "
\n"; -}else{ - print "
\n"; -} -#CERT -#RWSERVER -#&Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); -&Header::openbox('100%', 'LEFT', 'Roadwarrior Server'); -print < -
-  -  -  -$Lang::tr{'ovpn server status'} -$sactive -$Lang::tr{'ovpn on red'} - + }else{ + print "
\n"; + } + if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { + +### +# m.a.d net2net +#$Lang::tr{'remark'}
L2089 +### + + &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' }); + print < + + $Lang::tr{'name'} + $Lang::tr{'type'} + $Lang::tr{'network'} + $Lang::tr{'remark'} + $Lang::tr{'status'} + $Lang::tr{'action'} + END -; -if (&Ovpnfunc::haveBlueNet()) { - print "$Lang::tr{'ovpn on blue'}"; - print ""; + ; + my $id = 0; + my $gif; + foreach my $key (sort { uc($confighash{$a}[1]) cmp uc($confighash{$b}[1]) } keys %confighash) { + if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } + + if ($id % 2) { + print "\n"; + } else { + print "\n"; + } + print "$confighash{$key}[1]"; + print "" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")"; + #if ($confighash{$key}[4] eq 'cert') { + #print "$confighash{$key}[2]"; + #} else { + #print " "; + #} + my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; + $cavalid =~ /Not After : (.*)[\n]/; + $cavalid = $1; + if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]="net-2-net";} + if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'host' ){$confighash{$key}[32]="dynamic";} + print "$confighash{$key}[32]"; + print "$confighash{$key}[25]"; + + my $active = "
$Lang::tr{'capsclosed'}
"; + + if ($confighash{$key}[0] eq 'off') { + $active = "
$Lang::tr{'capsclosed'}
"; + } else { + +### +# m.a.d net2net +### + + if ($confighash{$key}[3] eq 'net') { + + if (-e "/var/run/$confighash{$key}[1]n2n.pid") { + my @output = ""; + my @tustate = ""; + my $tport = $confighash{$key}[22]; + my $tnet = new Net::Telnet ( Timeout=>5, Errmode=>'return', Port=>$tport); + if ($tport ne '') { + $tnet->open('127.0.0.1'); + @output = $tnet->cmd(String => 'state', Prompt => '/(END.*\n|ERROR:.*\n)/'); + @tustate = split(/\,/, $output[1]); +### +#CONNECTING -- OpenVPN's initial state. +#WAIT -- (Client only) Waiting for initial response from server. +#AUTH -- (Client only) Authenticating with server. +#GET_CONFIG -- (Client only) Downloading configuration options from server. +#ASSIGN_IP -- Assigning IP address to virtual network interface. +#ADD_ROUTES -- Adding routes to system. +#CONNECTED -- Initialization Sequence Completed. +#RECONNECTING -- A restart has occurred. +#EXITING -- A graceful exit is in progress. +#### + + if ( $tustate[1] eq 'CONNECTED') { + $active = "
$Lang::tr{'capsopen'}
"; + } else { + $active = "
$tustate[1]
"; + } + } + } + } else { + + my $cn; + my @match = (); + foreach my $line (@status) { + chomp($line); + if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { + @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); + if ($match[1] ne "Common Name") { + $cn = $match[1]; + } + $cn =~ s/[_]/ /g; + if ($cn eq "$confighash{$key}[2]") { + $active = "
$Lang::tr{'capsopen'}
"; + } + } + + } } -if (&Ovpnfunc::haveOrangeNet()) { - print "$Lang::tr{'ovpn on orange'}"; - print ""; -} -print <$Lang::tr{'local vpn hostname/ip'}: - - $Lang::tr{'ovpn subnet'} -
-$Lang::tr{'ovpn device'} - -$Lang::tr{'protocol'} - - $Lang::tr{'destination port'}: - -$Lang::tr{'MTU'}  - -$Lang::tr{'comp-lzo'} - - $Lang::tr{'cipher'} - +} + + + my $disable_clientdl = "disabled='disabled'"; + if (( $cgiparams{'ENABLED'} eq 'on') || + ( $cgiparams{'ENABLED_BLUE'} eq 'on') || + ( $cgiparams{'ENABLED_ORANGE'} eq 'on')){ + $disable_clientdl = ""; + } + print <$active + +
+ + + +
END -; - -if ( $srunning eq "yes" ) { - print ""; - print ""; - print ""; - print ""; -} else{ - print ""; - print ""; - if (( -e "${General::swroot}/ovpn/ca/cacert.pem" && - -e "${General::swroot}/ovpn/ca/dh1024.pem" && - -e "${General::swroot}/ovpn/certs/servercert.pem" && - -e "${General::swroot}/ovpn/certs/serverkey.pem") && - (( $cgiparams{'ENABLED'} eq 'on') || - ( $cgiparams{'ENABLED_BLUE'} eq 'on') || - ( $cgiparams{'ENABLED_ORANGE'} eq 'on'))){ - print ""; - print ""; - } else { - print ""; - print ""; - } + ; + if ($confighash{$key}[4] eq 'cert') { + print < + + + + +END + ; } else { + print " "; + } + if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { + print < + + + + +END + ; } elsif ($confighash{$key}[4] eq 'cert') { + print < + + + + +END + ; } else { + print " "; + } + print < + + + + + +
+ + + +
+
+ + + +
+ +END + ; + $id++; + } + ; + + # If the config file contains entries, print Key to action icons + if ( $id ) { + print < + +   $Lang::tr{'legend'}: +   $Lang::tr{ + $Lang::tr{'click to disable'} +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'edit'} +     $Lang::tr{ + $Lang::tr{'remove'} + + +   +   ?OFF + $Lang::tr{'click to enable'} + ?FLOPPY + $Lang::tr{'download certificate'} + ?RELOAD + $Lang::tr{'dl client arch'} + +
+END + ; + } + + print < +
+ + +
+ +END + ; + &Header::closebox(); } -print ""; -&Header::closebox(); -#RWSERVER -&Ovpnfunc::rwclientstatus($activeonrun); -&Ovpnfunc::net2netstatus($activeonrun); &Header::closepage(); + + +