X-Git-Url: http://git.ipfire.org/?p=people%2Fteissler%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fovpnmain.cgi;h=c315e9e5eb04f5eae1c48bce25328e78c831f2ec;hp=7eccf988ee4b4165df18ea15d8ff5dba7e847e15;hb=4d81e0f3812fc272b2515a631a2e98c4ae76a42b;hpb=ac14b325e03276f9e17e334b03a3d3129903bac7
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 7eccf988e..c315e9e5e 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -69,6 +69,7 @@ my $confighost="${General::swroot}/fwhosts/customhosts";
 my $configgrp="${General::swroot}/fwhosts/customgroups";
 my $customnet="${General::swroot}/fwhosts/customnetworks";
 my $name;
+my $col="";
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 $cgiparams{'ENABLED'} = 'off';
 $cgiparams{'ENABLED_BLUE'} = 'off';
@@ -221,50 +222,6 @@ sub checkportinc } } -# Darren Critchley - certain ports are reserved for IPFire -# TCP 67,68,81,222,445 -# UDP 67,68 -# Params passed in -> port, rangeyn, protocol -sub disallowreserved -{ - # port 67 and 68 same for tcp and udp, don't bother putting in an array - my $msg = ""; - my @tcp_reserved = (81,222,445); - my $prt = $_[0]; # the port or range - my $ryn = $_[1]; # tells us whether or not it is a port range - my $prot = $_[2]; # protocol - my $srcdst = $_[3]; # source or destination - if ($ryn) { # disect port range - if ($srcdst eq "src") { - $msg = "$Lang::tr{'rsvd src port overlap'}"; - } else { - $msg = "$Lang::tr{'rsvd dst port overlap'}"; - } - my @tmprng = split(/\:/,$prt); - unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; } - unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; } - } - } - } else { - if ($srcdst eq "src") { - $msg = "$Lang::tr{'reserved src port'}"; - } else { - $msg = "$Lang::tr{'reserved dst port'}"; - } - if ($prt == 67) { $errormessage="$msg 67"; return; } - if ($prt == 68) { $errormessage="$msg 68"; return; } - if ($prot eq "tcp") { - foreach my $prange (@tcp_reserved) { - if ($prange == $prt) { $errormessage="$msg $prange"; return; } - } - } - } - return; -} - sub writeserverconf { my %sovpnsettings = (); my @temp = (); @@ -380,7 +337,7 @@ sub writeserverconf { if ($sovpnsettings{DHCP_WINS} ne '') { print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n"; } - print CONF "tls-verify /var/ipfire/ovpn/verify\n"; + print CONF "tls-verify /usr/lib/openvpn/verify\n"; print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n"; print CONF "user nobody\n"; print CONF "group nobody\n"; 
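Review bot: The `tls-verify` line in writeserverconf now points at `/usr/lib/openvpn/verify` instead of `/var/ipfire/ovpn/verify`, and OpenVPN runs that hook for every client certificate it is offered, so the packaging change that installs the script at its new location has to ship in the same update; if the file is missing or not executable the hook presumably fails and every client is refused (fail-closed, but a complete outage rather than a fallback). A why-comment would make the dependency visible to the next maintainer: `# tls-verify hook is shipped by the openvpn package (moved out of /var/ipfire/ovpn)`. writeserverconf starts and ends outside this hunk.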
@@ -552,7 +509,7 @@ sub getccdadresses my @iprange=(); my %ccdhash=(); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); - $iprange[0]=$ip1.".".$ip2.".".$ip3.".".2; + $iprange[0]=$ip1.".".$ip2.".".$ip3.".".($ip4+2); for (my $i=1;$i<=$count;$i++) { my $tmpip=$iprange[$i-1]; my $stepper=$i*4; @@ -1092,16 +1049,11 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg goto SETTINGS_ERROR; } } - if ($cgiparams{'ENABLED'} eq 'on'){ - &disallowreserved($cgiparams{'DDEST_PORT'},0,$cgiparams{'DPROTOCOL'},"dest"); - } if ($errormessage) { goto SETTINGS_ERROR; } - - + if ($cgiparams{'ENABLED'} eq 'on'){ &checkportfw($cgiparams{'DDEST_PORT'},$cgiparams{'DPROTOCOL'}); } - if ($errormessage) { goto SETTINGS_ERROR; } if (! &General::validipandmask($cgiparams{'DOVPN_SUBNET'})) { @@ -1162,6 +1114,12 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $errormessage = $Lang::tr{'invalid port'}; goto SETTINGS_ERROR; } + + if ($cgiparams{'DDEST_PORT'} <= 1023) { + $errormessage = $Lang::tr{'ovpn port in root range'}; + goto SETTINGS_ERROR; + } + $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'}; @@ -2201,7 +2159,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } else { $errormessage = $Lang::tr{'invalid key'}; } - + &General::firewall_reload(); ### ### Download PKCS12 file @@ -2324,7 +2282,7 @@ ADV_ERROR: &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); print < - +
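Review bot: In the `@@ -1092` hunk the `if ($errormessage) { goto SETTINGS_ERROR; }` that followed `&checkportfw(...)` is deleted, and the surviving `$errormessage` test now sits before the `ENABLED` block, so whatever checkportfw reports no longer stops the save unless another `$errormessage` test exists later in the handler outside this hunk. If checkportfw signals a conflict with an existing port-forward rule by setting `$errormessage` (the way the removed disallowreserved did), the OpenVPN server port can now be saved on top of that rule and the conflict is only noticed once the firewall is reloaded. Restore the test right after the call: `if ($errormessage) { goto SETTINGS_ERROR; }`. The enclosing save handler begins and ends outside the hunk.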
@@ -2392,12 +2350,12 @@ print < - + - + @@ -2527,10 +2485,10 @@ if ($cgiparams{'ACTION'} eq "edit"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'}); print < +
$Lang::tr{'dhcp-options'}
fragment
Default: 1300$Lang::tr{'openvpn default'}: 1300
mssfix Default: on$Lang::tr{'openvpn default'}: on
- + @@ -2571,7 +2529,7 @@ END } print < +
$Lang::tr{'ccd name'}:$Lang::tr{'ccd subnet'}:
$Lang::tr{'ccd subnet'}:

END @@ -2590,7 +2548,7 @@ END print" + END ; } @@ -2625,15 +2583,15 @@ END # # protocol temp removed print < +
$Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'}
$ccdconf[0]$ccdconf[1]$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1).""; print < - + @@ -2599,7 +2557,7 @@ print < -
$Lang::tr{'protocol'}
- - - - - - - + + + + + + + END ; @@ -2684,22 +2642,23 @@ END } my $user2 = @users; if ($user2 >= 1){ - for (my $idx = 1; $idx <= $user2; $idx++){ + for (my $idx = 1; $idx <= $user2; $idx++){ if ($idx % 2) { - print "\n"; - } else { - print "\n"; + print ""; + $col="bgcolor='$color{'color22'}'"; + } else { + print ""; + $col="bgcolor='$color{'color20'}'"; } - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; - print ""; -# print ""; - } - } + print ""; + print ""; + print ""; + print ""; + print ""; + print ""; + print ""; + } + } print "
$Lang::tr{'common name'}$Lang::tr{'real address'}$Lang::tr{'virtual address'}$Lang::tr{'loged in at'}$Lang::tr{'bytes sent'}$Lang::tr{'bytes received'}$Lang::tr{'last activity'}$Lang::tr{'common name'}$Lang::tr{'real address'}$Lang::tr{'virtual address'}$Lang::tr{'loged in at'}$Lang::tr{'bytes sent'}$Lang::tr{'bytes received'}$Lang::tr{'last activity'}
$users[$idx-1]{'CommonName'}$users[$idx-1]{'RealAddress'}$users[$idx-1]{'VirtualAddress'}$users[$idx-1]{'Since'}$users[$idx-1]{'BytesSent'}$users[$idx-1]{'BytesReceived'}$users[$idx-1]{'LastRef'}$users[$idx-1]{'Proto'}$users[$idx-1]{'CommonName'}$users[$idx-1]{'RealAddress'}$users[$idx-1]{'VirtualAddress'}$users[$idx-1]{'Since'}$users[$idx-1]{'BytesSent'}$users[$idx-1]{'BytesReceived'}$users[$idx-1]{'LastRef'}
"; print <$Lang::tr{'net to net vpn'} (Upload Client Package)    Import Connection Name -  Default : Client Packagename +  $Lang::tr{'openvpn default'}: Client Packagename
* $Lang::tr{'this field may be blank'} @@ -3532,12 +3491,31 @@ if ($cgiparams{'TYPE'} eq 'net') { unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; - } + } + + if ($cgiparams{'DEST_PORT'} <= 1023) { + $errormessage = $Lang::tr{'ovpn port in root range'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } - if ($cgiparams{'OVPN_MGMT'} eq '') { - $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'}; + if ($cgiparams{'OVPN_MGMT'} eq '') { + $cgiparams{'OVPN_MGMT'} = $cgiparams{'DEST_PORT'}; } - + + if ($cgiparams{'OVPN_MGMT'} <= 1023) { + $errormessage = $Lang::tr{'ovpn mgmt in root range'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; + goto VPNCONF_ERROR; + } + #Check if remote subnet is used elsewhere + my ($n2nip,$n2nsub)=split("/",$cgiparams{'REMOTE_SUBNET'}); + $warnmessage=&General::checksubnets('',$n2nip,'ovpn'); + if ($warnmessage){ + $warnmessage=$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'})
".$warnmessage; + } } # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)$/)) { @@ -3945,7 +3923,6 @@ if ($cgiparams{'TYPE'} eq 'net') { if ( -e "${General::swroot}/ovpn/ccd/$confighash{$key}[2]"){ unlink "${General::swroot}/ovpn/ccd/$cgiparams{'CERT_NAME'}"; } - $confighash{$key}[2] =~ s/ /_/gi; open ( CCDRWCONF,'>',"${General::swroot}/ovpn/ccd/$confighash{$key}[2]") or die "Unable to create clientconfigfile $!"; print CCDRWCONF "# OpenVPN clientconfig from ccd extension by Copymaster#\n\n"; if($cgiparams{'CHECK1'} eq 'dynamic'){ @@ -4350,7 +4327,7 @@ if ($cgiparams{'TYPE'} eq 'host') {   $Lang::tr{'pkcs12 file password'}: -  $Lang::tr{'pkcs12 file password'}:
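Review bot: `$cgiparams{'REMOTE_SUBNET'}` is concatenated into `$warnmessage` as raw HTML, and the warning box added in the `@@ -4574` hunk emits that string with `print "$warnmessage<br>"` without escaping; unless REMOTE_SUBNET has already been rejected by an address/mask validator earlier in this handler (not visible in the hunk), a submitted value containing markup is reflected into the page. Prefer interpolating the split parts `$n2nip`/`$n2nsub` after they have been validated, or escape the value before building the message. The unlink/rmdir/`goto VPNCONF_ERROR` cleanup is now copied three times in this block; a small helper such as `sub _n2n_abort { my ($msg) = @_; ... }` that sets `$errormessage`, removes the file and directory, and returns would reduce each check to two lines. Also `$n2nsub` from the split is never read, and `$cgiparams{'OVPN_MGMT'} <= 1023` compares a value numerically that the hunk never shows being validated as a number: a non-numeric string numifies to 0 and is rejected with the "root range" text, which is safe but misleading.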
($Lang::tr{'confirmation'}) +  $Lang::tr{'pkcs12 file password'}:
($Lang::tr{'confirmation'})  
@@ -4534,7 +4511,7 @@ END #default setzen if ($cgiparams{'DCIPHER'} eq '') { - $cgiparams{'DCIPHER'} = 'BF-CBC'; + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; } if ($cgiparams{'DDEST_PORT'} eq '') { $cgiparams{'DDEST_PORT'} = '1194'; @@ -4574,6 +4551,9 @@ END $selected{'DCIPHER'}{'AES-128-CBC'} = ''; $selected{'DCIPHER'}{'AES-192-CBC'} = ''; $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; @@ -4594,6 +4574,16 @@ END &Header::closebox(); } + if ($warnmessage) { + &Header::openbox('100%', 'LEFT', $Lang::tr{'warning messages'}); + print "$warnmessage
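Review bot: The new `'AES-256-CBC'` default is applied only when `$cgiparams{'DCIPHER'}` is empty, so if DCIPHER is populated from the stored settings before this point an existing server keeps `BF-CBC` (a 64-bit block cipher) until an administrator re-saves the form; if the intent is to move installed systems off Blowfish as well, that needs a migration of the stored value, not just this default. A comment above the assignment would prevent the next reader from assuming otherwise: `# Applies to fresh configurations only; previously saved DCIPHER values are kept as-is.` The three added CAMELLIA entries only initialise `%selected`; the matching form options are not visible in this hunk, so please confirm they were added alongside.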
"; + print "$Lang::tr{'fwdfw warn1'}
"; + &Header::closebox(); + print"
"; + &Header::closepage(); + exit 0; + } + my $sactive = "
$Lang::tr{'stopped'}
"; my $srunning = "no"; my $activeonrun = ""; @@ -4606,7 +4596,7 @@ END } &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); print < + @@ -4638,23 +4628,28 @@ END - + - - + + END ; @@ -4681,45 +4676,46 @@ END } print "
   $Lang::tr{'destination port'}:
$Lang::tr{'MTU'} 
$Lang::tr{'comp-lzo'} $Lang::tr{'cipher'}



"; &Header::closebox(); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}:"); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}"); print < + - - - + + + EOF ; + my $col1="bgcolor='$color{'color22'}'"; + my $col2="bgcolor='$color{'color20'}'"; if (-f "${General::swroot}/ovpn/ca/cacert.pem") { my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; $casubject =~ /Subject: (.*)[\n]/; $casubject = $1; $casubject =~ s+/Email+, E+; $casubject =~ s/ ST=/ S=/; - print < - - - + + + - - + END ; } else { # display rootcert generation buttons print < - - - + + + + END ; } @@ -4732,27 +4728,27 @@ END $hostsubject =~ s/ ST=/ S=/; print < - - - + + + - - + END ; } else { # Nothing print < - - - + + + + END ; } @@ -4815,7 +4811,7 @@ print <
$Lang::tr{'name'}$Lang::tr{'subject'}$Lang::tr{'action'}$Lang::tr{'name'}$Lang::tr{'subject'}$Lang::tr{'action'}
$Lang::tr{'root certificate'}$casubject
+
$Lang::tr{'root certificate'}$casubject
+  
 
$Lang::tr{'root certificate'}:$Lang::tr{'not present'} 
$Lang::tr{'root certificate'}:$Lang::tr{'not present'} 
$Lang::tr{'host certificate'}$hostsubject
+
$Lang::tr{'host certificate'}$hostsubject
- - + + +  
 
$Lang::tr{'host certificate'}:$Lang::tr{'not present'} 
$Lang::tr{'host certificate'}:$Lang::tr{'not present'} 
- +
$Lang::tr{'ca name'}:


END @@ -4839,28 +4835,31 @@ END print < + - - - - - - + + + + + + END ; - my $id = 0; - my $gif; - foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { + my $id = 0; + my $gif; + my $col1=""; + foreach my $key (sort { ncmp ($confighash{$a}[1],$confighash{$b}[1]) } keys %confighash) { if ($confighash{$key}[0] eq 'on') { $gif = 'on.gif'; } else { $gif = 'off.gif'; } if ($id % 2) { - print "\n"; + print ""; + $col="bgcolor='$color{'color20'}'"; } else { - print "\n"; + print ""; + $col="bgcolor='$color{'color22'}'"; } - print ""; - print ""; + print ""; + print ""; #if ($confighash{$key}[4] eq 'cert') { #print ""; #} else { @@ -4871,19 +4870,20 @@ END $cavalid = $1; if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'net' ){$confighash{$key}[32]="net-2-net";} if ($confighash{$key}[32] eq "" && $confighash{$key}[3] eq 'host' ){$confighash{$key}[32]="dynamic";} - print ""; - print ""; - - my $active = "
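Review bot: `my $col1="";` before the foreach redeclares a name that the `@@ -4681` hunk already introduces as `my $col1="bgcolor='$color{'color22'}'";` earlier in what appears to be the same enclosing scope; if so, `use warnings` reports `"my" variable $col1 masks earlier declaration in same scope`, and one of the two declarations should go. Either reuse the existing variable without a second `my`, or declare each `$col1` inside the block that uses it. The per-row colour in this loop is also stored in the file-level `$col` that the `@@ -2684` hunk assigns from a different table; a lexical `my $col;` inside the foreach keeps the two tables from sharing state, and `$col2` from the `@@ -4681` hunk is not read anywhere visible here, so please confirm it is used in the stripped markup.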
$Lang::tr{'name'}$Lang::tr{'type'}$Lang::tr{'network'}$Lang::tr{'remark'}$Lang::tr{'status'}$Lang::tr{'action'}$Lang::tr{'name'}$Lang::tr{'type'}$Lang::tr{'network'}$Lang::tr{'remark'}$Lang::tr{'status'}$Lang::tr{'action'}
$confighash{$key}[1]" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")$confighash{$key}[1]" . $Lang::tr{"$confighash{$key}[3]"} . " (" . $Lang::tr{"$confighash{$key}[4]"} . ")$confighash{$key}[2]$confighash{$key}[32]$confighash{$key}[25]
$Lang::tr{'capsclosed'}
"; + print "$confighash{$key}[32]"; + print "$confighash{$key}[25]"; + $col1="bgcolor='${Header::colourred}'"; + my $active = "$Lang::tr{'capsclosed'}"; if ($confighash{$key}[0] eq 'off') { - $active = "
$Lang::tr{'capsclosed'}
"; + $col1="bgcolor='${Header::colourblue}'"; + $active = "$Lang::tr{'capsclosed'}"; } else { ### # m.a.d net2net -### - +### + if ($confighash{$key}[3] eq 'net') { if (-e "/var/run/$confighash{$key}[1]n2n.pid") { @@ -4907,39 +4907,41 @@ END #EXITING -- A graceful exit is in progress. #### - if ( $tustate[1] eq 'CONNECTED') { - $active = "
$Lang::tr{'capsopen'}
"; - } else { - $active = "
$tustate[1]
"; + if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) { + $col1="bgcolor='${Header::colourgreen}'"; + $active = "$Lang::tr{'capsopen'}"; + }else { + $col1="bgcolor='${Header::colourred}'"; + $active = "$tustate[1]"; + } } - } } - } else { - - my $cn; - my @match = (); - foreach my $line (@status) { - chomp($line); - if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { - @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); - if ($match[1] ne "Common Name") { - $cn = $match[1]; - } - $cn =~ s/[_]/ /g; - if ($cn eq "$confighash{$key}[2]") { - $active = "
$Lang::tr{'capsopen'}
"; - } - } - + }else { + + my $cn; + my @match = (); + foreach my $line (@status) { + chomp($line); + if ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { + @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); + if ($match[1] ne "Common Name") { + $cn = $match[1]; + } + $cn =~ s/[_]/ /g; + if ($cn eq "$confighash{$key}[2]") { + $col1="bgcolor='${Header::colourgreen}'"; + $active = "$Lang::tr{'capsopen'}"; + } + } + } } } -} print <$active + $active -
+ @@ -4948,7 +4950,7 @@ END ; if ($confighash{$key}[4] eq 'cert') { print < + @@ -4959,7 +4961,7 @@ END } if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { print < + @@ -4967,7 +4969,7 @@ END END ; } elsif ($confighash{$key}[4] eq 'cert') { print < + @@ -4977,18 +4979,18 @@ END print " "; } print < + -
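Review bot: Folding `WAIT` into the `CONNECTED` branch in the net-to-net status check colours the row green and labels it `capsopen` while the tunnel is still waiting for the peer's first handshake response, so a peer that is down or unreachable and leaves the client cycling through WAIT is reported as up; only CONNECTED means the tunnel is passing traffic. If the goal is to distinguish "daemon running, peer not answering" from "stopped", give WAIT its own branch, e.g. `} elsif ($tustate[1] eq 'WAIT') { $col1="bgcolor='${Header::colourblue}'"; $active = "$tustate[1]"; }`, and leave the green state for CONNECTED alone. The state-name comments that precede this hunk are the right place to document which states count as "up". The enclosing foreach over `%confighash` starts in the `@@ -4839` hunk and ends outside this one.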
+
-
+ @@ -5024,7 +5026,7 @@ END ?RELOAD $Lang::tr{'dl client arch'} -
+
END ; }