diff -Nur rootfs-1.21/etc/inc/config.inc rootfs-1.21-ovpn1/etc/inc/config.inc --- rootfs-1.21/etc/inc/config.inc 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/inc/config.inc 2006-01-14 11:48:36.000000000 +0100 @@ -521,36 +521,9 @@ /* convert 1.5 -> 1.6 */ if ($config['version'] == "1.5") { - - /* Remove OpenVPN configuration */ - unset($config['ovpn']); - - /* Remove OpenVPN interfaces */ - for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { - if (isset($config['interfaces']['opt' . $i]['ovpn'])) { - - unset($config['interfaces']['opt' . $i]); - - /* shift down other OPTn interfaces to get rid of holes */ - $j = $i + 1; - - /* look at the following OPTn ports */ - while (is_array($config['interfaces']['opt' . $j])) { - $config['interfaces']['opt' . ($j - 1)] = - $config['interfaces']['opt' . $j]; - - if ($config['interfaces']['opt' . ($j - 1)]['descr'] == "OPT" . $j) - $config['interfaces']['opt' . ($j - 1)]['descr'] = "OPT" . ($j - 1); - - unset($config['interfaces']['opt' . $j]); - $j++; - } - } - } - $config['version'] = "1.6"; } - + write_config(); if ($g['booting']) diff -Nur rootfs-1.21/etc/inc/filter.inc rootfs-1.21-ovpn1/etc/inc/filter.inc --- rootfs-1.21/etc/inc/filter.inc 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/inc/filter.inc 2006-01-14 11:48:36.000000000 +0100 @@ -300,6 +300,7 @@ if (isset($oc['enable']) && $oc['if']) { $oic = array(); $oic['if'] = $oc['if']; + $oic['ovpn'] = $oc['ovpn']; if ($oc['bridge']) { if (!strstr($oc['bridge'], "opt") || @@ -412,6 +413,11 @@ EOD; foreach ($optcfg as $oc) { + if (isset($oc['ovpn'])) { + /* exclude OpenVPN tunneling interfaces */ + /* $ovpnclient = true; */ + continue; + } if (!$oc['bridge']) $ipfrules .= "block in $log quick on $wanif from {$oc['sa']}/{$oc['sn']} to any\n"; } @@ -456,8 +462,11 @@ /* OPT spoof check */ foreach ($optcfg as $on => $oc) { + /* omit for openvpn interfaces */ /* omit for bridged interfaces when the filtering bridge is on */ - if ($oc['ip'] && (!$oc['bridge'] || !isset($config['bridge']['filteringbridge']))) + if (!isset($oc['ovpn']) && + $oc['ip'] && + (!$oc['bridge'] || !isset($config['bridge']['filteringbridge'])) && $oc['sa'] != "0.0.0.0") $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log); } diff -Nur rootfs-1.21/etc/inc/functions.inc rootfs-1.21-ovpn1/etc/inc/functions.inc --- rootfs-1.21/etc/inc/functions.inc 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/inc/functions.inc 2006-01-14 11:48:36.000000000 +0100 @@ -37,6 +37,7 @@ require_once("filter.inc"); require_once("shaper.inc"); require_once("vpn.inc"); +require_once("openvpn.inc"); require_once("captiveportal.inc"); require_once("util.inc"); diff -Nur rootfs-1.21/etc/inc/interfaces.inc rootfs-1.21-ovpn1/etc/inc/interfaces.inc --- rootfs-1.21/etc/inc/interfaces.inc 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/inc/interfaces.inc 2006-01-14 11:48:36.000000000 +0100 @@ -216,6 +216,12 @@ echo "Configuring OPT{$opti}{$optdescr} interface... "; } + /* OpenVPN configuration? */ + if (isset($optcfg['ovpn'])) { + if (strstr($optcfg['if'], "tap")) + ovpn_link_tap(); + } + if (isset($optcfg['enable'])) { /* wireless configuration? */ if (is_array($optcfg['wireless'])) @@ -235,7 +241,7 @@ $cmd .= " mediaopt " . escapeshellarg($optcfg['mediaopt']); mwexec($cmd); } - + $addflags = ""; if (strpos($optcfg['if'], "fxp") !== false) $addflags .= " link0"; @@ -251,7 +257,7 @@ $bridgeconfig .= $optcfg['if'] . ":" . $opti . "," . $config['interfaces'][$optcfg['bridge']]['if'] . ":" . $opti; - } else { + } else if (!$optcfg['ovpn']) { mwexec("/sbin/ifconfig " . escapeshellarg($optcfg['if']) . " " . escapeshellarg($optcfg['ipaddr'] . "/" . $optcfg['subnet']) . $addflags); } diff -Nur rootfs-1.21/etc/inc/openvpn.inc rootfs-1.21-ovpn1/etc/inc/openvpn.inc --- rootfs-1.21/etc/inc/openvpn.inc 1970-01-01 01:00:00.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/inc/openvpn.inc 2006-01-14 11:48:36.000000000 +0100 @@ -0,0 +1,1486 @@ + $server) { + /* get tunnel interface */ + $tun = $server['tun_iface']; + + if (isset($server['enable'])) { + + if ($g['booting']) { + echo "Starting OpenVPN server $id... "; + + /* define configuration options */ + ovpn_srv_config_generate($id); + + /* Start the openvpn daemon */ + mwexec("/usr/local/sbin/openvpn {$g['varetc_path']}/ovpn_srv_{$tun}.conf"); + + /* Send the boot message */ + echo "done\n"; + + /* next server */ + continue; + } + + /* send SIGUSR1 to running openvpn daemon */ + if ( $reconfigure == "true" && isset($server['dynip'])) { + sigkillbypid($g['varrun_path']."/ovpn_srv_{$tun}.pid", "SIGUSR1"); + continue; + } + + /* read dirtyfile */ + if (is_readable($d_ovpnsrvdirty_path)) + $lines = file($d_ovpnsrvdirty_path); + + /* reconfigure server */ + if (is_array($lines) && in_array($tun . "\n", $lines)) { + + /* kill running server */ + ovpn_server_kill($tun); + + /* remove old certs & keys */ + ovpn_server_certs_del($tun); + + /* define configuration options */ + ovpn_srv_config_generate($id); + } + + /* Start the openvpn daemon */ + if (!is_readable("{$g['varrun_path']}/ovpn_srv_{$tun}.pid")) + mwexec("/usr/local/sbin/openvpn {$g['varetc_path']}/ovpn_srv_{$tun}.conf"); + + /* next server */ + continue; + } + + /* server disabled */ + if (!$g['booting']) { + /* kill running server */ + ovpn_server_kill($tun); + + /* Remove old certs & keys */ + ovpn_server_certs_del($tun); + + /* stop any processes, unload the tap module */ + //if ($server['type'] == "tap") + // ovpn_unlink_tap(); + } + } + return 0; +} + +/* Kill off a running server process */ +function ovpn_server_certs_del($tun) { + global $g; + + /* Remove old certs & keys */ + unlink_if_exists("{$g['vardb_path']}/ovpn_ca_cert_{$tun}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_srv_cert_{$tun}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_srv_key_{$tun}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_dh_{$tun}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_srv_psk_{$tun}.pem"); + unlink_if_exists("{$g['varetc_path']}/ovpn_srv_up_{$tun}.sh"); + unlink_if_exists("{$g['varetc_path']}/ovpn_srv_{$tun}.conf"); + + return 0; +} + +/* Kill off a running server process */ +function ovpn_server_kill($tun) { + global $g; + + /* kill running server */ + killbypid("{$g['varrun_path']}/ovpn_srv_{$tun}.pid"); +} + +/* Generate the config for a OpenVPN server */ +function ovpn_srv_config_generate($id) { + global $config, $g; + $server = $config['ovpn']['server']['tunnel'][$id]; + + /* get tunnel interface */ + $tun = $server['tun_iface']; + + /* get optional interface name */ + $iface = ovpn_get_opt_interface($tun); + + /* Copy the TLS-Server certs & keys to disk */ + if ($server['authentication_method'] != "pre_shared_key" ) { + + $fd = fopen("{$g['vardb_path']}/ovpn_ca_cert_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($server['ca_cert'])."\n"); + fclose($fd); + } + + $fd = fopen("{$g['vardb_path']}/ovpn_srv_cert_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($server['srv_cert'])."\n"); + fclose($fd); + } + + touch ("{$g['vardb_path']}/ovpn_srv_key_{$tun}.pem"); + chmod ("{$g['vardb_path']}/ovpn_srv_key_{$tun}.pem", 0600); + $fd = fopen("{$g['vardb_path']}/ovpn_srv_key_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($server['srv_key'])."\n"); + fclose($fd); + } + + $fd = fopen("{$g['vardb_path']}/ovpn_dh_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($server['dh_param'])."\n"); + fclose($fd); + } + } + + if ($server['authentication_method'] == "pre_shared_key" || isset($server['tlsauth'])) { + touch ("{$g['vardb_path']}/ovpn_srv_psk_{$tun}.pem"); + chmod ("{$g['vardb_path']}/ovpn_srv_psk_{$tun}.pem", 0600); + $fd = fopen("{$g['vardb_path']}/ovpn_srv_psk_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($server['pre-shared-key'])."\n"); + fclose($fd); + } + } + + $fd = fopen("{$g['varetc_path']}/ovpn_srv_{$tun}.conf", "w"); + if (!$fd) { + printf("Error: cannot open ovpn_srv_{$tun}.conf in ovpn_srv_config_generate($id).\n"); + return 1; + } + + /* First the generic stuff: + - We are a server + - We will run without privilege + */ + $ovpn_config = ""; + $ovpn_config .= << $server) { + if (isset($server['enable'])) { + + /* get tunnel interface */ + $tun = $server['tun_iface']; + + $i = 1; + while (true) { + $ifname = 'opt' . $i; + if (is_array($config['interfaces'][$ifname])) { + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['ovpn'] == "server_{$tun}")) + /* Already an interface defined - overwrite */ + break; + } else { + + /* No existing entry, this is first unused */ + $config['interfaces'][$ifname] = array(); + + /* add new filter rules */ + $filter_configure = true; + break; + } + $i++; + } + $config['interfaces'][$ifname]['descr'] = strtoupper($server['tun_iface']); + $config['interfaces'][$ifname]['if'] = $server['tun_iface']; + if ($server['method'] == "ovpn") + $config['interfaces'][$ifname]['ipaddr'] = long2ip( ip2long($server['ipblock']) + 1); + else + $config['interfaces'][$ifname]['ipaddr'] = $server['ipblock']; + if (isset($server['bridge'])) { + $config['interfaces'][$ifname]['bridge'] = $server['bridge']; + $bridge_configure = true; + } else if (isset($config['interfaces'][$ifname]['bridge'])) { + /* bridge config removed */ + unset ($config['interfaces'][$ifname]['bridge']); + $bridge_configure = true; + } + $config['interfaces'][$ifname]['subnet'] = $server['prefix']; + $config['interfaces'][$ifname]['enable'] = isset($server['enable']) ? true : false; + $config['interfaces'][$ifname]['ovpn'] = "server_{$tun}"; + + write_config(); + } + } + + /* do we have to reconfigure filter rules? */ + if (isset($bridge_configure)) + interfaces_optional_configure(); + else if (isset($filter_configure)) + filter_configure(); + + return "OpenVPN server interface defined"; +} + +/* Delete a server interface definition */ +function ovpn_server_iface_del($tun) { + global $config; + + for ($i = 1; is_array($config['interfaces']['opt' . $i]); $i++) { + $ifname = 'opt' . $i; + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['if'] == "$tun")) { + unset($config['interfaces'][$ifname]); + break; + } + } + + /* shift down other OPTn interfaces to get rid of holes */ + $i++; + + /* look at the following OPTn ports */ + while (is_array($config['interfaces']['opt' . $i])) { + $config['interfaces']['opt' . ($i - 1)] = + $config['interfaces']['opt' . $i]; + + unset($config['interfaces']['opt' . $i]); + $i++; + } + + /* reconfigure filter rules */ + interfaces_optional_configure(); +} + +/* Add client config file */ +function ovpn_server_ccd_add() { + global $config, $g; + + if (is_array($config['ovpn']['server']['ccd'])) { + foreach ($config['ovpn']['server']['ccd'] as $id => $server) { + /* define configuration options */ + ovpn_server_ccd_generate($id); + } + } +} + + +/* Construct client config file */ +function ovpn_server_ccd_generate($id) { + global $config, $g; + $ovpnccd = $config['ovpn']['server']['ccd'][$id]; + + $cn = $ovpnccd['cn']; + $ccd_config = ""; + $push_options = ""; + + /* Push reset */ + if (!isset($ovpnccd['disable']) && isset($ovpnccd['psh_reset'])) { + $ccd_config .= "push-reset\n"; + + /* Client push - redirect gateway */ + if (isset($ovpnccd['psh_options']['redir'])) { + if (isset($ovpnccd['psh_options']['redir_loc'])) + $push_config .= "push \"redirect-gateway local\"\n"; + else + $push_config .= "push \"redirect-gateway\"\n"; + } + + /* Client push - route delay */ + if (isset($ovpnccd['psh_options']['rte_delay'])) + $push_config .= "push \"route-delay {$ovpnccd['psh_options']['rte_delay_int']}\"\n"; + + /* Client push - ping (note we set both server and client) */ + if (isset ($ovpnccd['psh_options']['ping'])){ + $ccd_config .= "ping {$server['psh_options']['ping_int']}\n "; + $push_config .= "push \"ping {$ovpnccd['psh_options']['ping_int']}\"\n"; + } + + /* Client push - ping-restart (note server uses 2 x client interval) */ + if (isset ($ovpnccd['psh_options']['pingrst'])){ + $interval = $ovpnccd['psh_options']['pingrst_int']; + $ccd_config .= "ping-restart " . ($interval * 2) . "\n"; + $push_config .= "push \"ping-restart $interval\"\n"; + } + + /* Client push - ping-exit (set on client) */ + if (isset ($ovpnccd['psh_options']['pingexit'])){ + $ccd_config .= "ping-exit {$ovpnccd['psh_options']['pingexit_int']}\n"; + $push_config .= "push \"ping-exit {$ovpnccd['psh_options']['pingexit_int']}\"\n"; + } + + /* Client push - inactive (set on client) */ + if (isset ($ovpnccd['psh_options']['inact'])){ + $ccd_config .= "inactive {$ovpnccd['psh_options']['inact_int']}\n"; + $push_config .= "push \"inactive {$ovpnccd['psh_options']['inact_int']}\"\n"; + } + + if (isset($push_config)) + $ccd_config .= $push_config; + } + + if (!isset($ovpnccd['disable']) && is_array($ovpnccd['options'])) { + foreach ($ovpnccd['options']['option'] as $option) { + $ccd_config .= "{$option}\n"; + } + } + + /* Disable client from connecting */ + if (isset($ovpnccd['disable'])) + $ccd_config = "disable\n"; + + unlink_if_exists("{$g['vardb_path']}/ccd/{$cn}"); + + if (isset($ccd_config) && isset($ovpnccd['enable'])) { + $fd = fopen("{$g['vardb_path']}/ccd/{$cn}", "w"); + if ($fd) { + fwrite($fd, $ccd_config."\n"); + fclose($fd); + } + } +} + +/* Delete client config file */ +function ovpn_server_ccd_del($cn) { + global $g; + + unlink_if_exists("{$g['vardb_path']}/ccd/{$cn}"); + return 0; +} + +/* Add CRL file */ +function ovpn_server_crl_add() { + global $config, $g, $d_ovpncrldirty_path; + + if (is_array($config['ovpn']['server']['crl'])) { + foreach ($config['ovpn']['server']['crl'] as $id => $crlent) { + /* get crl file name */ + $name = $crlent['crlname']; + + if (isset($crlent['enable'])) { + + /* add file */ + ovpn_server_crl_generate($id); + + if ($g['booting']) { + /* next crl file */ + continue; + } + + /* read dirtyfile */ + if (is_readable($d_ovpncrldirty_path)) + $lines = file($d_ovpncrldirty_path); + + /* reconfigure crl file */ + if (is_array($lines) && in_array($name . "\n", $lines)) { + + /* restart running openvpn daemon */ + foreach ($config['ovpn']['server']['tunnel'] as $id => $server) { + $tun = $server['tun_iface']; + + if ($server['enable'] && + isset($server['crlname']) && $server['crlname'] == $name) + /* kill running server */ + ovpn_server_kill($tun); + + /* Start the openvpn daemon */ + mwexec("/usr/local/sbin/openvpn {$g['varetc_path']}/ovpn_srv_{$tun}.conf"); + } + + } + + /* next crl file */ + continue; + } + + /* crl file disabled: remove file */ + ovpn_server_crl_del($name); + } + } + return 0; +} + +/* Write CRL to file */ +function ovpn_server_crl_generate($id) { + global $config, $g; + + $ovpncrl = $config['ovpn']['server']['crl'][$id]; + + $fd = fopen("{$g['vardb_path']}/{$ovpncrl['crlname']}.crl.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($ovpncrl['crl_list'])."\n"); + fclose($fd); + } +} + +/* Delete CRL file */ +function ovpn_server_crl_del($name) { + global $config, $g; + + /* have to wipe out the crl from the server config */ + foreach ($config['ovpn']['server']['tunnel'] as $id => $server) { + if (isset($server['crlname']) && $server['crlname'] == $name) { + + /* get tunnel interface */ + $tun = $server['tun_iface']; + + /* remove crl file entry */ + unset($config['ovpn']['server']['tunnel'][$id]['crlname']); + write_config(); + + /* kill running server */ + ovpn_server_kill($tun); + + /* remove old certs & keys */ + ovpn_server_certs_del($tun); + + /* reconfigure daemon */ + ovpn_srv_config_generate($id); + + /* Start the openvpn daemon */ + mwexec("/usr/local/sbin/openvpn {$g['varetc_path']}/ovpn_srv_{$tun}.conf"); + } + } + + unlink_if_exists("{$g['vardb_path']}/{$name}.crl.pem"); + return 0; +} + + +/* Get a list of crl files */ +function ovpn_get_crl_list() { + global $config; + + $crl_list = array(); + + if (is_array($config['ovpn']['server']['crl'])) { + foreach ($config['ovpn']['server']['crl'] as $crlent) { + if (isset($crlent['enable'])) + $crl_list[] = $crlent['crlname']; + } + } + return $crl_list; +} + +/* append interface to $_ovpnsrvdirty_path */ +function ovpn_srv_dirty($tun) { + global $d_ovpnsrvdirty_path; + + $fd = fopen($d_ovpnsrvdirty_path, 'a'); + if ($fd) { + fwrite($fd, $tun ."\n"); + fclose($fd); + } +} + +/* append file name to $_ovpncrldirty_path */ +function ovpn_crl_dirty($name) { + global $d_ovpncrldirty_path; + + $fd = fopen($d_ovpncrldirty_path, 'a'); + if ($fd) { + fwrite($fd, $name ."\n"); + fclose($fd); + } +} + + +/****************************/ +/* Client related functions */ +/****************************/ + +function ovpn_config_client() { + /* Boot time configuration */ + global $config, $g, $d_ovpnclidirty_path;; + + foreach ($config['ovpn']['client']['tunnel'] as $id => $client) { + + /* get tunnel interface */ + $tun = $client['if']; + + if (isset($client['enable'])) { + + if ($g['booting']) { + echo "Starting OpenVPN client $id... "; + + /* define configuration options */ + ovpn_cli_config_generate($id); + + /* Start openvpn for this client */ + mwexec("/usr/local/sbin/openvpn {$g['varetc_path']}/ovpn_cli_{$tun}.conf"); + + /* Send the boot message */ + echo "done\n"; + + /* next client */ + continue; + } + + /* read dirtyfile */ + if (is_readable($d_ovpnclidirty_path)) + $lines = file($d_ovpnclidirty_path); + + /* reconfigure client */ + if (is_array($lines) && in_array($tun . "\n", $lines)) { + + /* kill running client */ + ovpn_client_kill($tun); + + /* remove old certs & keys */ + ovpn_client_certs_del($tun); + + /* define configuration options */ + ovpn_cli_config_generate($id); + } + + /* Start the openvpn daemon */ + if (!is_readable("{$g['varrun_path']}/ovpn_cli_{$tun}.pid")) + mwexec("/usr/local/sbin/openvpn {$g['varetc_path']}/ovpn_cli_{$tun}.conf"); + + /* next client */ + continue; + } + + /* client disabled */ + if (!$g['booting']) { + /* kill running client */ + ovpn_client_kill($tun); + + /* remove old certs & keys */ + ovpn_client_certs_del($tun); + + /* stop any processes, unload the tap module */ + //if ($client['type'] == "tap") + // ovpn_unlink_tap(); + } + } + return 0; +} + +/* Kill off a running client process */ +function ovpn_client_certs_del($tun) { + global $g; + + /* Remove old certs & keys */ + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_ca_cert_{$tun}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_cert_{$tun}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_key_{$tun}.pem"); + unlink_if_exists("{$g['vardb_path']}/ovpn_cli_psk_{$tun}.pem"); + unlink_if_exists("{$g['varetc_path']}/ovpn_cli_up_{$tun}.pem"); + unlink_if_exists("{$g['varetc_path']}/ovpn_cli_{$tun}.conf"); + + return 0; +} + +/* Kill off a running client process */ +function ovpn_client_kill($tun) { + global $g; + + /* kill running client */ + killbypid("{$g['varrun_path']}/ovpn_cli_{$tun}.pid"); +} + +/* Generate the config for a OpenVPN client */ +function ovpn_cli_config_generate($id) { + /* configure the named client */ + global $config, $g; + $client = $config['ovpn']['client']['tunnel'][$id]; + + /* get tunnel interface */ + $tun = $client['if']; + + /* get optional interface name */ + $iface = ovpn_get_opt_interface($tun); + + /* Copy the TLS-Client certs & keys to disk */ + if ($client['authentication_method'] != "pre_shared_key" ) { + + $fd = fopen("{$g['vardb_path']}/ovpn_cli_ca_cert_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['ca_cert'])."\n"); + fclose($fd); + } + + $fd = fopen("{$g['vardb_path']}/ovpn_cli_cert_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['cli_cert'])."\n"); + fclose($fd); + } + + touch ("{$g['vardb_path']}/ovpn_cli_key_{$tun}.pem"); + chmod ("{$g['vardb_path']}/ovpn_cli_key_{$tun}.pem", 0600); + $fd = fopen("{$g['vardb_path']}/ovpn_cli_key_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['cli_key'])."\n"); + fclose($fd); + } + } + + if ($client['authentication_method'] == "pre_shared_key" || isset($client['tlsauth'])) { + touch ("{$g['vardb_path']}/ovpn_cli_psk_{$tun}.pem"); + chmod ("{$g['vardb_path']}/ovpn_cli_psk_{$tun}.pem", 0600); + $fd = fopen("{$g['vardb_path']}/ovpn_cli_psk_{$tun}.pem", "w"); + if ($fd) { + fwrite($fd, base64_decode($client['pre-shared-key'])."\n"); + fclose($fd); + } + } + + $fd = fopen("{$g['varetc_path']}/ovpn_cli_{$tun}.conf", "w"); + if (!$fd) { + printf("Error: cannot open ovpn_cli_{$tun}.conf in ovpn_cli_config_generate($id).\n"); + return 1; + } + + /* Client support in 2.0 is very simple */ + $ovpn_config = ""; + $ovpn_config .= << $client) { + if (isset($client['enable'])) { + + /* get tunnel interface */ + $tun = $client['if']; + + $i = 1; + while (true) { + $ifname = 'opt' . $i; + if (is_array($config['interfaces'][$ifname])) { + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['ovpn'] == "client_{$tun}")) + /* Already an interface defined - overwrite */ + break; + } else { + + /* No existing entry, this is first unused */ + $config['interfaces'][$ifname] = array(); + + /* add new filter rules */ + $filter_configure = true; + break; + } + $i++; + } + $config['interfaces'][$ifname]['descr'] = strtoupper($client['if']); + $config['interfaces'][$ifname]['if'] = $client['if']; + $config['interfaces'][$ifname]['ipaddr'] = "0.0.0.0"; + $config['interfaces'][$ifname]['subnet'] = "0"; + if (isset($client['bridge'])) { + $config['interfaces'][$ifname]['bridge'] = $client['bridge']; + $bridge_configure = true; + } else if (isset($config['interfaces'][$ifname]['bridge'])) { + /* bridge config removed */ + unset ($config['interfaces'][$ifname]['bridge']); + $bridge_configure = true; + } + $config['interfaces'][$ifname]['enable'] = isset($client['enable']) ? true : false; + $config['interfaces'][$ifname]['ovpn'] = "client_{$tun}"; + write_config(); + } + } + + /* do we have to reconfigure filter rules? */ + if (isset($bridge_configure)) + interfaces_optional_configure(); + else if (isset($filter_configure)) + filter_configure(); + + return "OpenVPN client interfaces defined"; +} + +/* Delete a client interface definition */ +function ovpn_client_iface_del($tun) { + global $config; + + for ($i = 1; is_array($config['interfaces']['opt' . $i]); $i++) { + $ifname = 'opt' . $i; + if ((isset($config['interfaces'][$ifname]['ovpn'])) + && ($config['interfaces'][$ifname]['if'] == "$tun")) { + unset($config['interfaces'][$ifname]); + break; + } + } + + /* shift down other OPTn interfaces to get rid of holes */ + $i++; + + /* look at the following OPTn ports */ + while (is_array($config['interfaces']['opt' . $i])) { + $config['interfaces']['opt' . ($i - 1)] = + $config['interfaces']['opt' . $i]; + + unset($config['interfaces']['opt' . $i]); + $i++; + } + + /* reconfigure filter rules */ + interfaces_optional_configure(); +} + +/* append interface to ovpndirty_path */ +function ovpn_cli_dirty($tun) { + global $d_ovpnclidirty_path; + + $fd = fopen($d_ovpnclidirty_path, 'a'); + if ($fd) { + fwrite($fd, $tun . "\n"); + fclose($fd); + } +} + + +/******************/ +/* Misc functions */ +/******************/ + +/* find the first available device of type $type */ +function getnxt_if($type) { + global $config; + + /* initialize variables */ + $iface_list = array(); + $max = ($type == 'tun') ? 17 : 4; + + /* construct list of valid interfaces */ + for ($i = 0; $i < $max ; $i++) + array_push($iface_list, $type . $i); + + /* delete interface in use from the list */ + if ($a_server = $config['ovpn']['server']['tunnel']) { + foreach ($a_server as $server) { + $entry = array(); + array_push($entry, $server['tun_iface']); + $iface_list = array_diff($iface_list, $entry); + } + } + + /* same for list of client tunnels */ + if ($a_client = $config['ovpn']['client']['tunnel']) { + foreach ($a_client as $client) { + $entry = array(); + array_push($entry, $client['if']); + $iface_list = array_diff($iface_list, $entry); + } + } + + /* return first element of list, if list of interfaces isn't empty */ + if (count($iface_list)) + return array_shift($iface_list); + else + return false; +} + +/* find the next best available port */ +function getnxt_port() { + + /* construct list of valid ports */ + $port_list = free_port_list(); + + /* return first element of list, if list of ports isn't empty */ + if (count($port_list)) + return array_shift($port_list); + else + return false; +} + +/* construct list of free ports */ +function free_port_list() { + global $config; + + /* initialize variables */ + $port_list = array(); + $first_port = 1194; + $max = $first_port + 21; + + for ($i = $first_port; $i < $max; $i++) + array_push($port_list, $i); + + /* delete port in use from the list */ + if ($a_server = $config['ovpn']['server']['tunnel']) { + foreach ($a_server as $server) { + $entry = array(); + array_push($entry, $server['port']); + $port_list = array_diff($port_list, $entry); + } + } + + /* same for list of client tunnels */ + if ($a_client = $config['ovpn']['client']['tunnel']) { + foreach ($a_client as $client) { + $entry = array(); + array_push($entry, $client['cport']); + $port_list = array_diff($port_list, $entry); + } + } + + return $port_list; +} + +/* construct list of used ports */ +function used_port_list() { + global $config; + + /* initialize variables */ + $port_list = array(); + + /* add used ports to the list */ + if ($a_server = $config['ovpn']['server']['tunnel']) { + foreach ($a_server as $server) { + if (isset($server['enable'])) + array_push($port_list, $server['port']); + } + } + + /* same for list of client tunnels */ + if ($a_client = $config['ovpn']['client']['tunnel']) { + foreach ($a_client as $client) { + if (isset($client['enable'])) + array_push($port_list, $client['cport']); + } + } + + return $port_list; +} + +/* construct list of bindings used for a specified port */ +function used_bind_list($port) { + global $config; + + /* initialize variables */ + $bind_list = array(); + + /* add used bindings to the list */ + if ($a_server = $config['ovpn']['server']['tunnel']) { + foreach ($a_server as $server) { + if (isset($server['enable']) && $server['port'] == $port) + array_push($bind_list, $server['bind_iface']); + } + } + + /* client daemon always binds to 0.0.0.0 */ + if ($a_client = $config['ovpn']['client']['tunnel']) { + foreach ($a_client as $client) { + if (isset($client['enable']) && $client['cport'] == $port) + array_push($bind_list, "all"); + } + } + + /* return list of bindings */ + return $bind_list; +} + +/* Calculate the last address in a range given the start and /prefix */ +function ovpn_calc_end($start, $prefix){ + $first = ip2long($start); + $last = pow(2,(32 - $prefix)) - 1 + $first; + return long2ip($last); +} + +/* Calculate a mask given a /prefix */ +function ovpn_calc_mask($prefix){ + return long2ip(ip2long("255.255.255.255") - (pow( 2, (32 - $prefix)) - 1)); +} + +/* Port in use */ +function ovpn_port_inuse_server($port){ + global $config; + if ($a_server = $config['ovpn']['server']['tunnel']) { + foreach ($a_server as $server) { + if ($server['port'] == $port) { + return true; + } + } + } + return false; +} + +/* Read in a file from the $_FILES array */ +function ovpn_get_file($file){ + global $g; + + if (!is_uploaded_file($_FILES[$file]['tmp_name'])){ + trigger_error("Bad file upload".$_FILES[$file]['error'], E_USER_NOTICE); + return NULL; + } + $contents = file_get_contents($_FILES[$file]['tmp_name']); + return $contents; +} + + +/* Get the IP address of a specified interface */ +function ovpn_get_ip($iface){ + global $config; + + if ($iface == 'wan') + return get_current_wan_address(); + + if ($config['interfaces'][$iface]['bridge']) + /* No bridging (yet) */ + return false; + return $config['interfaces'][$iface]['ipaddr']; +} + + +/* Get a list of the cipher options supported by OpenVPN */ +function ovpn_get_cipher_list(){ + +/* exec("/usr/local/sbin/openvpn --show-ciphers", $raw); + print_r ($raw); + + $ciphers = preg_grep('/ bit default key /', $raw); + + for($i = 0; $i 'DES-CBC (64 bit)', + 'RC2-CBC' => 'RC2-CBC (128 bit)', + 'DES-EDE-CBC' => 'DES-EDE-CBC (128 bit)', + 'DES-EDE3-CBC' => 'DES-EDE3-CBC (192 bit)', + 'DESX-CBC' => 'DESX-CBC (192 bit)', + 'BF-CBC' => 'BF-CBC (128 bit)', + 'RC2-40-CBC' => 'RC2-40-CBC (40 bit)', + 'CAST5-CBC' => 'CAST5-CBC (128 bit)', + 'RC5-CBC' => 'RC5-CBC (128 bit)', + 'RC2-64-CBC' => 'RC2-64-CBC (64 bit)', + 'AES-128-CBC' => 'AES-128-CBC (128 bit)', + 'AES-192-CBC' => 'AES-192-CBC (192 bit)', + 'AES-256-CBC' => 'AES-256-CBC (256 bit)'); + return $cipher_list; +} + + +/* Get optional interface */ +/* needs tunneling interface (tun0, tun1, tap0, ...) */ +/* returns optional interface name (opt2, opt3, ...) */ +function ovpn_get_opt_interface($tun){ + global $config; + + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + $ifname = 'opt' . $i; + + if (isset($config['interfaces']['opt' . $i]['ovpn'])) + if ($config['interfaces'][$ifname]['if'] == "$tun") + return $ifname; + } + /* not found? */ + return false; +} + +/* Build a list of the current real interfaces */ +function ovpn_real_interface_list(){ + global $config; + + $interfaces = array('all' => 'ALL', + 'lan' => 'LAN', + 'wan' => 'WAN'); + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if (isset($config['interfaces']['opt' . $i]['ovpn'])) + /* Hide our own interface */ + break; + if (isset($config['interfaces']['opt' . $i]['enable'])) + $interfaces['opt' . $i] = $config['interfaces']['opt' . $i]['descr']; + } + return $interfaces; +} + +/* called by interfaces_opt.php */ +function ovpn_ccd_sort() { + global $g, $config; + + function ccdcmp($a, $b) { + return strcmp($a['cn'][0], $b['cn'][0]); + } + + usort($config['ovpn']['server']['ccd'], "ccdcmp"); + +} + +/* called by interfaces_opt.php */ +function ovpn_config_post() { + global $_POST, $optcfg, $pconfig; + + unset($input_errors); + + /* bridge check */ + if ($_POST['bridge'] && strstr($optcfg['if'], "tun")) + $input_errors[] = "Bridging a tun interface isn't possible."; + + if (($_POST['enable'] && !isset($optcfg['enable'])) || (!$_POST['enable'] && isset($optcfg['enable']))) + $input_errors[] = "Enabling or disabling a tunneling interface isn't supported on this page."; + + if ($_POST['ipaddr'] != $optcfg['ipaddr']) + $input_errors[] = "Changing the IP address of a tunneling interfaces isn't supported on this page."; + + if ($_POST['subnet'] != $optcfg['subnet']) + $input_errors[] = "Changing the subnet mask of a tunneling interfaces isn't supported on this page."; + + if ($input_errors) { + $pconfig['ipaddr'] = $optcfg['ipaddr']; + $pconfig['subnet'] = $optcfg['subnet']; + $pconfig['bridge'] = $optcfg['bridge']; + $pconfig['enable'] = isset($optcfg['enable']); + } + + return $input_errors; +} + +function check_bridging($bridge) { + global $config; + unset($input_errors); + + /* double bridging? */ + for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { + if ($i != $index) { + if ($config['interfaces']['opt' . $i]['bridge'] == $bridge) { + $input_errors = "Optional interface {$i} " . + "({$config['interfaces']['opt' . $i]['descr']}) is already bridged to " . + "the specified interface."; + } else if ($config['interfaces']['opt' . $i]['bridge'] == "opt{$index}") { + $input_errors = "Optional interface {$i} " . + "({$config['interfaces']['opt' . $i]['descr']}) is already bridged to " . + "this interface."; + } + } + } + + if ($config['interfaces'][$bridge]['bridge']) + $input_errors = "The specified interface is already bridged to another interface."; + + return $input_errors; +} + +/* +function is_specialnet($net) { + $specialsrcdst = explode(" ", "lan"); + + if (in_array($net, $specialsrcdst)) + return true; + else + return false; +} +*/ + + +/* lock openvpn information, decide that the lock file is stale after + 10 seconds */ +function ovpn_lock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/ovpn.lock"; + + $n = 0; + while ($n < 10) { + /* open the lock file in append mode to avoid race condition */ + if ($fd = fopen($lockfile, "x")) { + /* succeeded */ + fclose($fd); + return; + } else { + /* file locked, wait and try again */ + sleep(1); + $n++; + } + } +} + +/* unlock configuration file */ +function ovpn_unlock() { + + global $g; + + $lockfile = "{$g['varrun_path']}/ovpn.lock"; + + if (file_exists($lockfile)) + unlink($lockfile); +} + +?> diff -Nur rootfs-1.21/etc/inc/util.inc rootfs-1.21-ovpn1/etc/inc/util.inc --- rootfs-1.21/etc/inc/util.inc 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/inc/util.inc 2006-01-14 11:48:36.000000000 +0100 @@ -239,7 +239,7 @@ if (substr($ifname, -1) == "*") $ifname = substr($ifname, 0, strlen($ifname) - 1); - if (!preg_match("/^(ppp|sl|gif|faith|lo|ng|vlan|tun)/", $ifname)) { + if (!preg_match("/^(ppp|sl|gif|faith|lo|ng|vlan)/", $ifname)) { $iflist[$ifname] = array(); $iflist[$ifname]['mac'] = chop($alink[3]); diff -Nur rootfs-1.21/etc/inc/xmlparse.inc rootfs-1.21-ovpn1/etc/inc/xmlparse.inc --- rootfs-1.21/etc/inc/xmlparse.inc 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/inc/xmlparse.inc 2006-01-14 11:48:36.000000000 +0100 @@ -30,7 +30,7 @@ */ /* tags that are always to be handled as lists */ -$listtags = explode(" ", "rule user key dnsserver winsserver " . +$listtags = explode(" ", "rule user key dnsserver winsserver option ccd crl " . "encryption-algorithm-option hash-algorithm-option hosts tunnel onetoone " . "staticmap route alias pipe queue shellcmd cacert earlyshellcmd mobilekey " . "servernat proxyarpnet passthrumac allowedip wolentry vlan domainoverrides element"); diff -Nur rootfs-1.21/etc/rc rootfs-1.21-ovpn1/etc/rc --- rootfs-1.21/etc/rc 2005-05-10 14:14:04.000000000 +0200 +++ rootfs-1.21-ovpn1/etc/rc 2006-01-14 11:48:24.000000000 +0100 @@ -19,7 +19,7 @@ trap "echo 'Reboot interrupted'; exit 1" 3 # make some directories in /var -mkdir /var/run /var/log /var/etc /var/db +mkdir /var/run /var/log /var/etc /var/db /var/db/ccd # generate circular logfiles clog -i -s 262144 /var/log/system.log diff -Nur rootfs-1.21/etc/rc.bootup rootfs-1.21-ovpn1/etc/rc.bootup --- rootfs-1.21/etc/rc.bootup 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/rc.bootup 2006-01-14 11:48:24.000000000 +0100 @@ -87,6 +87,9 @@ /* set up Optional interfaces */ interfaces_optional_configure(); + + /* start OpenVPN server & clients */ + ovpn_configure(false); /* resync ipfilter */ filter_resync(); diff -Nur rootfs-1.21/etc/rc.newwanip rootfs-1.21-ovpn1/etc/rc.newwanip --- rootfs-1.21/etc/rc.newwanip 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/rc.newwanip 2006-01-14 11:48:24.000000000 +0100 @@ -62,6 +62,9 @@ /* reconfigure IPsec tunnels */ vpn_ipsec_configure(true); + + /* reconfigure OpenVPN tunnels */ + ovpn_configure(true); /* regenerate resolv.conf if DNS overrides are allowed or the BigPond client is enabled */ diff -Nur rootfs-1.21/etc/version rootfs-1.21-ovpn1/etc/version --- rootfs-1.21/etc/version 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/version 2006-01-14 11:48:24.000000000 +0100 @@ -1 +1 @@ -1.21 +1.21-ovpn1 diff -Nur rootfs-1.21/etc/version.buildtime rootfs-1.21-ovpn1/etc/version.buildtime --- rootfs-1.21/etc/version.buildtime 2006-01-01 12:53:30.000000000 +0100 +++ rootfs-1.21-ovpn1/etc/version.buildtime 2006-01-14 11:59:35.000000000 +0100 @@ -1 +1 @@ -Sun Jan 1 12:53:30 CET 2006 +Sat Jan 14 11:59:35 CET 2006 diff -Nur rootfs-1.21/usr/local/www/fbegin.inc rootfs-1.21-ovpn1/usr/local/www/fbegin.inc --- rootfs-1.21/usr/local/www/fbegin.inc 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/fbegin.inc 2006-01-14 11:49:22.000000000 +0100 @@ -49,6 +49,7 @@ triel.src = "/tri_c.gif"; } } + --> @@ -92,7 +93,7 @@ shaper
     Aliases
Services
-      DNS forwarder
+      DNS forwarder
     Dynamic DNS
     DHCP server
@@ -104,9 +105,13 @@ VPN
     IPsec
     PPTP
+      OpenVPN
Status
     System
     Interfaces
+ +      OpenVPN
+      Traffic graph
     Wireless
diff -Nur rootfs-1.21/usr/local/www/guiconfig.inc rootfs-1.21-ovpn1/usr/local/www/guiconfig.inc --- rootfs-1.21/usr/local/www/guiconfig.inc 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/guiconfig.inc 2006-01-14 11:49:22.000000000 +0100 @@ -56,6 +56,10 @@ $d_sysrebootreqd_path = $g['varrun_path'] . "/sysreboot.reqd"; $d_passthrumacsdirty_path = $g['varrun_path'] . "/passthrumacs.dirty"; $d_allowedipsdirty_path = $g['varrun_path'] . "/allowedips.dirty"; +$d_ovpnsrvdirty_path = $g['varrun_path'] . "/ovpnserver.dirty"; +$d_ovpnclidirty_path = $g['varrun_path'] . "/ovpnclient.dirty"; +$d_ovpnccddirty_path = $g['varrun_path'] . "/ovpnccd.dirty"; +$d_ovpncrldirty_path = $g['varrun_path'] . "/ovpncrl.dirty"; if (file_exists($d_firmwarelock_path)) { if (!$d_isfwfile) { diff -Nur rootfs-1.21/usr/local/www/interfaces_assign.php rootfs-1.21-ovpn1/usr/local/www/interfaces_assign.php --- rootfs-1.21/usr/local/www/interfaces_assign.php 2006-01-01 12:53:09.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/interfaces_assign.php 2006-01-14 11:49:22.000000000 +0100 @@ -51,6 +51,26 @@ } } +/* add server tun/tap interfaces */ +if (is_array($config['ovpn']['server']['tunnel']) && count($config['ovpn']['server']['tunnel'])) { + $i = 0; + foreach ($config['ovpn']['server']['tunnel'] as $tunnel) { + $portlist['tun' . $i] = $tunnel; + $portlist['tun' . $i]['istun'] = true; + $i++; + } +} + +/* add client tun/tap interfaces */ +if (is_array($config['ovpn']['client']['tunnel']) && count($config['ovpn']['client']['tunnel'])) { + $i = 0; + foreach ($config['ovpn']['client']['tunnel'] as $tunnel) { + $portlist['tun' . $i] = $tunnel; + $portlist['tun' . $i]['istun'] = true; + $i++; + } +} + if ($_POST) { unset($input_errors); @@ -118,29 +138,30 @@ if ($_GET['act'] == "del") { $id = $_GET['id']; - - unset($config['interfaces'][$id]); /* delete the specified OPTn */ - /* shift down other OPTn interfaces to get rid of holes */ - $i = substr($id, 3); /* the number of the OPTn port being deleted */ - $i++; - - /* look at the following OPTn ports */ - while (is_array($config['interfaces']['opt' . $i])) { - $config['interfaces']['opt' . ($i - 1)] = - $config['interfaces']['opt' . $i]; - - if ($config['interfaces']['opt' . ($i - 1)]['descr'] == "OPT" . $i) - $config['interfaces']['opt' . ($i - 1)]['descr'] = "OPT" . ($i - 1); - - unset($config['interfaces']['opt' . $i]); + if (!$input_errors) { + + /* shift down other OPTn interfaces to get rid of holes */ + $i = substr($id, 3); /* the number of the OPTn port being deleted */ $i++; - } - write_config(); - touch($d_sysrebootreqd_path); - header("Location: interfaces_assign.php"); - exit; + /* look at the following OPTn ports */ + while (is_array($config['interfaces']['opt' . $i])) { + $config['interfaces']['opt' . ($i - 1)] = + $config['interfaces']['opt' . $i]; + + if ($config['interfaces']['opt' . ($i - 1)]['descr'] == "OPT" . $i) + $config['interfaces']['opt' . ($i - 1)]['descr'] = "OPT" . ($i - 1); + + unset($config['interfaces']['opt' . $i]); + $i++; + } + + write_config(); + touch($d_sysrebootreqd_path); + header("Location: interfaces_assign.php"); + exit; + } } if ($_GET['act'] == "add") { @@ -178,8 +199,10 @@ ?> - - +
$iface): + /* we don't want to see the OpenVPN tun interfaces */ + if (isset($iface['ovpn'])) + continue; + if ($iface['descr']) $ifdescr = $iface['descr']; else @@ -207,6 +234,7 @@ @@ -243,26 +267,28 @@ - - - - - - + + + + + + diff -Nur rootfs-1.21/usr/local/www/license.php rootfs-1.21-ovpn1/usr/local/www/license.php --- rootfs-1.21/usr/local/www/license.php 2006-01-01 12:53:08.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/license.php 2006-01-14 11:49:22.000000000 +0100 @@ -79,8 +79,9 @@     DHCP lease list page

Peter Allgeyer (allgeyer@web.de)
-     "reject" type filter rules; dial-on-demand; WAN connect/disconnect; auto-add proxy ARP
-     firewall log filtering; DynDNS server/port; Diag: ARP improvements
+     "reject" type filter rules; dial-on-demand; WAN connect/disconnect; auto-add proxy ARP;
+     firewall log filtering; DynDNS server/port; Diag: ARP improvements;
+     OpenVPN support enhancements

Thierry Lechat (dev@lechat.org)
    SVG-based traffic grapher
@@ -110,6 +111,9 @@ Audun Larsen (larsen@xqus.com)
    CPU/memory usage display

+ Peter Curran (peter@closeconsultants.com)
+     OpenVPN support
+
Pavel A. Grodek (pg@abletools.com)
    Traffic shaper packet loss rate/queue size

diff -Nur rootfs-1.21/usr/local/www/services_dhcp.php rootfs-1.21-ovpn1/usr/local/www/services_dhcp.php --- rootfs-1.21/usr/local/www/services_dhcp.php 2006-01-01 12:53:08.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/services_dhcp.php 2006-01-14 11:49:22.000000000 +0100 @@ -41,7 +41,7 @@ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { $oc = $config['interfaces']['opt' . $i]; - if (isset($oc['enable']) && $oc['if'] && (!$oc['bridge'])) { + if (isset($oc['enable']) && $oc['if'] && (!$oc['bridge']) && (!strstr($oc['if'], "tun"))) { $iflist['opt' . $i] = $oc['descr']; } } diff -Nur rootfs-1.21/usr/local/www/services_dhcp_relay.php rootfs-1.21-ovpn1/usr/local/www/services_dhcp_relay.php --- rootfs-1.21/usr/local/www/services_dhcp_relay.php 2006-01-01 12:53:08.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/services_dhcp_relay.php 2006-01-14 11:49:22.000000000 +0100 @@ -62,7 +62,7 @@ for ($i = 1; isset($config['interfaces']['opt' . $i]); $i++) { $oc = $config['interfaces']['opt' . $i]; - if (isset($oc['enable']) && $oc['if'] && (!$oc['bridge'])) { + if (isset($oc['enable']) && $oc['if'] && (!$oc['bridge']) && (!strstr($oc['if'], "tun"))) { $iflist['opt' . $i] = $oc['descr']; } } diff -Nur rootfs-1.21/usr/local/www/services_proxyarp_edit.php rootfs-1.21-ovpn1/usr/local/www/services_proxyarp_edit.php --- rootfs-1.21/usr/local/www/services_proxyarp_edit.php 2006-01-01 12:53:08.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/services_proxyarp_edit.php 2006-01-14 11:49:22.000000000 +0100 @@ -168,6 +168,7 @@ \n"; + echo "\n"; + echo "\n"; + + unset($found); + if (isset($virtip_list)) { + foreach ($virtip_list as $vent) { + if ($cent[1] == $vent[2]) { + $found = 1; + echo "\n"; + } + } + } + if (!isset($found)) + echo "\n"; + + $date = preg_split("/\s+/", $cent[4]); + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + } + } +} + +?> + +
@@ -197,6 +220,10 @@  
  - onClick="enable_change(false);bridge_change(false)"> + onChange="enable_change(false);bridge_change(false)"> Enable Optional interface
IP address - - / - -
IP address + + / + +
  + > + >
" . htmlspecialchars($cent[0]) . "" . htmlspecialchars($cent[1]) . "" . htmlspecialchars($vent[0]) . " --" . htmlspecialchars($date[1]) . " " . htmlspecialchars($date[2]) . " " . htmlspecialchars($date[3]) . "" . htmlspecialchars($cent[2]) . "" . htmlspecialchars($cent[3]) . "
+ + + + + + + + + + + + +
+ OpenVPN server status entries
Common NameReal AddressVirtual AddressConnected SinceBytes ReceivedBytes Sent
+
+Note:
+Please note that status entries are updated once every minute only. +So don't bother about entries on this page being possibly too old! + diff -Nur rootfs-1.21/usr/local/www/status.php rootfs-1.21-ovpn1/usr/local/www/status.php --- rootfs-1.21/usr/local/www/status.php 2006-01-01 12:53:08.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/status.php 2006-01-14 11:49:22.000000000 +0100 @@ -30,6 +30,8 @@ /* remove password tag contents */ $line = preg_replace("/.*?<\\/password>/", "xxxxx", $line); $line = preg_replace("/.*?<\\/pre-shared-key>/", "xxxxx", $line); + $line = preg_replace("/.*?<\\/srv_key>/", "xxxxx", $line); + $line = preg_replace("/.*?<\\/cli_key>/", "xxxxx", $line); $line = str_replace("\t", " ", $line); echo htmlspecialchars($line,ENT_NOQUOTES); } diff -Nur rootfs-1.21/usr/local/www/vpn_ipsec_edit.php rootfs-1.21-ovpn1/usr/local/www/vpn_ipsec_edit.php --- rootfs-1.21/usr/local/www/vpn_ipsec_edit.php 2006-01-01 12:53:08.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/vpn_ipsec_edit.php 2006-01-14 11:49:22.000000000 +0100 @@ -328,6 +328,7 @@ > + Disable this entry
+ Set this option to disable this client-specific configuration + without removing it from the list. + + + + + Common Name + + +
Enter client's X.509 common name here. + + + + Description + + +
You may enter a description here for your reference (not parsed). + + + + Block client + + > + Disable this client from connecting
+ Disable a particular client (based on the common name) from connecting. + Don't use this option to disable a client due to key + or password compromise. Use a CRL (certificate revocation list) + instead. + + + + + + + + + Push options + + + + Client-Push Inheritation + + >Push reset +
Set this option to on, if you don't want to inherit + the global push list for this client from the server page. + + + + Client-push options + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
> + Redirect-gateway > + Local
> Route-delay  seconds
> + Inactive  + seconds
> Ping Interval: seconds
> Ping-exit Interval: seconds
> Ping-restart Interval: seconds
+ + + + Custom client options + + The following options are legal in a client-specific context:
+ push, push-reset, iroute, ifconfig-push and config.
+ + Note:
+ Commands in here aren't supported. + + + + +   + + + + + + + + + + + diff -Nur rootfs-1.21/usr/local/www/vpn_openvpn_ccd.php rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_ccd.php --- rootfs-1.21/usr/local/www/vpn_openvpn_ccd.php 1970-01-01 01:00:00.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_ccd.php 2006-01-14 11:49:22.000000000 +0100 @@ -0,0 +1,191 @@ +#!/usr/local/bin/php + $server) { +# /* get tunnel interface */ +# $tun = $server['tun_iface']; +# +# /* send SIGUSR1 to running openvpn daemon */ +# if (isset($server['enable'])) +# sigkillbypid($g['varrun_path']."/ovpn_srv_{$tun}.pid", "SIGUSR1"); +# } +# + + /* remove dirty flag */ + unlink_if_exists($d_ovpnccddirty_path); + + $savemsg = get_std_save_message($retval); +} + +if ($_GET['act'] == "del") { + if ($ovpnccd[$id]) { + $ovpnent = $ovpnccd[$id]; + + unset($ovpnccd[$id]); + write_config(); + + /* Remove config files */ + ovpn_server_ccd_del($ovpnent['cn']); + + header("Location: vpn_openvpn_ccd.php"); + exit; + } + +} else if ($_GET['act'] == "toggle") { + if ($ovpnccd[$_GET['id']]) { + $ovpnccd[$_GET['id']]['enable'] = !isset($ovpnccd[$_GET['id']]['enable']); + write_config(); + touch($d_ovpnccddirty_path); + header("Location: vpn_openvpn_ccd.php"); + exit; + } +} + + +?> + + + + +
+

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + +
+ +
+ WARNING: This feature is experimental and modifies your optional interface configuration. + Backup your configuration before using OpenVPN, and restore it before upgrading.

+ + + + + + + + + "; + $spane = ""; + $iconfn .= "_d"; + } else { + $spans = $spane = ""; + } + ?> + + + + + + + + + + + + +
 Common NameDescription
+ + + + +   + +  
 
+ + + + + + + + + + + + + + + + + + +
passblock
pass (disabled)block (disabled)
+
+
+ diff -Nur rootfs-1.21/usr/local/www/vpn_openvpn_cli_edit.php rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_cli_edit.php --- rootfs-1.21/usr/local/www/vpn_openvpn_cli_edit.php 1970-01-01 01:00:00.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_cli_edit.php 2006-01-14 11:49:22.000000000 +0100 @@ -0,0 +1,722 @@ +#!/usr/local/bin/php + + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Disabled + > + Disable this client
+ Set this option to disable this client without removing it from the list. +
Server information
Address + +
+ Enter the server's IP address or FQDN.
Port +
+ Enter the server's port number (default is 1194).
Version + > 2.0  + > 1.x +
+ Specify which version of the OpenVPN protocol the server runs.
Description + +
You may enter a description here for your reference (not parsed).
Cryptographic options
Authentication method +
Must match the setting chosen on the remote side.
CA certificate + +
+ Paste a CA certificate in X.509 PEM format here.
Client certificate + +
+ Paste a client certificate in X.509 PEM format here.
Client key + +
Paste the client RSA private key here.
Crypto + +
+ Select the data channel encryption cipher. This must match the setting on the server. +
nsCertType + > + nsCertType
+ Require that peer certificate was signed with an explicit + nsCertType designation of "server". + This is a useful security option for clients, to ensure that the + host they connect with is a designated server. +
TLS auth + > + TLS auth
+ The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification.
Pre-shared secret + +
+ Paste your own pre-shared secret here.
Client configuration
Tunnel type + > TUN  + > TAP
Tunnel protocol +> UDP  +> TCP
+ Important: These settings must match the server's configuration.
Interface + Auto +
Port + Auto +
Bridge with +
Only supported with authentication method set to RSA signature. +
OpenVPN address assignment + When using pre-shared keys, enter the IP address and subnet mask + of the local and remote VPN endpoint here. For TAP devices, only the + IP address of the local VPN endpoint is needed. The netmask is the subnet mask + of the virtual ethernet segment which is being created or connected to.
+
+ + + + + + + + + +
Local IP address:   + / + +
Remote IP address:   +
+
Client Options
Pull Options + > + Client-pull
+ This option must be used on a client which is connecting to a + multi-client server. It indicates to OpenVPN that it should + accept options pushed by the server, provided they are part of the + legal set of pushable options. +
Compression method + +
+ Choose which compression method to use.
+
+ LZO compression generally improves performance on slow links, + but may add up to 1 byte per packet for incompressible data.
+
+ With adaptive compression, OpenVPN will periodically sample the + compression process to measure its efficiency. If the data being + sent over the tunnel is already compressed, the compression + efficiency will be very low. Choose 'LZO (no adaptive)' + to disable OpenVPN's adaptive compression algorithm. +
Expert mode + > + Enable expert OpenVPN mode
+ If this option is on, you can specify your own extra commands for the OpenVPN server.
+ + Note:
+ Commands in expert mode aren't supported. +
  + + + + +
+
+ + diff -Nur rootfs-1.21/usr/local/www/vpn_openvpn_cli.php rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_cli.php --- rootfs-1.21/usr/local/www/vpn_openvpn_cli.php 1970-01-01 01:00:00.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_cli.php 2006-01-14 11:49:22.000000000 +0100 @@ -0,0 +1,166 @@ +#!/usr/local/bin/php + + + + +
+

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + +
+ +
+ WARNING: This feature is experimental and modifies your optional interface configuration. + Backup your configuration before using OpenVPN, and restore it before upgrading.

+ + + + + + + + + + + + + "; + $spane = ""; + } else { + $spans = $spane = ""; + } + ?> + + + + + + + + + + + + + + + +
InterfaceProtocolSocketServer addressVersionDescription
+ + + + + + + + + + + +   + +  
 
+
+
+ diff -Nur rootfs-1.21/usr/local/www/vpn_openvpn_crl_edit.php rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_crl_edit.php --- rootfs-1.21/usr/local/www/vpn_openvpn_crl_edit.php 1970-01-01 01:00:00.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_crl_edit.php 2006-01-14 11:49:22.000000000 +0100 @@ -0,0 +1,238 @@ +#!/usr/local/bin/php + + + + + + +
+WARNING: This feature is experimental and modifies your optional interface configuration. + Backup your configuration before using OpenVPN, and restore it before upgrading.
 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Disabled + > + Disable this X.509 CRL list
+ Set this option to on to disable this X.509 CRL file + without removing it from the list.
Name + +
Enter a unique name here, to describe the X.509 CRL list.
Description + +
You may enter a description here for your reference (not parsed).
X.509 CRL file content + +
+ Paste the contents of a X.509 CRL file in PEM format here.
X.509 CRL file +
+ Instead of pasting the contents of a X.509 CRL file above, + you can upload a X.509 CRL file in PEM format here. It will + overwrite the values entered in the "X.509 CRL file content" + field. +
  + + + + +
+
+ + diff -Nur rootfs-1.21/usr/local/www/vpn_openvpn_crl.php rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_crl.php --- rootfs-1.21/usr/local/www/vpn_openvpn_crl.php 1970-01-01 01:00:00.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_crl.php 2006-01-14 11:49:22.000000000 +0100 @@ -0,0 +1,156 @@ +#!/usr/local/bin/php + + + + + +
+

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + +
+ +
+ WARNING: This feature is experimental and modifies your optional interface configuration. + Backup your configuration before using OpenVPN, and restore it before upgrading.
+  
+ + + + + + + + "; + $spane = ""; + } else { + $spans = $spane = ""; + } + ?> + + + + + + + + + + + +
CRL nameDescription
+ + +   + +  
 

+ + Note:
+ A CRL (certificate revocation list) is used when a particular + key is compromised but when the overall PKI is still intact.
+
+ Suppose you had a PKI consisting of a CA, root certificate, and + a number of client certificates. Suppose a laptop computer + containing a client key and certificate was stolen. By adding the + stolen certificate to the CRL file, you could reject any connection + which attempts to use it, while preserving the overall + integrity of the PKI.
+
+ The only time when it would be necessary to rebuild the entire + PKI from scratch would be if the root certificate key itself was + compromised. + +
+
+ diff -Nur rootfs-1.21/usr/local/www/vpn_openvpn_srv_edit.php rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_srv_edit.php --- rootfs-1.21/usr/local/www/vpn_openvpn_srv_edit.php 1970-01-01 01:00:00.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_srv_edit.php 2006-01-14 11:49:22.000000000 +0100 @@ -0,0 +1,1204 @@ +#!/usr/local/bin/php + 1) + $input_errors[] = "Maximum number of simultaneous clients should not be greater than \"1\"."; + + /* checked also by javascript */ + if ($_POST['method'] != "static") + $input_errors[] = "Only static address assignment is supported."; + + } else { + /* rsa */ + $reqdfields = array_merge($reqdfields, explode(" ", "ca_cert srv_cert srv_key dh_param")); + $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "CA certificate,Server certificate,Server key,DH parameters")); + + if ($_POST['type'] == "tap") { + /* tap*/ + if (!$_POST['bridge']) { + if ($_POST['method'] == "ovpn") { + $reqdfields = array_merge($reqdfields, "ipblock"); + $reqdfieldsn = array_merge($reqdfieldsn, "IP address block"); + + $check_ipblock = 1; + } else { + $input_errors[] = "Only supported address assignment is \"Managed by OpenVPN\"."; + } + } else { + if ($_POST['method'] == "ovpn") { + $reqdfields = array_merge($reqdfields, explode(" ", "range_from range_to gateway")); + $reqdfieldsn = array_merge($reqdfieldsn, explode(",", "Range begin,Range end,Gateway")); + if (intval($_POST['maxcli']) > (ip2long($_POST['range_to']) - ip2long($_POST['range_from']) + 1)) + $input_errors[] = "IP range to small for maximum number of simultaneous clients."; + + } else if ($_POST['method'] != "dhcp") { + $input_errors[] = "Wrong or emtpy OpenVPN address assignment."; + } + } + + } else { + /* tun*/ + $reqdfields = array_merge($reqdfields, "ipblock"); + $reqdfieldsn = array_merge($reqdfieldsn, "IP address block"); + + /* checked also by javascript */ + if ($_POST['method'] != "ovpn") + $input_errors[] = "Only supported address assignment is \"Managed by OpenVPN\"."; + + $check_ipblock = 1; + } + + + /* valid IP */ + if ($_POST['ipblock'] && $check_ipblock) { + if (!is_ipaddr($_POST['ipblock'])) { + $input_errors[] = "A valid IP netblock must be specified."; + } else if ($_POST['type'] == "tun" && intval($_POST['prefix']) > 29) { + $input_errors[] = "Network mask too high for tun-style tunnels."; + } else { + $network = ip2long(gen_subnet($_POST['ipblock'], $_POST['prefix'])); + $broadcast = ip2long(gen_subnet_max($_POST['ipblock'], $_POST['prefix'])); + + if ($_POST['maxcli']) { + if ($_POST['type'] == "tap") { + if (intval($_POST['maxcli']) > ($broadcast - $network - 3)) + $input_errors[] = "Maximum number of simultaneous clients too high"; + } else { + if (intval($_POST['maxcli']) > floor(($broadcast - $network) / 4)) + $input_errors[] = "Maximum number of simultaneous clients too high"; + } + } + } + } + + /* Sort out the cert+key files */ + if (!empty($_POST['ca_cert']) && + (!strstr($_POST['ca_cert'], "BEGIN CERTIFICATE") || + !strstr($_POST['ca_cert'], "END CERTIFICATE"))) + $input_errors[] = "The CA certificate does not appear to be valid."; + + if (!empty($_POST['srv_cert']) && + (!strstr($_POST['srv_cert'], "BEGIN CERTIFICATE") || + !strstr($_POST['srv_cert'], "END CERTIFICATE"))) + $input_errors[] = "The server certificate does not appear to be valid."; + + if (!empty($_POST['srv_key']) && + (!strstr($_POST['srv_key'], "BEGIN RSA PRIVATE KEY") || + !strstr($_POST['srv_key'], "END RSA PRIVATE KEY"))) + $input_errors[] = "The server key does not appear to be valid."; + + if (!empty($_POST['dh_param']) && + (!strstr($_POST['dh_param'], "BEGIN DH PARAMETERS") || + !strstr($_POST['dh_param'], "END DH PARAMETERS"))) + $input_errors[] = "The DH parameters do not appear to be valid."; + + if (isset($_POST['tlsauth']) && empty($_POST['pre-shared-key'])) + $input_errors[] = "The field 'Pre-shared secret' is required."; + } + + do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + if (($_POST['range_from'] && !is_ipaddr($_POST['range_from']))) + $input_errors[] = "A valid range must be specified."; + + if (($_POST['range_to'] && !is_ipaddr($_POST['range_to']))) + $input_errors[] = "A valid range must be specified."; + + if ($_POST['gateway'] && !is_ipaddr($_POST['gateway'])) + $input_errors[] = "A valid gateway IP address must be specified."; + + /* make sure the range lies within the bridged subnet */ + if ($_POST['bridge']) { + if ($_POST['method'] == "ovpn") { + + $ipaddr = $config['interfaces'][$_POST['bridge']]['ipaddr']; + $subnet = $config['interfaces'][$_POST['bridge']]['subnet']; + + $subnet_start = (ip2long($ipaddr) & gen_subnet_mask_long($subnet)); + $subnet_end = (ip2long($ipaddr) | (~gen_subnet_mask_long($subnet))); + + if (!ip_in_subnet($_POST['gateway'], gen_subnet($ipaddr, $subnet) . "/" . $subnet)) + $input_errors[] = "The specified gateway lies outside of the bridged subnet."; + + if ((ip2long($_POST['range_from']) < $subnet_start) || (ip2long($_POST['range_from']) > $subnet_end) || + (ip2long($_POST['range_to']) < $subnet_start) || (ip2long($_POST['range_to']) > $subnet_end)) { + $input_errors[] = "The specified range lies outside of the bridged subnet."; + } + + if (ip2long($_POST['range_from']) > ip2long($_POST['range_to'])) + $input_errors[] = "The range is invalid (first element higher than second element)."; + } + } + + /* valid Port */ + if (empty($_POST['port'])) + $input_errors[] = "You must provide a server in between 1 and 65535."; + else if (!is_port($_POST['port'])) + $input_errors[] = "The server port must be an integer between 1 and 65535."; + + /* check if dynip is set correctly */ + if ($_POST['dynip'] && $_POST['bind_iface'] != 'all') + $input_errors[] = "Dynamic IP address can only be set with interface binding set to ALL."; + + if (!empty($_POST['pre-shared-key'])) + if (!strstr($_POST['pre-shared-key'], "BEGIN OpenVPN Static key") || + !strstr($_POST['pre-shared-key'], "END OpenVPN Static key")) + $input_errors[] = "Pre-shared secret does not appear to be valid."; + + if ($_POST['psh_pingrst'] && $_POST['psh_pingexit']) + $input_errors[] = "Ping-restart and Ping-exit are mutually exclusive and cannot be used together"; + + if ($_POST['psh_rtedelay'] && !is_numeric($_POST['psh_rtedelay_int'])) + $input_errors[] = "Route-delay needs a numerical interval setting."; + + if ($_POST['psh_inact'] && !is_numeric($_POST['psh_inact_int'])) + $input_errors[] = "Inactive needs a numerical interval setting."; + + if ($_POST['psh_ping'] && !is_numeric($_POST['psh_ping_int'])) + $input_errors[] = "Ping needs a numerical interval setting."; + + if ($_POST['psh_pingexit'] && !is_numeric($_POST['psh_pingexit_int'])) + $input_errors[] = "Ping-exit needs a numerical interval setting."; + + if ($_POST['psh_pingrst'] && !is_numeric($_POST['psh_pingrst_int'])) + $input_errors[] = "Ping-restart needs a numerical interval setting."; + + /* Editing an existing entry? */ + if (isset($id) && $ovpnsrv[$id]) { + $ovpnent = $ovpnsrv[$id]; + + /* bridging changed */ + if ($ovpnent['bridge'] != $_POST['bridge']) { + /* double bridging? */ + if ($_POST['bridge'] && + $_POST['type'] == "tap" && + $_POST['authentication_method'] == "rsasig") + $retval = check_bridging($_POST['bridge']); + + if (!empty($retval)) + $input_errors[] = $retval; + } + + /* port number syntactically valid, so lets check, if it is free */ + if (isset($ovpnent['enable']) && + !isset($_POST['disabled']) && + $ovpnent['port'] != $_POST['port']) { + /* port number has changed */ + + if (in_array($_POST['port'], used_port_list())) { + /* port in use, check binding */ + + /* return interfaces bind to this port */ + $bind_list = used_bind_list($_POST['port']); + + /* check if binding is in use */ + if (($_POST['bind_iface'] == "all") || + in_array("all", $bind_list) || + in_array($_POST['bind_iface'], $bind_list) ) { + $input_errors[] = "OpenVPN binding already in use by another OpenVPN daemon."; + } + } + } + + /* binding free? */ + if (isset($ovpnent['enable']) && + !isset($_POST['disabled']) && + $ovpnent['bind_iface'] != $_POST['bind_iface']) { + /* binding has changed, remove existing old entry from list */ + $entry = array(); + array_push($entry, $ovpnent['bind_iface']); + $bind_list = array_diff(used_bind_list($_POST['port']), $entry); + + if (count($bind_list)) { + if ($_POST['bind_iface'] == "all") + $input_errors[] = "Interface binding is already in use."; + else if (in_array("all", $bind_list) || + in_array($_POST['bind_iface'], $bind_list)) + $input_errors[] = "Interface binding is already in use."; + } + } + + /* Test Server type hasn't changed */ + if ($ovpnent['type'] != $_POST['type']) { + $input_errors[] = "Delete this interface first before changing the type of the tunnel to " . strtoupper($_POST['type']) ."."; + + } + + /* status changed to enable */ + if (!isset($ovpnent['enable']) && !isset($_POST['disabled'])) { + + /* check if port number is free */ + if (in_array($_POST['port'], used_port_list())) { + /* port in use, check binding */ + + /* return interfaces bind to this port */ + $bind_list = used_bind_list($_POST['port']); + + if (($_POST['bind_iface'] == "all") || + in_array("all", $bind_list ) || + in_array($_POST['bind_iface'], $bind_list) ) { + /* binding in use */ + $input_errors[] = "OpenVPN binding already in use by another OpenVPN daemon."; + } + } + } + + } else { + /* Creating a new entry */ + $ovpnent = array(); + + /* port number syntactically valid, so lets check, if it is free */ + if ($_POST['port']) { + /* new port number */ + $bind_list = used_bind_list($_POST['port']); + + if (in_array($_POST['port'], used_port_list())) { + /* port in use, check binding */ + if (($_POST['bind_iface'] == "all") || + in_array("all", $bind_list ) || + in_array($_POST['bind_iface'], $bind_list) ) { + /* binding in use */ + $input_errors[] = "Port {$_POST['port']} is already used for another interface."; + } + } + } + + if (!($ovpnent['tun_iface'] = getnxt_if($_POST['type']))) + $input_errors[] = "Run out of devices for a tunnel of type {$_POST['type']}"; + + /* double bridging? */ + if ($ovpnent['bridge'] != $_POST['bridge']) { + /* double bridging? */ + if ($_POST['bridge'] && + $_POST['type'] == "tap" && + $_POST['authentication_method'] == "rsasig") + $retval = check_bridging($_POST['bridge']); + + if (!empty($retval)) + $input_errors[] = $retval; + } + } + + if (!$input_errors) { + + $ovpnent['enable'] = isset($_POST['disabled']) ? false : true; + $ovpnent['bind_iface'] = $_POST['bind_iface']; + $ovpnent['port'] = $_POST['port']; + $ovpnent['proto'] = $_POST['proto']; + $ovpnent['type'] = $_POST['type']; + $ovpnent['method'] = $_POST['method']; + $ovpnent['authentication_method'] = $_POST['authentication_method']; + + /* convert IP address block to a correct network IP address */ + $ovpnent['ipblock'] = gen_subnet($_POST['ipblock'], $_POST['prefix']); + $ovpnent['prefix'] = $_POST['prefix']; + $ovpnent['lipaddr'] = $_POST['lipaddr']; + $ovpnent['ripaddr'] = $_POST['ripaddr']; + $ovpnent['netmask'] = $_POST['netmask']; + $ovpnent['range_from'] = $_POST['range_from']; + $ovpnent['range_to'] = $_POST['range_to']; + $ovpnent['gateway'] = $_POST['gateway']; + $ovpnent['bridge'] = $_POST['bridge']; + + $ovpnent['descr'] = $_POST['descr']; + $ovpnent['verb'] = $_POST['verb']; + $ovpnent['maxcli'] = $_POST['maxcli']; + $ovpnent['crypto'] = $_POST['crypto']; + $ovpnent['comp_method'] = $_POST['comp_method']; + $ovpnent['cli2cli'] = $_POST['cli2cli'] ? true : false; + $ovpnent['dupcn'] = $_POST['dupcn'] ? true : false; + $ovpnent['dynip'] = $_POST['dynip'] ? true : false; + $ovpnent['tlsauth'] = $_POST['tlsauth'] ? true : false; + $ovpnent['crlname'] = $_POST['crlname']; + + unset($ovpnent['pre-shared-key']); + if ($_POST['pre-shared-key']) + $ovpnent['pre-shared-key'] = base64_encode($_POST['pre-shared-key']); + + $ovpnent['psh_options']['redir'] = $_POST['psh_redir'] ? true : false; + $ovpnent['psh_options']['redir_loc'] = $_POST['psh_redir_loc'] ? true : false; + $ovpnent['psh_options']['rtedelay'] = $_POST['psh_rtedelay'] ? true : false; + $ovpnent['psh_options']['inact'] = $_POST['psh_inact'] ? true : false; + $ovpnent['psh_options']['ping'] = $_POST['psh_ping'] ? true : false; + $ovpnent['psh_options']['pingrst'] = $_POST['psh_pingrst'] ? true : false; + $ovpnent['psh_options']['pingexit'] = $_POST['psh_pingexit'] ? true : false; + + unset($ovpnent['psh_options']['rtedelay_int']); + unset($ovpnent['psh_options']['inact_int']); + unset($ovpnent['psh_options']['ping_int']); + unset($ovpnent['psh_options']['pingrst_int']); + unset($ovpnent['psh_options']['pingexit_int']); + + if ($_POST['psh_rtedelay_int']) + $ovpnent['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int']; + if ($_POST['psh_inact_int']) + $ovpnent['psh_options']['inact_int'] = $_POST['psh_inact_int']; + if ($_POST['psh_ping_int']) + $ovpnent['psh_options']['ping_int'] = $_POST['psh_ping_int']; + if ($_POST['psh_pingrst_int']) + $ovpnent['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int']; + if ($_POST['psh_pingexit_int']) + $ovpnent['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int']; + + $ovpnent['ca_cert'] = base64_encode($_POST['ca_cert']); + $ovpnent['srv_cert'] = base64_encode($_POST['srv_cert']); + $ovpnent['srv_key'] = base64_encode($_POST['srv_key']); + $ovpnent['dh_param'] = base64_encode($_POST['dh_param']); + + /* expertmode params */ + $ovpnent['expertmode_enabled'] = $_POST['expertmode_enabled'] ? true : false; + + if (!is_array($options)) + $options = array(); + if (!is_array($ovpnent['expertmode'])) + $ovpnent['expertmode'] = array(); + + $options['option'] = array_map('trim', explode("\n", trim($_POST['expertmode_options']))); + $ovpnent['expertmode'] = $options; + + if (isset($id) && $ovpnsrv[$id]) + $ovpnsrv[$id] = $ovpnent; + else + $ovpnsrv[] = $ovpnent; + + write_config(); + ovpn_srv_dirty($ovpnent['tun_iface']); + + header("Location: vpn_openvpn_srv.php"); + exit; + } else { + + $pconfig = $_POST; + + $pconfig['enable'] = "true"; + if (isset($_POST['disabled'])) + unset($pconfig['enable']); + + $pconfig['pre-shared-key'] = base64_encode($_POST['pre-shared-key']); + $pconfig['ca_cert'] = base64_encode($_POST['ca_cert']); + $pconfig['srv_cert'] = base64_encode($_POST['srv_cert']); + $pconfig['srv_key'] = base64_encode($_POST['srv_key']); + $pconfig['dh_param'] = base64_encode($_POST['dh_param']); + + $pconfig['psh_options']['redir'] = $_POST['psh_redir']; + $pconfig['psh_options']['redir_loc'] = $_POST['psh_redir_loc']; + $pconfig['psh_options']['rtedelay'] = $_POST['psh_rtedelay']; + $pconfig['psh_options']['inact'] = $_POST['psh_inact']; + $pconfig['psh_options']['ping'] = $_POST['psh_ping']; + $pconfig['psh_options']['pingrst'] = $_POST['psh_pingrst']; + $pconfig['psh_options']['pingexit'] = $_POST['psh_pingexit']; + + $pconfig['psh_options']['rtedelay_int'] = $_POST['psh_rtedelay_int']; + $pconfig['psh_options']['inact_int'] = $_POST['psh_inact_int']; + $pconfig['psh_options']['ping_int'] = $_POST['psh_ping_int']; + $pconfig['psh_options']['pingrst_int'] = $_POST['psh_pingrst_int']; + $pconfig['psh_options']['pingexit_int'] = $_POST['psh_pingexit_int']; + } +} + + +?> + + + +
+WARNING: This feature is experimental and modifies your optional interface configuration. + Backup your configuration before using OpenVPN, and restore it before upgrading.
 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Disabled + > + Disable this server
+ Set this option to disable this server without removing it from the list. +
OpenVPN protocol/port + > + UDP  + > + TCP

+ Port: +
+ Enter the port number to use for the server (default is 1194).
Interface binding + +
+ Choose an interface for the OpenVPN server to listen on.
Dynamic IP address + > + Dynamic IP address
+ Set this option to on, if your IP addresses are being assigned dynamically. Can only be used with interface binding set to ALL.
Description + +
You may enter a description here for your reference (not parsed).
Cryptographic options
Authentication method +
Must match the setting chosen on the remote side.
CA certificate + +
+ Paste a CA certificate in X.509 PEM format here.
Server certificate + +
+ Paste a server certificate in X.509 PEM format here.
Server key + +
Paste the server RSA private key here.
DH parameters + +
+ Paste the Diffie-Hellman parameters in PEM format here.
Crypto + +
+ Select a data channel encryption cipher.
TLS auth + onclick="tls_change(false)"> + TLS auth
+ The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification.
Pre-shared secret + +
+ Paste your own pre-shared secret here.
CRL + +
+ You can choose a CRL (certificate revocation list) file in PEM format here. + Each peer certificate is checked against this file.
IP configuration
Tunnel type + > + TUN  + > + TAP +
Bridge with +
Only supported with authentication method set to RSA signature. +
OpenVPN address assignment + + + + + + + + + + + + + + + + + + +
> + Managed by OpenVPN +
> + Configure manually or by DHCP Server +
> + Static assignment +
  
Maximum number of simultaneous clients:  
(leave blank to disable)		 + +
+
+ When using OpenVPN for address assignment, set aside a pool of subnets to be + dynamically allocated to connecting clients, similar to a DHCP server.
+
+ For tun-style tunnels, each client will be given a /30 subnet + (for interoperability with Windows clients).
+ For tap-style tunnels, individual addresses will be allocated, and the optional + netmask parameter will also be pushed to clients.
+
+ + + + + + +
IP address block:   + / + +
+
+ For bridges interfaces OpenVPN will allocate + an IP range in the bridged subnet to connecting clients.

+ The gateway and netmask parameters + can be set to either the IP of the bridge interface, or to + the IP of the default gateway/router on the bridged subnet.
+
+ + + + + + + + + + + +
Range:   +  to  +
Gateway:   +
+
  + When using pre-shared keys, enter the IP address and subnet mask + of the local and remote VPN endpoint here. For TAP devices, only the + IP address of the local VPN endpoint is needed. The netmask is the subnet mask + of the virtual ethernet segment which is being created or connected to.
+
+ + + + + + + + + + +
Local IP address:   + / + +
Remote IP address:   +
+
Server Options
Internal routing mode + > + Enable client-to-client routing
+ If this option is on, clients are allowed to talk to each other.
Client authentication + > + Permit duplicate client certificates
+ If this option is on, clients with duplicate certificates will not be disconnected.
Compression method + +
+ Choose which compression method to use.
+
+ LZO compression generally improves performance on slow links, + but may add up to 1 byte per packet for incompressible data.
+
+ With adaptive compression, OpenVPN will periodically sample the + compression process to measure its efficiency. If the data being + sent over the tunnel is already compressed, the compression + efficiency will be very low. Choose 'LZO (no adaptive)' + to disable OpenVPN's adaptive compression algorithm. +
Client-push options + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
> + Redirect-gateway > + Local
> Route-delay  seconds
> + Inactive  + seconds
> Ping Interval: seconds
> Ping-exit Interval: seconds
> Ping-restart Interval: seconds
Expert mode + > + Enable expert OpenVPN mode
+ If this option is on, you can specify your own extra commands for the OpenVPN server.
+ + Note:
+ Commands in expert mode aren't supported. +
  + + + + + +
+
+ + diff -Nur rootfs-1.21/usr/local/www/vpn_openvpn_srv.php rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_srv.php --- rootfs-1.21/usr/local/www/vpn_openvpn_srv.php 1970-01-01 01:00:00.000000000 +0100 +++ rootfs-1.21-ovpn1/usr/local/www/vpn_openvpn_srv.php 2006-01-14 11:49:22.000000000 +0100 @@ -0,0 +1,183 @@ +#!/usr/local/bin/php + + + + +
+

+You must apply the changes in order for them to take effect.");?>
+

+ + + + + + + +
+ +
+ WARNING: This feature is experimental and modifies your optional interface configuration. + Backup your configuration before using OpenVPN, and restore it before upgrading.

+ + + + + + + + + + + + + "; + $spane = ""; + } else { + $spans = $spane = ""; + } + + if ($server['bind_iface'] == 'all') + $ipaddr = "0.0.0.0"; + else + $ipaddr = ovpn_get_ip($server['bind_iface']); + ?> + + + + + + + + + + + + + + + +
InterfaceProtocolSocketIP BlockCryptoDescription
+ + + + + + + + + + + + +   + +  
 
+
+
+