OpenVPN export: offer the ability to export a user without a certificate and increase consistency between export types.

2026-03-15 09:04:39 +00:00 · 2021-05-18 10:08:07 +02:00 · 2021-05-18 10:08:07 +02:00 · 2ba6da4eef
commit 2ba6da4eef
parent 408ef03b6a
5 changed files with 41 additions and 29 deletions
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ExportController.php
@ -203,7 +203,12 @@ class ExportController extends ApiControllerBase
     */
    public function accountsAction($vpnid)
    {
-        $result = array();
+        $result = [
+            null => [
+                "description" => gettext("(none) Exclude certificate from export"),
+                "users" => []
+            ]
+        ];
        $server = $this->findServer($vpnid);
        if ($server !== null) {
            // collect certificates for this server's ca
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php
@ -75,16 +75,18 @@ class ArchiveOpenVPN extends PlainOpenVPN
        mkdir($content_dir, 0700, true);

        if (empty($this->config['cryptoapi'])) {
-            // export keypair
-            $p12 = $this->export_pkcs12(
-                $this->config['client_crt'],
-                $this->config['client_prv'],
-                !empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
-                !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
-            );
+            if (!empty($this->config['client_crt'])) {
+                // export keypair
+                $p12 = $this->export_pkcs12(
+                    $this->config['client_crt'],
+                    $this->config['client_prv'],
+                    !empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
+                    !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
+                );

-            file_put_contents("{$content_dir}/{$base_filename}.p12", $p12);
-            $conf[] = "pkcs12 {$base_filename}.p12";
+                file_put_contents("{$content_dir}/{$base_filename}.p12", $p12);
+                $conf[] = "pkcs12 {$base_filename}.p12";
+            }
        } else {
            // use internal Windows store, only flush ca (when available)
            if (!empty($this->config['server_ca_chain'])) {
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
@ -180,7 +180,8 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
            }
            $conf[] = "</ca>";
        }
-        if ($this->config['mode'] !== "server_user" && empty($this->config['cryptoapi'])) {
+
+        if (!empty($this->config['client_crt']) && empty($this->config['cryptoapi'])) {
            $conf[] = "<cert>";
            $conf = array_merge($conf, explode("\n", trim($this->config['client_crt'])));
            $conf[] = "</cert>";
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/TheGreenBow.php
@ -170,15 +170,17 @@ class TheGreenBow extends BaseExporter implements IExportProvider
        }

        // client certificate
-        $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->public_key =
-            "\n" . $this->config['client_crt'];
-        $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->private_key =
-            "\n" . $this->config['client_prv'];
-        // server CA-chain
-        $output->cfg_ssl->cfg_sslconnection->authentication->certificate[1]->public_key = "\n" . implode(
-            "\n",
-            $this->config['server_ca_chain']
-        );
+        if (!empty($this->config['client_crt'])) {
+            $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->public_key =
+                "\n" . $this->config['client_crt'];
+            $output->cfg_ssl->cfg_sslconnection->authentication->certificate[0]->private_key =
+                "\n" . $this->config['client_prv'];
+            // server CA-chain
+            $output->cfg_ssl->cfg_sslconnection->authentication->certificate[1]->public_key = "\n" . implode(
+                "\n",
+                $this->config['server_ca_chain']
+            );
+        }

        // export to DOM to reformat+pretty-print output
        $dom = new \DOMDocument("1.0");
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php
@ -109,16 +109,18 @@ class ViscosityVisz extends PlainOpenVPN
        mkdir($content_dir, 0700, true);

        if (empty($this->config['cryptoapi'])) {
-            // export keypair
-            $p12 = $this->export_pkcs12(
-                $this->config['client_crt'],
-                $this->config['client_prv'],
-                !empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
-                !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
-            );
+            if (!empty($this->config['client_crt'])) {
+                // export keypair
+                $p12 = $this->export_pkcs12(
+                    $this->config['client_crt'],
+                    $this->config['client_prv'],
+                    !empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
+                    !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
+                );

-            file_put_contents("{$content_dir}/pkcs.p12", $p12);
-            $conf[] = "pkcs12 pkcs.p12";
+                file_put_contents("{$content_dir}/pkcs.p12", $p12);
+                $conf[] = "pkcs12 pkcs.p12";
+            }
        } else {
            // use internal Windows store, only flush ca (when available)
            if (!empty($this->config['server_ca_chain'])) {