From b5fc573016bc8a817bd3de8e7dc233472cd22378 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 4 Aug 2015 13:24:00 +0000
Subject: [PATCH] (legacy) cleanup vpn_openvpn_server.php and add help buttons (fix for https://github.com/opnsense/core/issues/297)
---
 src/www/vpn_openvpn_server.php | 1966 ++++++++++++++------------------
 1 file changed, 826 insertions(+), 1140 deletions(-)
diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php
index 3d9170624..2bca6d90a 100644
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
@@ -26,530 +26,381 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("openvpn.inc"); require_once("services.inc"); require_once("interfaces.inc"); -$openvpn_dh_lengths = array(1024, 2048, 4096 ); -$openvpn_cert_depths = array( - 1 => "One (Client+Server)", - 2 => "Two (Client+Intermediate+Server)", - 3 => "Three (Client+2xIntermediate+Server)", - 4 => "Four (Client+3xIntermediate+Server)", - 5 => "Five (Client+4xIntermediate+Server)" -); - -$openvpn_server_modes = array( - 'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"), - 'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )"), - 'server_tls' => gettext("Remote Access ( SSL/TLS )"), - 'server_user' => gettext("Remote Access ( User Auth )"), - 'server_tls_user' => gettext("Remote Access ( SSL/TLS + User Auth )")); - if (!isset($config['openvpn']['openvpn-server'])) { $config['openvpn']['openvpn-server'] = array(); } - $a_server = &$config['openvpn']['openvpn-server']; -if (!is_array($config['ca'])) { - $config['ca'] = array(); -} - -$a_ca =& $config['ca']; - -if (!isset($config['cert']) || !is_array($config['cert'])) { - $config['cert'] = array(); -} - -$a_cert =& $config['cert']; - -if (!isset($config['crl']) || !is_array($config['crl'])) { - $config['crl'] = array(); -} - -$a_crl =& $config['crl']; - -foreach ($a_crl as $cid => $acrl) { - if (!isset($acrl['refid'])) { - unset ($a_crl[$cid]); - } -} - -if (isset($_GET['id']) && is_numericint($_GET['id'])) { - $id = $_GET['id']; -} -if (isset($_POST['id']) && is_numericint($_POST['id'])) { - $id = $_POST['id']; -} - -if (isset($_POST['act'])) { - $act = $_POST['act']; -} elseif (isset($_GET['act'])) { - $act = $_GET['act']; -} else { - $act = null; -} - -if (isset($id) && $a_server[$id]) { - $vpnid = $a_server[$id]['vpnid']; -} else { - $vpnid = 0; -} - -if (isset($_GET['act']) && $_GET['act'] == "del") { - if (!isset($a_server[$id])) { - 
redirectHeader("vpn_openvpn_server.php"); - exit; - } - if (!empty($a_server[$id])) { - openvpn_delete('server', $a_server[$id]); - } - unset($a_server[$id]); - write_config(); - $savemsg = gettext("Server successfully deleted")."
"; -} - -if (isset($_GET['act']) && $_GET['act']=="new") { - $pconfig['autokey_enable'] = "yes"; - $pconfig['tlsauth_enable'] = "yes"; - $pconfig['autotls_enable'] = "yes"; - $pconfig['dh_length'] = 1024; - $pconfig['dev_mode'] = "tun"; - $pconfig['interface'] = "wan"; - $pconfig['local_port'] = openvpn_port_next('UDP'); - $pconfig['pool_enable'] = "yes"; - $pconfig['cert_depth'] = 1; - $pconfig['verbosity_level'] = 1; // Default verbosity is 1 - // OpenVPN Defaults to SHA1 - $pconfig['digest'] = "SHA1"; -} - -if (isset($_GET['act']) && $_GET['act']=="edit") { - if (isset($id) && $a_server[$id]) { - $pconfig['disable'] = isset($a_server[$id]['disable']); - $pconfig['mode'] = $a_server[$id]['mode']; - $pconfig['protocol'] = $a_server[$id]['protocol']; - $pconfig['authmode'] = $a_server[$id]['authmode']; - $pconfig['dev_mode'] = $a_server[$id]['dev_mode']; - $pconfig['interface'] = $a_server[$id]['interface']; - if (!empty($a_server[$id]['ipaddr'])) { - $pconfig['interface'] = $pconfig['interface'] . '|' . 
$a_server[$id]['ipaddr']; - } - $pconfig['local_port'] = $a_server[$id]['local_port']; - $pconfig['description'] = $a_server[$id]['description']; - $pconfig['custom_options'] = $a_server[$id]['custom_options']; - - if ($pconfig['mode'] != "p2p_shared_key") { - if ($a_server[$id]['tls']) { - $pconfig['tlsauth_enable'] = "yes"; - $pconfig['tls'] = base64_decode($a_server[$id]['tls']); - } - $pconfig['caref'] = $a_server[$id]['caref']; - $pconfig['crlref'] = $a_server[$id]['crlref']; - $pconfig['certref'] = $a_server[$id]['certref']; - $pconfig['dh_length'] = $a_server[$id]['dh_length']; - if (isset($a_server[$id]['cert_depth'])) { - $pconfig['cert_depth'] = $a_server[$id]['cert_depth']; - } else { - $pconfig['cert_depth'] = 1; - } - if ($pconfig['mode'] == "server_tls_user") { - $pconfig['strictusercn'] = $a_server[$id]['strictusercn']; - } - } else { - $pconfig['shared_key'] = base64_decode($a_server[$id]['shared_key']); - } - $pconfig['crypto'] = $a_server[$id]['crypto']; - // OpenVPN Defaults to SHA1 if unset - $pconfig['digest'] = !empty($a_server[$id]['digest']) ? 
$a_server[$id]['digest'] : "SHA1"; - $pconfig['engine'] = $a_server[$id]['engine']; - - $pconfig['tunnel_network'] = $a_server[$id]['tunnel_network']; - $pconfig['tunnel_networkv6'] = $a_server[$id]['tunnel_networkv6']; - - $pconfig['remote_network'] = $a_server[$id]['remote_network']; - $pconfig['remote_networkv6'] = $a_server[$id]['remote_networkv6']; - $pconfig['gwredir'] = $a_server[$id]['gwredir']; - $pconfig['local_network'] = $a_server[$id]['local_network']; - $pconfig['local_networkv6'] = $a_server[$id]['local_networkv6']; - $pconfig['maxclients'] = $a_server[$id]['maxclients']; - $pconfig['compression'] = $a_server[$id]['compression']; - $pconfig['passtos'] = $a_server[$id]['passtos']; - $pconfig['client2client'] = $a_server[$id]['client2client']; - - $pconfig['dynamic_ip'] = $a_server[$id]['dynamic_ip']; - $pconfig['pool_enable'] = $a_server[$id]['pool_enable']; - $pconfig['topology_subnet'] = $a_server[$id]['topology_subnet']; - - $pconfig['serverbridge_dhcp'] = $a_server[$id]['serverbridge_dhcp']; - $pconfig['serverbridge_interface'] = $a_server[$id]['serverbridge_interface']; - $pconfig['serverbridge_dhcp_start'] = $a_server[$id]['serverbridge_dhcp_start']; - $pconfig['serverbridge_dhcp_end'] = $a_server[$id]['serverbridge_dhcp_end']; - - $pconfig['dns_domain'] = $a_server[$id]['dns_domain']; - if ($pconfig['dns_domain']) { - $pconfig['dns_domain_enable'] = true; - } - - $pconfig['dns_server1'] = $a_server[$id]['dns_server1']; - $pconfig['dns_server2'] = $a_server[$id]['dns_server2']; - $pconfig['dns_server3'] = $a_server[$id]['dns_server3']; - $pconfig['dns_server4'] = $a_server[$id]['dns_server4']; - if ($pconfig['dns_server1'] || - $pconfig['dns_server2'] || - $pconfig['dns_server3'] || - $pconfig['dns_server4']) { - $pconfig['dns_server_enable'] = true; - } - - $pconfig['ntp_server1'] = $a_server[$id]['ntp_server1']; - $pconfig['ntp_server2'] = $a_server[$id]['ntp_server2']; - if ($pconfig['ntp_server1'] || - $pconfig['ntp_server2']) { - 
$pconfig['ntp_server_enable'] = true; - } - - $pconfig['netbios_enable'] = $a_server[$id]['netbios_enable']; - $pconfig['netbios_ntype'] = $a_server[$id]['netbios_ntype']; - $pconfig['netbios_scope'] = $a_server[$id]['netbios_scope']; - - $pconfig['wins_server1'] = $a_server[$id]['wins_server1']; - $pconfig['wins_server2'] = $a_server[$id]['wins_server2']; - if ($pconfig['wins_server1'] || - $pconfig['wins_server2']) { - $pconfig['wins_server_enable'] = true; - } - - $pconfig['client_mgmt_port'] = $a_server[$id]['client_mgmt_port']; - if ($pconfig['client_mgmt_port']) { - $pconfig['client_mgmt_port_enable'] = true; - } - - $pconfig['nbdd_server1'] = $a_server[$id]['nbdd_server1']; - if ($pconfig['nbdd_server1']) { - $pconfig['nbdd_server_enable'] = true; - } - - // just in case the modes switch - $pconfig['autokey_enable'] = "yes"; - $pconfig['autotls_enable'] = "yes"; - - $pconfig['duplicate_cn'] = isset($a_server[$id]['duplicate_cn']); - - $pconfig['no_tun_ipv6'] = $a_server[$id]['no_tun_ipv6']; - if (isset($a_server[$id]['verbosity_level'])) { - $pconfig['verbosity_level'] = $a_server[$id]['verbosity_level']; - } else { - $pconfig['verbosity_level'] = 1; // Default verbosity is 1 - } - $pconfig['push_register_dns'] = $a_server[$id]['push_register_dns']; - } -} -if ($_POST) { - $input_errors = array(); - $pconfig = $_POST; - - if (isset($id) && $a_server[$id]) { - $vpnid = $a_server[$id]['vpnid']; - } else { - $vpnid = 0; - } - - list($iv_iface, $iv_ip) = explode("|", $pconfig['interface']); - if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) { - $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 IP address."); - } elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) { - $input_errors[] = gettext("Protocol and IP address families do not match. 
You cannot select an IPv4 protocol and an IPv6 IP address."); - } elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) { - $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address."); - } elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) { - $input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address."); - } - - if ($pconfig['mode'] != "p2p_shared_key") { - $tls_mode = true; - } else { - $tls_mode = false; - } - - if (empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) { - $input_errors[] = gettext("You must select a Backend for Authentication if the server mode requires User Auth."); - } - - /* input validation */ - if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) { - $input_errors[] = $result; - } - - if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network', false, "ipv4")) { - $input_errors[] = $result; - } - - if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6")) { - $input_errors[] = $result; - } - - if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4")) { - $input_errors[] = $result; - } - - if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], 'IPv6 Remote Network', true, "ipv6")) { - $input_errors[] = $result; - } - - if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4")) { - $input_errors[] = $result; - } - - if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6")) { - $input_errors[] = $result; - } - - $portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid); - 
if (($portused != $vpnid) && ($portused != 0)) { - $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value"); - } - - if ($pconfig['autokey_enable']) { - $pconfig['shared_key'] = openvpn_create_key(); - } - - if (!$tls_mode && !$pconfig['autokey_enable']) { - if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") || - !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) { - $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid"); - } - } - - if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) { - if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || - !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) { - $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); - } - } - - if ($pconfig['dns_server_enable']) { - if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) { - $input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IP address"); - } - if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) { - $input_errors[] = gettext("The field 'DNS Server #2' must contain a valid IP address"); - } - if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) { - $input_errors[] = gettext("The field 'DNS Server #3' must contain a valid IP address"); - } - if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) { - $input_errors[] = gettext("The field 'DNS Server #4' must contain a valid IP address"); - } - } - - if ($pconfig['ntp_server_enable']) { - if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) { - $input_errors[] = gettext("The field 'NTP Server #1' must contain a valid IP address"); - } - if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) { - $input_errors[] = gettext("The field 'NTP Server #2' 
must contain a valid IP address"); - } - if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3']))) { - $input_errors[] = gettext("The field 'NTP Server #3' must contain a valid IP address"); - } - if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4']))) { - $input_errors[] = gettext("The field 'NTP Server #4' must contain a valid IP address"); - } - } - - if ($pconfig['netbios_enable']) { - if ($pconfig['wins_server_enable']) { - if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) { - $input_errors[] = gettext("The field 'WINS Server #1' must contain a valid IP address"); - } - if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) { - $input_errors[] = gettext("The field 'WINS Server #2' must contain a valid IP address"); - } - } - if ($pconfig['nbdd_server_enable']) { - if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) { - $input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address"); - } - } - } - - if ($pconfig['client_mgmt_port_enable']) { - if ($result = openvpn_validate_port($pconfig['client_mgmt_port'], 'Client management port')) { - $input_errors[] = $result; - } - } - - if ($pconfig['maxclients'] && !is_numeric($pconfig['maxclients'])) { - $input_errors[] = gettext("The field 'Concurrent connections' must be numeric."); - } - - /* If we are not in shared key mode, then we need the CA/Cert. */ - if ($pconfig['mode'] != "p2p_shared_key") { - $reqdfields = explode(" ", "caref certref"); - $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); - } elseif (!$pconfig['autokey_enable']) { - /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. 
*/ - $reqdfields = array('shared_key'); - $reqdfieldsn = array(gettext('Shared key')); - } - - if ($pconfig['dev_mode'] != "tap") { - $reqdfields[] = 'tunnel_network'; - $reqdfieldsn[] = gettext('Tunnel network'); - } else { - if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) { - $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed."); - } - if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end']) - || (!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end'])) { - $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined."); - } - if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start']))) { - $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address."); - } - if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end']))) { - $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address."); - } - if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end'])) { - $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end)."); - } - } - do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); - - if (!$input_errors) { - $server = array(); - - if ($id && $pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) { - openvpn_delete('server', $a_server[$id]);// delete(rename) old interface so a new TUN or TAP interface can be created. 
- } - if ($vpnid) { - $server['vpnid'] = $vpnid; - } else { - $server['vpnid'] = openvpn_vpnid_next(); - } - - if ($_POST['disable'] == "yes") { - $server['disable'] = true; - } - $server['mode'] = $pconfig['mode']; - if (!empty($pconfig['authmode'])) { - $server['authmode'] = implode(",", $pconfig['authmode']); - } - $server['protocol'] = $pconfig['protocol']; - $server['dev_mode'] = $pconfig['dev_mode']; - list($server['interface'], $server['ipaddr']) = explode("|", $pconfig['interface']); - $server['local_port'] = $pconfig['local_port']; - $server['description'] = $pconfig['description']; - $server['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']); - - if ($tls_mode) { - if ($pconfig['tlsauth_enable']) { - if ($pconfig['autotls_enable']) { - $pconfig['tls'] = openvpn_create_key(); - } - $server['tls'] = base64_encode($pconfig['tls']); - } - $server['caref'] = $pconfig['caref']; - $server['crlref'] = $pconfig['crlref']; - $server['certref'] = $pconfig['certref']; - $server['dh_length'] = $pconfig['dh_length']; - $server['cert_depth'] = $pconfig['cert_depth']; - if ($pconfig['mode'] == "server_tls_user") { - $server['strictusercn'] = $pconfig['strictusercn']; - } - } else { - $server['shared_key'] = base64_encode($pconfig['shared_key']); - } - $server['crypto'] = $pconfig['crypto']; - $server['digest'] = $pconfig['digest']; - $server['engine'] = $pconfig['engine']; - - $server['tunnel_network'] = $pconfig['tunnel_network']; - $server['tunnel_networkv6'] = $pconfig['tunnel_networkv6']; - $server['remote_network'] = $pconfig['remote_network']; - $server['remote_networkv6'] = $pconfig['remote_networkv6']; - $server['gwredir'] = $pconfig['gwredir']; - $server['local_network'] = $pconfig['local_network']; - $server['local_networkv6'] = $pconfig['local_networkv6']; - $server['maxclients'] = $pconfig['maxclients']; - $server['compression'] = $pconfig['compression']; - $server['passtos'] = $pconfig['passtos']; - $server['client2client'] = 
$pconfig['client2client']; - - $server['dynamic_ip'] = $pconfig['dynamic_ip']; - $server['pool_enable'] = $pconfig['pool_enable']; - $server['topology_subnet'] = $pconfig['topology_subnet']; - - $server['serverbridge_dhcp'] = $pconfig['serverbridge_dhcp']; - $server['serverbridge_interface'] = $pconfig['serverbridge_interface']; - $server['serverbridge_dhcp_start'] = $pconfig['serverbridge_dhcp_start']; - $server['serverbridge_dhcp_end'] = $pconfig['serverbridge_dhcp_end']; - - if ($pconfig['dns_domain_enable']) { - $server['dns_domain'] = $pconfig['dns_domain']; - } - - if ($pconfig['dns_server_enable']) { - $server['dns_server1'] = $pconfig['dns_server1']; - $server['dns_server2'] = $pconfig['dns_server2']; - $server['dns_server3'] = $pconfig['dns_server3']; - $server['dns_server4'] = $pconfig['dns_server4']; - } - - if ($pconfig['push_register_dns']) { - $server['push_register_dns'] = $pconfig['push_register_dns']; - } - - if ($pconfig['ntp_server_enable']) { - $server['ntp_server1'] = $pconfig['ntp_server1']; - $server['ntp_server2'] = $pconfig['ntp_server2']; - } - - $server['netbios_enable'] = $pconfig['netbios_enable']; - $server['netbios_ntype'] = $pconfig['netbios_ntype']; - $server['netbios_scope'] = $pconfig['netbios_scope']; - - $server['no_tun_ipv6'] = $pconfig['no_tun_ipv6']; - $server['verbosity_level'] = $pconfig['verbosity_level']; - - if ($pconfig['netbios_enable']) { - if ($pconfig['wins_server_enable']) { - $server['wins_server1'] = $pconfig['wins_server1']; - $server['wins_server2'] = $pconfig['wins_server2']; - } - - if ($pconfig['dns_server_enable']) { - $server['nbdd_server1'] = $pconfig['nbdd_server1']; - } - } - - if ($pconfig['client_mgmt_port_enable']) { - $server['client_mgmt_port'] = $pconfig['client_mgmt_port']; - } - - if ($_POST['duplicate_cn'] == "yes") { - $server['duplicate_cn'] = true; - } - - if (isset($id) && $a_server[$id]) { - $a_server[$id] = $server; - } else { - $a_server[] = $server; - } - - openvpn_resync('server', 
$server); - write_config(); - - header("Location: vpn_openvpn_server.php"); - exit; - } - if (!empty($pconfig['authmode'])) { - $pconfig['authmode'] = implode(",", $pconfig['authmode']); - } +$act = null; +if ($_SERVER['REQUEST_METHOD'] === 'GET') { + // fetch id if provided + if (isset($_GET['id']) && is_numericint($_GET['id'])) { + $id = $_GET['id']; + } + if (isset($_GET['act'])) { + $act = $_GET['act']; + } + $pconfig = array(); + // defaults + $vpnid = 0; + $pconfig['verbosity_level'] = 1; + $pconfig['digest'] = "SHA1"; // OpenVPN Defaults to SHA1 if unset + $pconfig['autokey_enable'] = "yes"; + $pconfig['autotls_enable'] = "yes"; + $pconfig['tlsauth_enable'] = "yes"; + if ($act == "edit") { + if (isset($id) && isset($a_server[$id])) { + if ($a_server[$id]['mode'] != "p2p_shared_key") { + $pconfig['cert_depth'] = 1; + } + + // 1 on 1 copy of config attributes + $copy_fields = "mode,protocol,authmode,dev_mode,interface,local_port + ,description,custom_options,crypto,engine,tunnel_network + ,tunnel_networkv6,remote_network,remote_networkv6,gwredir,local_network + ,local_networkv6,maxclients,compression,passtos,client2client + ,dynamic_ip,pool_enable,topology_subnet,serverbridge_dhcp + ,serverbridge_interface,serverbridge_dhcp_start,serverbridge_dhcp_end + ,dns_server1,dns_server2,dns_server3,dns_server4,ntp_server1 + ,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1 + ,wins_server2,no_tun_ipv6,push_register_dns,dns_domain,nbdd_server1 + ,client_mgmt_port,verbosity_level,caref,crlref,certref,dh_length + ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid"; + + foreach (explode(",",$copy_fields) as $fieldname) { + $fieldname = trim($fieldname); + if(isset($a_server[$id][$fieldname])) { + $pconfig[$fieldname] = $a_server[$id][$fieldname]; + } elseif (!isset($pconfig[$fieldname])) { + // initialize element + $pconfig[$fieldname] = null; + } + } + + // load / convert + if (!empty($a_server[$id]['ipaddr'])) { + $pconfig['interface'] = 
$pconfig['interface'] . '|' . $a_server[$id]['ipaddr']; + } + if (!empty($a_server[$id]['shared_key'])) { + $pconfig['shared_key'] = base64_decode($a_server[$id]['shared_key']); + } else { + $pconfig['shared_key'] = null; + } + if (!empty($a_server[$id]['tls'])) { + $pconfig['tlsauth_enable'] = "yes"; + $pconfig['tls'] = base64_decode($a_server[$id]['tls']); + } else { + $pconfig['tls'] = null; + } + } + } elseif ($act == "new") { + $pconfig['dh_length'] = 1024; + $pconfig['dev_mode'] = "tun"; + $pconfig['interface'] = "wan"; + $pconfig['local_port'] = openvpn_port_next('UDP'); + $pconfig['pool_enable'] = "yes"; + $pconfig['cert_depth'] = 1; + // init all fields used in the form + $init_fields = "mode,protocol,authmode,dev_mode,interface,local_port + ,description,custom_options,crypto,engine,tunnel_network + ,tunnel_networkv6,remote_network,remote_networkv6,gwredir,local_network + ,local_networkv6,maxclients,compression,passtos,client2client + ,dynamic_ip,pool_enable,topology_subnet,serverbridge_dhcp + ,serverbridge_interface,serverbridge_dhcp_start,serverbridge_dhcp_end + ,dns_server1,dns_server2,dns_server3,dns_server4,ntp_server1 + ,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1 + ,wins_server2,no_tun_ipv6,push_register_dns,dns_domain,nbdd_server1 + ,client_mgmt_port,verbosity_level,caref,crlref,certref,dh_length + ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,shared_key,tls"; + foreach (explode(",",$copy_fields) as $fieldname) { + $fieldname = trim($fieldname); + if (!isset($pconfig[$fieldname])) { + $pconfig[$fieldname] = null; + } + } + + } +} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') { + if (isset($_POST['id']) && is_numericint($_POST['id'])) { + $id = $_POST['id']; + } + if (isset($_POST['act'])) { + $act = $_POST['act']; + } + + if ($act == "del") { + // action delete + if (!isset($a_server[$id])) { + redirectHeader("vpn_openvpn_server.php"); + exit; + } + if (!empty($a_server[$id])) { + openvpn_delete('server', 
$a_server[$id]); + } + unset($a_server[$id]); + write_config(); + $savemsg = gettext("Server successfully deleted")."
"; + } else { + // action add/update + $input_errors = array(); + $pconfig = $_POST; + + if (isset($id) && $a_server[$id]) { + $vpnid = $a_server[$id]['vpnid']; + } else { + $vpnid = 0; + } + if ($pconfig['mode'] != "p2p_shared_key") { + $tls_mode = true; + } else { + $tls_mode = false; + } + if (!empty($pconfig['autokey_enable'])) { + $pconfig['shared_key'] = openvpn_create_key(); + } + + // all input validators + if (strpos($pconfig['interface'],'|') !== false) { + list($iv_iface, $iv_ip) = explode("|", $pconfig['interface']); + } else { + $iv_iface = $pconfig['interface']; + $iv_ip = null; + } + + if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) { + $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 IP address."); + } elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) { + $input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv4 protocol and an IPv6 IP address."); + } elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) { + $input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address."); + } elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) { + $input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address."); + } + + if (empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) { + $input_errors[] = gettext("You must select a Backend for Authentication if the server mode requires User Auth."); + } + + if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port')) { + $input_errors[] = $result; + } + + if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network', false, "ipv4")) { 
+ $input_errors[] = $result; + } + + if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6")) { + $input_errors[] = $result; + } + + if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4")) { + $input_errors[] = $result; + } + + if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], 'IPv6 Remote Network', true, "ipv6")) { + $input_errors[] = $result; + } + + if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4")) { + $input_errors[] = $result; + } + + if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6")) { + $input_errors[] = $result; + } + + $portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid); + if (($portused != $vpnid) && ($portused != 0)) { + $input_errors[] = gettext("The specified 'Local port' is in use. Please select another value"); + } + + if (!$tls_mode && empty($pconfig['autokey_enable'])) { + if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") || + !strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) { + $input_errors[] = gettext("The field 'Shared Key' does not appear to be valid"); + } + } + + if ($tls_mode && !empty($pconfig['tlsauth_enable']) && empty($pconfig['autotls_enable'])) { + if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") || + !strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) { + $input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid"); + } + } + + if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) { + $input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IP address"); + } + if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) { + $input_errors[] = gettext("The field 'DNS Server #2' must contain a 
valid IP address"); + } + if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) { + $input_errors[] = gettext("The field 'DNS Server #3' must contain a valid IP address"); + } + if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) { + $input_errors[] = gettext("The field 'DNS Server #4' must contain a valid IP address"); + } + + if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) { + $input_errors[] = gettext("The field 'NTP Server #1' must contain a valid IP address"); + } + if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) { + $input_errors[] = gettext("The field 'NTP Server #2' must contain a valid IP address"); + } + if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3']))) { + $input_errors[] = gettext("The field 'NTP Server #3' must contain a valid IP address"); + } + if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4']))) { + $input_errors[] = gettext("The field 'NTP Server #4' must contain a valid IP address"); + } + + if (!empty($pconfig['wins_server_enable'])) { + if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) { + $input_errors[] = gettext("The field 'WINS Server #1' must contain a valid IP address"); + } + if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) { + $input_errors[] = gettext("The field 'WINS Server #2' must contain a valid IP address"); + } + } + if (!empty($pconfig['nbdd_server_enable'])) { + if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) { + $input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address"); + } + } + + if (!empty($pconfig['client_mgmt_port_enable'])) { + if ($result = openvpn_validate_port($pconfig['client_mgmt_port'], 'Client management port')) { + $input_errors[] = $result; + } + } + + if 
(!empty($pconfig['maxclients']) && !is_numeric($pconfig['maxclients'])) { + $input_errors[] = gettext("The field 'Concurrent connections' must be numeric."); + } + + /* If we are not in shared key mode, then we need the CA/Cert. */ + if (isset($pconfig['mode']) && $pconfig['mode'] != "p2p_shared_key") { + $reqdfields = explode(" ", "caref certref"); + $reqdfieldsn = array(gettext("Certificate Authority"),gettext("Certificate")); + } elseif (empty($pconfig['autokey_enable'])) { + /* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */ + $reqdfields = array('shared_key'); + $reqdfieldsn = array(gettext('Shared key')); + } + + if ($pconfig['dev_mode'] != "tap") { + $reqdfields[] = 'tunnel_network'; + $reqdfieldsn[] = gettext('Tunnel network'); + } else { + if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) { + $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed."); + } + if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end']) + || (!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end'])) { + $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined."); + } + if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start']))) { + $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address."); + } + if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end']))) { + $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address."); + } + if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end'])) { + $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end)."); + } + } + do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors); + + if (count($input_errors) == 0) { + // validation correct, save data + $server = array(); + + 
// delete(rename) old interface so a new TUN or TAP interface can be created. + if (isset($id) && $pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) { + openvpn_delete('server', $a_server[$id]); + } + // 1 on 1 copy of config attributes + $copy_fields = "mode,protocol,dev_mode,local_port,description,crypto,digest,engine + ,tunnel_network,tunnel_networkv6,remote_network,remote_networkv6 + ,gwredir,local_network,local_networkv6,maxclients,compression + ,passtos,client2client,dynamic_ip,pool_enable,topology_subnet + ,serverbridge_dhcp,serverbridge_interface,serverbridge_dhcp_start + ,serverbridge_dhcp_end,dns_domain,dns_server1,dns_server2,dns_server3 + ,dns_server4,push_register_dns,ntp_server1,ntp_server2,netbios_enable + ,netbios_ntype,netbios_scope,no_tun_ipv6,verbosity_level,wins_server1 + ,wins_server2,nbdd_server1,client_mgmt_port"; + + foreach (explode(",",$copy_fields) as $fieldname) { + $fieldname = trim($fieldname); + if(isset($pconfig[$fieldname])) { + $server[$fieldname] = $pconfig[$fieldname]; + } + } + + // attributes containing some kind of logic + if ($vpnid != 0) { + $server['vpnid'] = $vpnid; + } else { + $server['vpnid'] = openvpn_vpnid_next(); + } + + if ($pconfig['disable'] == "yes") { + $server['disable'] = true; + } + if (!empty($pconfig['authmode'])) { + $server['authmode'] = implode(",", $pconfig['authmode']); + } + if (strpos($pconfig['interface'], "|") !== false) { + list($server['interface'], $server['ipaddr']) = explode("|", $pconfig['interface']); + } + + $server['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']); + + if ($tls_mode) { + if ($pconfig['tlsauth_enable']) { + if (!empty($pconfig['autotls_enable'])) { + $pconfig['tls'] = openvpn_create_key(); + } + $server['tls'] = base64_encode($pconfig['tls']); + } + foreach (array("caref","crlref", + "certref","dh_length","cert_depth") as $cpKey) { + if (isset($pconfig[$cpKey])) { + $server[$cpKey] = $pconfig[$cpKey]; + } + } + if (isset($pconfig['mode']) && 
$pconfig['mode'] == "server_tls_user" && isset($server['strictusercn'])) { + $server['strictusercn'] = $pconfig['strictusercn']; + } + } else { + $server['shared_key'] = base64_encode($pconfig['shared_key']); + } + + if (isset($_POST['duplicate_cn']) && $_POST['duplicate_cn'] == "yes") { + $server['duplicate_cn'] = true; + } + + // update or add to config + if (isset($id) && $a_server[$id]) { + $a_server[$id] = $server; + } else { + $a_server[] = $server; + } + + openvpn_resync('server', $server); + write_config(); + + header("Location: vpn_openvpn_server.php"); + exit; + } elseif (!empty($pconfig['authmode'])) { + $pconfig['authmode'] = implode(",", $pconfig['authmode']); + } + } } $pgtitle = array(gettext("OpenVPN"), gettext("Server")); $shortcut_section = "openvpn"; @@ -560,13 +411,52 @@ $main_buttons = array( array('href'=>'vpn_openvpn_server.php?act=new', 'label'=>gettext("add server")), ); - +legacy_html_escape_form_data($pconfig); ?> -
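Review bot: A server whose interface selector carries no `|` (the plain "wan" case) is now saved without an `interface` key, because on the new side `$server['interface']` is only assigned inside the `strpos($pconfig['interface'], "|") !== false` branch and `interface` is absent from the save-side `$copy_fields` list, whereas the old code always ran `list($server['interface'], $server['ipaddr']) = explode("|", ...)`. Add the fallback `} else { $server['interface'] = $pconfig['interface']; }` so plain interface selections still persist. The `strictusercn` block just above has the same shape of problem: its guard tests `isset($server['strictusercn'])`, which nothing has set at that point, so the flag is silently dropped on every save of a `server_tls_user` instance — presumably relaxing the username/certificate-CN check that option is meant to enforce — and `isset($pconfig['strictusercn'])` is what was intended. Further up, the `act == "new"` branch defines `$init_fields` but then iterates `explode(",",$copy_fields)`, a variable only assigned in the edit branch, so new-server defaults are never initialized; change it to `foreach (explode(",", $init_fields) as $fieldname) {`.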