VPN: OpenVPN: Instances (MVC) (#6636)
* VPN: OpenVPN: Instances (MVC) bugfixes and additions: o fix lookup in tls_verify.php o add auth attribute o fix connection status reporting for non-existing clients * VPN: OpenVPN: Instances (MVC) bugfixes and additions: o add missing syshook for startup at boot o show instances in connection states when not connected
parent
1500419112
commit
db9abc9276
1
plist
1
plist
@ -136,6 +136,7 @@
|
||||
/usr/local/etc/rc.syshook.d/start/25-syslog
|
||||
/usr/local/etc/rc.syshook.d/start/90-carp
|
||||
/usr/local/etc/rc.syshook.d/start/90-cron
|
||||
/usr/local/etc/rc.syshook.d/start/90-openvpn
|
||||
/usr/local/etc/rc.syshook.d/start/90-sysctl
|
||||
/usr/local/etc/rc.syshook.d/start/95-beep
|
||||
/usr/local/etc/rc.syshook.d/stop/05-beep
|
||||
|
||||
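--- /dev/null
+++ b/src/etc/rc.syshook.d/start/90-openvpn
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+configctl -dq openvpn configure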
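Review bot: The new boot hook carries no comment explaining what it is for, and its single command is run with flags that presumably detach it and suppress output, so when instances fail to come up at boot there is nothing on the console to point at this script. A one-line comment after the shebang would help the next reader: `# bring up OpenVPN instances (MVC) at boot by running the configure action`. If `-q` also hides error output from configctl, consider whether a silent failure here is acceptable, or whether the action should log on its own.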
@ -55,10 +55,12 @@ class ServiceController extends ApiControllerBase
|
||||
}
|
||||
}
|
||||
foreach ((new OpenVPN())->Instances->Instance->iterateItems() as $node_uuid => $node) {
|
||||
$config_payload[$node_uuid] = [
|
||||
'enabled' => (string)$node->enabled,
|
||||
'description' => (string)$node->description
|
||||
];
|
||||
if ((string)$node->role == $role) {
|
||||
$config_payload[$node_uuid] = [
|
||||
'enabled' => (string)$node->enabled,
|
||||
'description' => (string)$node->description
|
||||
];
|
||||
}
|
||||
}
|
||||
return $config_payload;
|
||||
}
|
||||
|
||||
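Review bot: The role filter at `if ((string)$node->role == $role) {` uses loose `==`; both operands are strings here, so this only misbehaves for numeric-looking values, but `===` states the intent and costs nothing: `if ((string)$node->role === $role) {`. Instances of the other role are now left out of `$config_payload` entirely, which appears to be what the commit wants (only matching instances are listed while disconnected), but a short comment would save the next reader from wondering: `// only instances of the requested role are reported, including ones without active sessions`. The enclosing method, and where `$role` is validated, starts before the hunk.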
@ -143,6 +143,7 @@
|
||||
<id>instance.crl</id>
|
||||
<label>Certificate Revocation List</label>
|
||||
<type>dropdown</type>
|
||||
<style>selectpicker role role_server</style>
|
||||
<help>Select a certificate revocation list to use for this service.</help>
|
||||
</field>
|
||||
<field>
|
||||
@ -151,6 +152,13 @@
|
||||
<type>dropdown</type>
|
||||
<help>Specify if the client is required to offer a certificate.</help>
|
||||
</field>
|
||||
<field>
|
||||
<id>instance.cert_depth</id>
|
||||
<label>Certificate Depth</label>
|
||||
<type>dropdown</type>
|
||||
<style>selectpicker role role_server</style>
|
||||
<help>When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.</help>
|
||||
</field>
|
||||
<field>
|
||||
<id>instance.tls_key</id>
|
||||
<label>TLS static key</label>
|
||||
@ -160,6 +168,15 @@
|
||||
The prefixed mode determines if this measurement is only used for authentication (--tls-auth) or includes encryption (--tls-crypt).
|
||||
</help>
|
||||
</field>
|
||||
<field>
|
||||
<id>instance.auth</id>
|
||||
<label>Auth</label>
|
||||
<advanced>true</advanced>
|
||||
<type>dropdown</type>
|
||||
<help>
|
||||
Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg.
|
||||
</help>
|
||||
</field>
|
||||
<field>
|
||||
<id>instance.data-ciphers</id>
|
||||
<label>Data Ciphers</label>
|
||||
|
||||
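Review bot: The help text for `instance.auth` in the third hunk is the OpenVPN man-page sentence with its `alg` placeholder left in, and it says nothing about the `None` choice the model offers or about when the setting actually applies; as far as I recall, OpenVPN ignores --auth for the data channel once an AEAD cipher such as AES-GCM is negotiated and only uses it for tls-auth control packets. I would replace it with: `Message digest used to HMAC-authenticate data channel packets and, with tls-auth, control channel packets. Ignored for the data channel when an AEAD data cipher (e.g. AES-256-GCM) is negotiated. Selecting None disables packet authentication and should only be used for testing. Defaults to SHA1.` The field definitions themselves look consistent with the cert_depth and tls_key fields around them.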
@ -276,6 +276,7 @@ class OpenVPN extends BaseModel
|
||||
'tlsmode' => $this_mode,
|
||||
'certref' => (string)$node->cert,
|
||||
'caref' => $this_caref,
|
||||
'cert_depth' => (string)$node->cert_depth,
|
||||
'description' => (string)$node->description
|
||||
];
|
||||
}
|
||||
@ -311,6 +312,7 @@ class OpenVPN extends BaseModel
|
||||
'tlsmode' => (string)$item->tlsmode,
|
||||
'certref' => (string)$item->certref,
|
||||
'caref' => (string)$item->caref,
|
||||
'cert_depth' => (string)$item->cert_depth,
|
||||
'description' => (string)$item->description,
|
||||
// legacy only (backwards compatibility)
|
||||
'compression' => (string)$item->compression,
|
||||
@ -482,8 +484,9 @@ class OpenVPN extends BaseModel
|
||||
$options['verb'] = (string)$node->verb;
|
||||
$options['verify-client-cert'] = (string)$node->verify_client_cert;
|
||||
|
||||
foreach (
|
||||
['reneg-sec', 'auth-gen-token', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback'] as $opt
|
||||
foreach ([
|
||||
'reneg-sec', 'auth-gen-token', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback', 'auth'
|
||||
] as $opt
|
||||
) {
|
||||
if ((string)$node->$opt != '') {
|
||||
$options[$opt] = str_replace(',', ':', (string)$node->$opt);
|
||||
|
||||
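Review bot: The option loop tests `if ((string)$node->$opt != '')` with loose `!=`; the left side is already cast to string, so `if ((string)$node->$opt !== '') {` says the same thing without PHP's numeric-string coercion. The `str_replace(',', ':', ...)` on the next line is applied to every entry including the new `auth`, which is harmless because the model's auth values contain no commas, but a comment such as `// comma lists (data-ciphers) become OpenVPN's colon-separated form` would make clear why it is there. The enclosing method continues outside the hunk, as do the two `cert_depth` additions, which at least agree between the MVC and legacy export paths.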
@ -197,6 +197,17 @@
|
||||
<BlankDesc>None</BlankDesc>
|
||||
<ValidationMessage>Please select a valid certificate from the list</ValidationMessage>
|
||||
</crl>
|
||||
<cert_depth type="OptionField">
|
||||
<Required>N</Required>
|
||||
<BlankDesc>Do Not Check</BlankDesc>
|
||||
<OptionValues>
|
||||
<item1 value="1">One (Client+Server)</item1>
|
||||
<item2 value="2">Two (Client+Intermediate+Server)</item2>
|
||||
<item3 value="3">Three (Client+2xIntermediate+Server)</item3>
|
||||
<item4 value="4">Four (Client+3xIntermediate+Server)</item4>
|
||||
<item5 value="5">Five (Client+4xIntermediate+Server)</item5>
|
||||
</OptionValues>
|
||||
</cert_depth>
|
||||
<verify_client_cert type="OptionField">
|
||||
<Required>Y</Required>
|
||||
<default>require</default>
|
||||
@ -205,6 +216,33 @@
|
||||
<require>required</require>
|
||||
</OptionValues>
|
||||
</verify_client_cert>
|
||||
<auth type="OptionField">
|
||||
<Required>N</Required>
|
||||
<default>SHA1</default>
|
||||
<OptionValues>
|
||||
<BLAKE2b512>BLAKE2b512 (512-bit)</BLAKE2b512>
|
||||
<BLAKE2s256>BLAKE2s256 (256-bit)</BLAKE2s256>
|
||||
<MD4>MD4 (128-bit)</MD4>
|
||||
<MD5>MD5 (128-bit)</MD5>
|
||||
<MD5-SHA1>MD5-SHA1 (288-bit)</MD5-SHA1>
|
||||
<RIPEMD160>RIPEMD160 (160-bit)</RIPEMD160>
|
||||
<SHA1>SHA1 (160-bit)</SHA1>
|
||||
<SHA224>SHA224 (224-bit)</SHA224>
|
||||
<SHA256>SHA256 (256-bit)</SHA256>
|
||||
<SHA3-224>SHA3-224 (224-bit)</SHA3-224>
|
||||
<SHA3-256>SHA3-256 (256-bit)</SHA3-256>
|
||||
<SHA3-384>SHA3-384 (384-bit)</SHA3-384>
|
||||
<SHA3-512>SHA3-512 (512-bit)</SHA3-512>
|
||||
<SHA384>SHA384 (384-bit)</SHA384>
|
||||
<SHA512>SHA512 (512-bit)</SHA512>
|
||||
<SHA512-224>SHA512-224 (224-bit)</SHA512-224>
|
||||
<SHA512-256>SHA512-256 (256-bit)</SHA512-256>
|
||||
<SHAKE128>SHAKE128 (128-bit)</SHAKE128>
|
||||
<SHAKE256>SHAKE256 (256-bit)</SHAKE256>
|
||||
<whirlpool>whirlpool (512-bit)</whirlpool>
|
||||
<none>None (No Authentication)</none>
|
||||
</OptionValues>
|
||||
</auth>
|
||||
<data-ciphers type="OptionField">
|
||||
<Required>N</Required>
|
||||
<multiple>Y</multiple>
|
||||
|
||||
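Review bot: The new `auth` OptionField offers MD4, MD5 and MD5-SHA1 next to `none`, with nothing in the labels indicating that these are broken digests or that `none` turns data-channel authentication off; unless legacy interoperability requires them, I would drop MD4/MD5/MD5-SHA1 from the list, or at least mark them, e.g. `<MD5>MD5 (128-bit, weak - legacy only)</MD5>` and `<none>None (No Authentication - insecure)</none>`. The `SHA1` default mirrors OpenVPN's own default for --auth, so existing peers keep working; `Required` is `N` but a default is set, so a blank value presumably never reaches the generated config (the exporter on this page skips empty options). Whether OpenVPN accepts the SHAKE entries as HMAC digests is worth confirming against the target version before shipping them in the list.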
@ -34,7 +34,7 @@
|
||||
selection: false,
|
||||
formatters:{
|
||||
bytes: function(column, row) {
|
||||
if (row[column.id]) {
|
||||
if (row[column.id] && row[column.id] > 0) {
|
||||
return byteFormat(row[column.id], 2);
|
||||
}
|
||||
return '';
|
||||
|
||||
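Review bot: In the `bytes` formatter the first operand of `row[column.id] && row[column.id] > 0` is redundant: `null`, `undefined`, `''` and `0` all already fail `> 0`, so `if (row[column.id] > 0) {` is equivalent and reads better. The surrounding formatter object starts and ends outside the hunk.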
@ -133,7 +133,7 @@ if (isset($opts['h']) || empty($args) || !in_array($args[0], ['start', 'stop', '
|
||||
ovpn_start($node, $statHandle);
|
||||
break;
|
||||
case 'configure':
|
||||
if ($instance_stats['has_changed']) {
|
||||
if ($instance_stats['has_changed'] || !isvalidpid($node->pidFilename)) {
|
||||
ovpn_stop($node);
|
||||
ovpn_start($node, $statHandle);
|
||||
}
|
||||
|
||||
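Review bot: The new `configure` condition restarts an instance whenever `isvalidpid($node->pidFilename)` is false, which is what lets the boot hook bring instances up, but nothing in the hunk says so; a comment would help: `// (re)start when the config changed or the daemon is not running (boot, crash, stale pid file)`. Whether `ovpn_stop` is safe on a non-running instance and whether `ovpn_start` refuses disabled instances is decided outside the hunk. If `isvalidpid` only checks that the pid in the file is alive, a stale file whose pid has since been reused by an unrelated process would make the instance look running and skip the restart; worth confirming in `isvalidpid`.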
@ -36,16 +36,7 @@ require_once("config.inc");
|
||||
*/
|
||||
function do_verify($serverid)
|
||||
{
|
||||
global $config;
|
||||
$a_server = null;
|
||||
if (isset($config['openvpn']['openvpn-server'])) {
|
||||
foreach ($config['openvpn']['openvpn-server'] as $server) {
|
||||
if ($server['vpnid'] == $serverid) {
|
||||
$a_server = $server;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
$a_server = (new OPNsense\OpenVPN\OpenVPN())->getInstanceById($serverid, 'server');
|
||||
if ($a_server === null) {
|
||||
return "OpenVPN '$serverid' was not found. Denying authentication for user {$username}";
|
||||
}
|
||||
|
||||
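Review bot: `do_verify` drops `global $config;`, but the function body continues past the hunk; if any later line still reads `$config` (for example to resolve CA or certificate entries), it is now an undefined local and the check would degrade silently, so that remainder needs a look. The failure message `return "OpenVPN '$serverid' was not found. Denying authentication for user {$username}";` interpolates `$username`, which is neither a parameter of `do_verify($serverid)` nor declared in the visible body, so the returned text would carry an empty user name (plus an undefined-variable notice); either pass the user name in or drop it from the message. Denying on an unknown server id is the right fail-closed default and should stay.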