From e2bd521ffa5f6537cc6c27cf45f3c17226e825b8 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 20 Apr 2018 17:34:41 +0200
Subject: [PATCH] OpenVPN, handle radius Framed-IP-Address Framed-IP-Network attributes, for https://github.com/opnsense/core/issues/2348
---
 .../inc/plugins.inc.d/openvpn/auth-user.php | 27 ++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/etc/inc/plugins.inc.d/openvpn/auth-user.php b/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
index e2f482280..4ce0451ef 100644
--- a/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
+++ b/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
@@ -39,6 +39,7 @@ require_once("config.inc");
 require_once("auth.inc");
 require_once("util.inc");
 require_once("interfaces.inc");
+require_once("plugins.inc.d/openvpn.inc");
 
 function get_openvpn_server($serverid)
 {
@@ -53,6 +54,16 @@ function get_openvpn_server($serverid)
 return null;
 }
 
+function parse_auth_properties($props)
+{
+ $result = array();
+ if (!empty($props['Framed-IP-Address']) && !empty($props['Framed-IP-Netmask'])) {
+ $cidrmask = 32-log((ip2long($props['Framed-IP-Netmask']) ^ ip2long('255.255.255.255'))+1,2);
+ $result['tunnel_network'] = $props['Framed-IP-Address'] . "/" . $cidrmask;
+ }
+ return $result;
+}
+
 /* setup syslog logging */
 openlog("openvpn", LOG_ODELAY, LOG_AUTH);
 
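Review bot: `parse_auth_properties()` derives the prefix length with `32-log(...,2)`, which is a float (string concatenation can render it with a fractional part when log2 is inexact), and for a malformed or non-contiguous netmask `ip2long()` returns `false`, which the XOR treats as 0, so the stored `tunnel_network` becomes `<address>/0`; neither RADIUS attribute is validated before it is merged into the client-specific override and handed to `openvpn_csc_conf_write()`. Validate both values as IPv4 with `filter_var(..., FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)`, count the set bits of the mask for an integer prefix length, and accept only a contiguous mask, as below. The commit subject names a `Framed-IP-Network` attribute while the code reads `Framed-IP-Netmask`; the subject should use the attribute name the code actually consumes.
```php
function parse_auth_properties($props)
{
    $result = array();
    $address = !empty($props['Framed-IP-Address']) ? $props['Framed-IP-Address'] : null;
    $netmask = !empty($props['Framed-IP-Netmask']) ? $props['Framed-IP-Netmask'] : null;
    if (filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false &&
        filter_var($netmask, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $mask = ip2long($netmask);
        $cidrmask = substr_count(decbin($mask), '1');
        // only a contiguous mask has a prefix length; reject e.g. 255.0.255.0
        if ($cidrmask > 0 && $mask == ((0xFFFFFFFF << (32 - $cidrmask)) & 0xFFFFFFFF)) {
            $result['tunnel_network'] = $address . "/" . $cidrmask;
        }
    }
    return $result;
}
```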
@@ -100,7 +111,21 @@ if (count($argv) > 6) {
 $authenticator = $authFactory->get($authName);
 if ($authenticator) {
 if ($authenticator->authenticate($username, $password)) {
- syslog(LOG_NOTICE, "user '{$username}' authenticated using '{$authName}'");
+ $vpnid = filter_var($a_server['vpnid'], FILTER_SANITIZE_NUMBER_INT);
+ // fetch or create client specif override
+ $all_cso = openvpn_fetch_csc_list();
+ if (!empty($all_cso[$vpnid][$common_name])) {
+ $cso = $all_cso[$vpnid][$common_name];
+ } else {
+ $cso = array("common_name" => $common_name);
+ }
+ $cso = array_merge($cso, parse_auth_properties($authenticator->getLastAuthProperties()));
+ $cso_filename = openvpn_csc_conf_write($cso, $a_server);
+ if (!empty($cso_filename)) {
+ syslog(LOG_NOTICE, "user '{$username}' authenticated using '{$authName}' cso :{$cso_filename}");
+ } else {
+ syslog(LOG_NOTICE, "user '{$username}' authenticated using '{$authName}'");
+ }
 closelog();
 exit(0);
 }
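Review bot: `openvpn_csc_conf_write($cso, $a_server)` runs on every successful login, including when no override is configured for `$common_name` and `parse_auth_properties()` returns an empty array, so `$cso` then holds nothing but `common_name`; if writing an override file in that case is not intended, keep the parsed attributes in a local and guard the write with `if (!empty($all_cso[$vpnid][$common_name]) || !empty($auth_props))` — whether a minimal override is harmless depends on `openvpn_csc_conf_write()`, which is outside this hunk. The common name originates from the client certificate and is passed into that helper together with `$a_server`, so the helper has to keep sanitizing it before deriving any file path from it; that cannot be verified here. The comment on the second added line should read `// fetch or create client specific override`, and the log message would read more cleanly as `... using '{$authName}', cso: {$cso_filename}`. The enclosing `if (count($argv) > 6)` block begins before this hunk.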