From ea4b494786632dfb66dd87153c7ba06c3330a585 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Fri, 9 Nov 2018 18:16:34 +0100
Subject: [PATCH] work in progress for https://github.com/opnsense/core/issues/2787 - add option : validate_server_cn - send "auth-user-pass" in PlainOpenVPN when mode is server_user or server_tls_user
---
 .../controllers/OPNsense/OpenVPN/forms/export_options.xml | 7 ++++++-
 .../mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php | 7 +++++++
 src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml | 4 ++++
 3 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
index a3e248fa7..0e9800c39 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml
@@ -31,7 +31,12 @@
 checkbox Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently. - + + openvpn_export.validate_server_cn + + checkbox + Verify the server certificate Common Name (CN) when the client connects + openvpn_export.testxx1
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
index a0556965e..337cb9d6f 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
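Review bot: The help text added for validate_server_cn in the export_options.xml hunk does not say that the option has no effect in server_user mode, although the PlainOpenVPN.php hunk in this same patch only emits `verify-x509-name` when the mode is not `server_user`; a user who ticks the box in that mode would believe the server CN is being verified when it is not. The element tags of this hunk are not preserved in the view, so I am inferring that this string is the field's help text. I would extend it to something like `Verify the server certificate Common Name (CN) when the client connects (certificate-based modes only)`, or make the exporter honour the option in every mode that has a server certificate so the text stays true as written.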
@@ -100,6 +100,13 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
 $conf[] = "lport 0";
 }
+ if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_cn'])
+ && !empty($this->config['validate_server_cn'])) {
+ $conf[] = "verify-x509-name \"{$this->config['server_cn']}\" name";
+ } elseif (in_array($this->config['mode'], array('server_user', 'server_tls_user'))) {
+ $conf[] = "auth-user-pass";
+ }
+
 return $conf;
 }
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
index cb5f2feb7..5d1dcede2 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml
@@ -22,6 +22,10 @@
 1 Y + + 1 + Y +
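Review bot: In server_tls_user mode with validate_server_cn enabled, the `elseif` makes the `verify-x509-name` line suppress `auth-user-pass`, so the exported client would pin the server CN but never send the user credentials that mode requires; pinning the CN and sending credentials are independent and belong in two separate `if` blocks. The CN is also interpolated into a double-quoted OpenVPN option without escaping, so a server_cn containing `"` or `\` yields a config line that fails to parse or is parsed differently from what the admin intended — escaping those two characters (e.g. with `addcslashes`) keeps the option intact. Whether `server_user` mode should also be allowed to pin the server CN is not clear from the hunk; the exclusion is worth a comment either way. Minor: `in_array` should pass `true` as its third argument and use short array syntax. The enclosing method starts before this hunk, so where `$this->config` is populated is not visible here.
```php
        // … unchanged: earlier option handling, including "lport 0" …
        // Pinning the server CN and sending user credentials are independent options.
        if ($this->config['mode'] !== 'server_user' && !empty($this->config['server_cn'])
            && !empty($this->config['validate_server_cn'])) {
            $conf[] = 'verify-x509-name "' . addcslashes($this->config['server_cn'], '\\"') . '" name';
        }
        if (in_array($this->config['mode'], ['server_user', 'server_tls_user'], true)) {
            $conf[] = "auth-user-pass";
        }

        return $conf;
```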