lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-13 00:07:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

openvpn: remove the old wizard

Browse Source 
As discussed the wizard will be removed and the legacy component
it is feeding moved to a plugin for 25.7 so it makes no sense to
drag this along any further.
This commit is contained in:
Franco Fichtner 2025-02-12 12:18:05 +01:00
parent bac5dfe99e
commit f1f87d134b
6 changed files with 0 additions and 1948 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
plist
View File

@ -37,7 +37,6 @@
/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
/usr/local/etc/inc/plugins.inc.d/openvpn/tunnel_endpoint.php
/usr/local/etc/inc/plugins.inc.d/openvpn/wizard.inc
/usr/local/etc/inc/plugins.inc.d/pf.inc
/usr/local/etc/inc/plugins.inc.d/suricata.inc
/usr/local/etc/inc/plugins.inc.d/unbound.inc
@ -2387,7 +2386,6 @@
/usr/local/share/man/man8/opnsense-log.8.gz
/usr/local/share/man/man8/opnsense-shell.8.gz
/usr/local/share/man/man8/opnsense-version.8.gz
/usr/local/wizard/openvpn.xml
/usr/local/wizard/system.xml
/usr/local/www/authgui.inc
/usr/local/www/crash_reporter.php

985
src/etc/inc/plugins.inc.d/openvpn/wizard.inc
View File

@ -1,985 +0,0 @@
<?php
/*
* Copyright (C) 2010 Ermal Luçi
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
* AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
require_once("plugins.inc.d/openvpn.inc");
require_once("util.inc");
function cert_create(&$cert, $caref, $keylen_curve, $lifetime, $dn, $digest_alg, $x509_extensions = 'usr_cert', $extns = [])
{
$ca = &lookup_ca($caref);
if (!$ca) {
return false;
}
$ca_str_crt = base64_decode($ca['crt']);
$ca_str_key = base64_decode($ca['prv']);
$ca_res_crt = openssl_x509_read($ca_str_crt);
$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
if (!$ca_res_key) {
return false;
}
$ca_serial = ++$ca['serial'];
// handle parameters which can only be set via the configuration file
$config_filename = create_temp_openssl_config($extns);
$args = array(
'config' => $config_filename,
'x509_extensions' => $x509_extensions,
'digest_alg' => $digest_alg,
'encrypt_key' => false
);
if (is_numeric($keylen_curve)) {
$args['private_key_type'] = OPENSSL_KEYTYPE_RSA;
$args['private_key_bits'] = (int)$keylen_curve;
} else {
$args['private_key_type'] = OPENSSL_KEYTYPE_EC;
$args['curve_name'] = $keylen_curve;
}
// generate a new key pair
$res_key = openssl_pkey_new($args);
if (!$res_key) {
return false;
}
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $res_key, $args);
if (!$res_csr) {
return false;
}
// self sign the certificate
$res_crt = openssl_csr_sign(
$res_csr,
$ca_res_crt,
$ca_res_key,
$lifetime,
$args,
$ca_serial
);
if (!$res_crt) {
return false;
}
// export our certificate data
if (
!openssl_pkey_export($res_key, $str_key) ||
!openssl_x509_export($res_crt, $str_crt)
) {
return false;
}
// return our certificate information
$cert['caref'] = $caref;
$cert['crt'] = base64_encode($str_crt);
$cert['prv'] = base64_encode($str_key);
// remove tempfile (template)
unlink($config_filename);
return true;
}
function ca_create(&$ca, $keylen_curve, $lifetime, $dn, $digest_alg, $caref = null, $x509_extensions = 'v3_ca', $extns = [])
{
// handle parameters which can only be set via the configuration file
$config_filename = create_temp_openssl_config($extns);
$args = [
'config' => $config_filename,
'x509_extensions' => $x509_extensions,
'digest_alg' => $digest_alg,
'encrypt_key' => false
];
if (is_numeric($keylen_curve)) {
$args['private_key_type'] = OPENSSL_KEYTYPE_RSA;
$args['private_key_bits'] = (int)$keylen_curve;
} else {
$args['private_key_type'] = OPENSSL_KEYTYPE_EC;
$args['curve_name'] = $keylen_curve;
}
if (!empty($caref)) {
// intermediate type CA, could also be an OCSP verification cert
$signing_ca = &lookup_ca($caref);
if (!$signing_ca) {
return false;
}
$signing_ca_res_crt = openssl_x509_read(base64_decode($signing_ca['crt']));
$signing_ca_res_key = openssl_pkey_get_private(array(0 => base64_decode($signing_ca['prv']) , 1 => ""));
if (!$signing_ca_res_crt || !$signing_ca_res_key) {
return false;
}
// XXX: side affect (unavoidable given legacy constraints), updating parent serial number
$signing_ca_serial = ++$signing_ca['serial'];
} else {
$signing_ca_serial = 0;
$signing_ca_res_crt = null;
// generate a new key pair
$signing_ca_res_key = openssl_pkey_new($args);
if (!$signing_ca_res_key) {
return false;
}
}
// generate a certificate signing request
$res_csr = openssl_csr_new($dn, $signing_ca_res_key, $args);
if (!$res_csr) {
return false;
}
// self sign the certificate
$res_crt = openssl_csr_sign($res_csr, $signing_ca_res_crt, $signing_ca_res_key, $lifetime, $args, $signing_ca_serial);
if (!$res_crt) {
return false;
}
// export our certificate data
if (!openssl_pkey_export($signing_ca_res_key, $str_key) || !openssl_x509_export($res_crt, $str_crt)) {
return false;
}
// return our ca information
$ca['crt'] = base64_encode($str_crt);
$ca['prv'] = base64_encode($str_key);
$ca['x509_extensions'] = $x509_extensions;
$ca['serial'] = 0;
if (!empty($caref)) {
$ca['caref'] = $caref;
}
return true;
}
/**
* Create a temporary config file, to help with calls that require properties that can only be set via the config file.
*
* @param $dn
* @return bool|string The name of the temporary config file.
*/
function create_temp_openssl_config(&$extns)
{
// define temp filename to use for openssl.cnf and add extensions values to it
$configFilename = tempnam(sys_get_temp_dir(), 'ssl');
$template = file_get_contents('/usr/local/etc/ssl/opnsense.cnf');
foreach (array_keys($extns) as $extnTag) {
$template_extn = $extnTag . ' = ' . str_replace(array("\r", "\n"), '', $extns[$extnTag]);
// Overwrite the placeholders for this property
$template = str_replace('###OPNsense:' . $extnTag . '###', $template_extn, $template);
}
file_put_contents($configFilename, $template);
return $configFilename;
}
function cert_get_subject_hash($crt)
{
$str_crt = base64_decode($crt);
$inf_crt = openssl_x509_parse($str_crt);
return $inf_crt['subject'];
}
function has_special_chars($text)
{
return !!preg_match('/[^A-Za-z0-9 _-]/', $text);
}
function step1_submitphpaction()
{
global $stepid, $config;
if ($_POST['authtype'] == "local") {
$stepid = 4;
$config['wizardtemp']['step1']['type'] = "local";
} elseif ($_POST['authtype'] == "ldap") {
$stepid = 0;
} elseif ($_POST['authtype'] == "radius") {
$stepid = 2;
$config['wizardtemp']['step1']['type'] = "radius";
unset($config['wizardtemp']['step1']['uselist']);
}
}
function step2_stepbeforeformdisplay()
{
global $pkg, $stepid;
$fields =& $pkg['step'][1]['fields']['field'];
$found = false;
$authlist = auth_get_authserver_list();
$fields[1]['options']['option'] = array();
foreach ($authlist as $key => $auth) {
if ($auth['type'] != 'ldap') {
continue;
}
$found = true;
$opts = array();
$opts['name'] = $auth['name'];
$opts['value'] = $key;
$fields[1]['options']['option'][] = $opts;
}
if ($found == false) {
$stepid = 2;
}
}
function step2_submitphpaction()
{
global $stepid;
if (isset($_POST['next'])) {
$_POST['uselist'] = "";
$stepid += 3;
}
}
function step3_submitphpaction()
{
global $stepid, $input_errors, $config;
/* Default LDAP port is 389 for TCP and 636 for SSL */
if (empty($_POST['port'])) {
if ($_POST['transport'] == "tcp") {
$config['wizardtemp']['step2']['port'] = 389;
} elseif ($_POST['transport'] == "ssl") {
$config['wizardtemp']['step2']['port'] = 636;
}
} elseif (!is_port($_POST['port'])) {
$input_errors[] = gettext('Please enter a valid port number.');
$stepid--;
return;
}
$authcfg = auth_get_authserver($_POST['name']);
if (
empty($_POST['name']) || empty($_POST['ip']) || empty($_POST['transport']) ||
empty($_POST['scope']) || empty($_POST['basedn']) || empty($_POST['authscope']) || empty($_POST['nameattr'])
) {
$input_errors[] = gettext('Please enter all information for authentication server.');
$stepid--;
} elseif ($authcfg !== false && !empty($authcfg)) {
$input_errors[] = gettext('Please choose a different name because an authentication ' .
'server with this name already exists.');
$stepid--;
} elseif (!is_fqdn($_POST['ip']) && !is_ipaddr($_POST['ip'])) {
$input_errors[] = gettext('Please enter a valid IP address or hostname for the authentication server.');
$stepid--;
} else {
$config['wizardtemp']['step2']['uselist'] = "on";
$_POST['uselist'] = "on";
$stepid += 2;
}
}
function step4_stepbeforeformdisplay()
{
global $pkg, $stepid;
$fields =& $pkg['step'][3]['fields']['field'];
$found = false;
$authlist = auth_get_authserver_list();
$fields[1]['options']['option'] = array();
foreach ($authlist as $key => $auth) {
if ($auth['type'] != 'radius') {
continue;
}
$found = true;
$opts = array();
$opts['name'] = $auth['name'];
$opts['value'] = $key;
$fields[1]['options']['option'][] = $opts;
}
if ($found == false) {
$stepid = 4;
}
}
function step4_submitphpaction()
{
global $stepid;
if (isset($_POST['next'])) {
$_POST['uselist'] = "";
$stepid++;
}
}
function step5_submitphpaction()
{
global $stepid, $input_errors, $config;
/* Default RADIUS Auth port = 1812 */
if (empty($_POST['port'])) {
$config['wizardtemp']['step2']['port'] = 1812;
} elseif (!is_port($_POST['port'])) {
$input_errors[] = gettext('Please enter a valid port number.');
$stepid--;
return;
}
$authcfg = auth_get_authserver($_POST['name']);
if (empty($_POST['name']) || empty($_POST['ip']) || empty($_POST['secret'])) {
$input_errors[] = gettext('Please enter all information for authentication server.');
$stepid--;
} elseif ($authcfg !== false && !empty($authcfg)) {
$input_errors[] = gettext('Please choose a different name because an authentication ' .
'server with this name already exists.');
$stepid--;
} elseif (!is_fqdn($_POST['ip']) && !is_ipaddr($_POST['ip'])) {
$input_errors[] = gettext('Please enter a valid IP address or hostname for the authentication server.');
$stepid--;
} else {
$config['wizardtemp']['step2']['uselist'] = "on";
$_POST['uselist'] = "on";
}
}
function step6_stepbeforeformdisplay()
{
global $stepid, $config;
$no_internal_ca = true;
if (empty($config['ca'])) {
$stepid++;
} else {
foreach ($config['ca'] as $ca) {
if (!empty($ca['prv'])) {
$no_internal_ca = false;
break;
}
}
if ($no_internal_ca) {
$stepid++;
}
}
}
function step6_submitphpaction()
{
global $stepid, $config;
if (isset($_POST['next'])) {
$_POST['uselist'] = "";
unset($config['wizardtemp']['step6']['uselist']);
$stepid++;
} else {
$config['wizardtemp']['step6']['uselist'] = "on";
$_POST['uselist'] = "on";
}
}
function step7_submitphpaction()
{
global $input_errors, $stepid, $_POST, $config;
$canames = array();
$cacns = array();
if (is_array($config['ca'])) {
foreach ($config['ca'] as $ca) {
$canames[] = $ca['descr'];
$cainfo = cert_get_subject_hash($ca['crt']);
$cacns[] = $cainfo["CN"];
}
}
if (
empty($_POST['descr']) || empty($_POST['keylength']) || empty($_POST['lifetime']) ||
empty($_POST['country']) || empty($_POST['state']) || empty($_POST['city']) ||
empty($_POST['organization']) || empty($_POST['email'])
) {
$input_errors[] = gettext('Please enter all information for the new Certificate Authority.');
$stepid--;
} elseif (
has_special_chars($_POST['country']) || has_special_chars($_POST['state']) ||
has_special_chars($_POST['city']) || has_special_chars($_POST['organization'])
) {
$input_errors[] = gettext('Please do not use special characters in Certificate field names.');
$stepid--;
} elseif (in_array($_POST['descr'], $canames) || in_array($_POST['descr'], $cacns)) {
$input_errors[] = gettext('Please enter a different name for the Certificate Authority. ' .
'A Certificate Authority with that name already exists.');
$stepid--;
} elseif (strlen($_POST['country']) != 2) {
$input_errors[] = gettext('Please enter only a two-letter ISO country code');
$stepid--;
} else {
$config['wizardtemp']['step6']['uselist'] = "on";
$_POST['uselist'] = "on";
}
}
function step8_stepbeforeformdisplay()
{
global $stepid, $config;
$no_server_cert = true;
if (empty($config['cert'])) {
$stepid++;
} else {
foreach ($config['cert'] as $cert) {
if (cert_get_purpose($cert['crt'])['id-kp-serverAuth'] == 'Yes') {
$no_server_cert = false;
break;
}
}
if ($no_server_cert) {
$stepid++;
}
}
}
function step8_submitphpaction()
{
global $stepid, $config, $_POST;
if (isset($_POST['next'])) {
$_POST['uselist'] = "";
unset($config['wizardtemp']['step9']['uselist']);
$stepid++;
} else {
$config['wizardtemp']['step6']['uselist'] = "on";
$_POST['uselist'] = "on";
}
}
function step9_stepbeforeformdisplay()
{
global $config, $pkg, $stepid;
$pconfig = $config['wizardtemp'];
if (isset($pconfig['step6']['uselist'])) {
$country = $pconfig['step6']['country'];
$state = $pconfig['step6']['state'];
$city = $pconfig['step6']['city'];
$org = $pconfig['step6']['organization'];
$email = $pconfig['step6']['email'];
} else {
$ca = lookup_ca($pconfig['step6']['authcertca']);
$cavl = cert_get_subject_array($ca['crt']);
$country = $cavl[0]['v'];
$state = $cavl[1]['v'];
$city = $cavl[2]['v'];
$org = $cavl[3]['v'];
$email = $cavl[4]['v'];
}
$fields =& $pkg['step'][$stepid]['fields']['field'];
foreach ($fields as $idx => $field) {
switch ($field['name']) {
case 'country':
$fields[$idx]['value'] = $country;
break;
case 'state':
$fields[$idx]['value'] = $state;
break;
case 'city':
$fields[$idx]['value'] = $city;
break;
case 'organization':
$fields[$idx]['value'] = $org;
break;
case 'email':
$fields[$idx]['value'] = $email;
break;
}
}
}
function step9_submitphpaction()
{
global $input_errors, $stepid, $_POST, $config;
$certnames = array();
$certcns = array();
if (is_array($config['cert'])) {
foreach ($config['cert'] as $cert) {
$certnames[] = $cert['descr'];
$certinfo = cert_get_subject_hash($cert['crt']);
$certcns[] = $certinfo["CN"];
}
}
if (
empty($_POST['descr']) || empty($_POST['keylength']) || empty($_POST['lifetime']) ||
empty($_POST['country']) || empty($_POST['state']) || empty($_POST['city']) ||
empty($_POST['organization']) || empty($_POST['email'])
) {
$input_errors[] = gettext('Please enter all information for the new certificate.');
$stepid--;
} elseif (
has_special_chars($_POST['country']) || has_special_chars($_POST['state']) ||
has_special_chars($_POST['city']) || has_special_chars($_POST['organization'])
) {
$input_errors[] = gettext('Please do not use special characters in Certificate field names.');
$stepid--;
} elseif (in_array($_POST['descr'], $certnames) || in_array($_POST['descr'], $certcns)) {
$input_errors[] = gettext('Please enter a different name for the Certificate. ' .
'A Certificate with that name/common name already exists.');
$stepid--;
} elseif (strlen($_POST['country']) != 2) {
$input_errors[] = gettext('Please enter only a two-letter ISO country code');
$stepid--;
} else {
$config['wizardtemp']['step9']['uselist'] = "on";
$_POST['uselist'] = "on";
}
}
function step10_stepbeforeformdisplay()
{
global $pkg, $stepid, $netbios_nodetypes;
foreach ($pkg['step'][$stepid]['fields']['field'] as $idx => $field) {
if ($field['name'] == "crypto") {
$pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'] = array();
foreach (openvpn_get_cipherlist() as $name => $desc) {
$opt = array();
$opt['name'] = $desc;
$opt['value'] = $name;
$pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'][] = $opt;
}
} elseif ($field['name'] == "digest") {
$pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'] = array();
foreach (openvpn_get_digestlist() as $name => $desc) {
$opt = array();
$opt['name'] = $desc;
$opt['value'] = $name;
$pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'][] = $opt;
}
} elseif ($field['name'] == "compression") {
$pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'] = array();
foreach (openvpn_compression_modes() as $name => $desc) {
$opt = array();
$opt['name'] = $desc;
$opt['value'] = $name;
$pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'][] = $opt;
}
} elseif ($field['name'] == "nbttype") {
$pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'] = array();
foreach ($netbios_nodetypes as $type => $name) {
$opt = array();
$opt['name'] = $name;
$opt['value'] = $type;
$pkg['step'][$stepid]['fields']['field'][$idx]['options']['option'][] = $opt;
}
}
}
}
function step10_submitphpaction()
{
global $input_errors, $stepid, $config;
if (empty($_POST['localport'])) {
$config['wizardtemp']['step10']['localport'] = $_POST['localport'] = openvpn_port_next($_POST['protocol']);
}
if ($result = openvpn_validate_port($_POST['localport'], gettext('Local port'))) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($_POST['tunnelnet'], gettext('IPv4 Tunnel Network'), false, 'ipv4')) {
$input_errors[] = $result;
} elseif (!empty($_POST['tunnelnet'])) {
// Check IPv4 tunnelnet pool size. Wizard makes tun mode with net30 server only.
list($ipv4tunnel_base, $ipv4tunnel_prefix) = explode('/', trim($_POST['tunnelnet']));
if ($ipv4tunnel_prefix > 28) {
$input_errors[] = gettext('A prefix longer than 28 cannot be used with a net30 topology.');
}
}
if ($result = openvpn_validate_cidr($_POST['tunnelnetv6'], gettext('IPv6 Tunnel Network'), false, 'ipv6')) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($_POST['localnet'], gettext('IPv4 Local Network'), true, 'ipv4')) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($_POST['localnetv6'], gettext('IPv6 Local Network'), true, 'ipv6')) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($_POST['remotenet'], gettext('IPv4 Remote Network'), true, 'ipv4')) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($_POST['remotenetv6'], gettext('IPv6 Remote Network'), true, 'ipv6')) {
$input_errors[] = $result;
}
$portused = openvpn_port_used($_POST['protocol'], $_POST['interface'], $_POST['localport']);
if ($portused != 0) {
$input_errors[] = gettext("The specified 'Local port' is in use. Please select another value.");
}
if (!isset($_POST['generatetlskey']) && isset($_POST['tlsauthentication'])) {
if (
!strstr($_POST['tlssharedkey'], "-----BEGIN OpenVPN Static key V1-----") ||
!strstr($_POST['tlssharedkey'], "-----END OpenVPN Static key V1-----")
) {
$input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid.");
}
}
if (!empty($_POST['dnsserver1']) && !is_ipaddr(trim($_POST['dnsserver1']))) {
$input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IP address");
}
if (!empty($_POST['dnsserver2']) && !is_ipaddr(trim($_POST['dnsserver2']))) {
$input_errors[] = gettext("The field 'DNS Server #2' must contain a valid IP address");
}
if (!empty($_POST['dnsserver3']) && !is_ipaddr(trim($_POST['dnsserver3']))) {
$input_errors[] = gettext("The field 'DNS Server #3' must contain a valid IP address");
}
if (!empty($_POST['dnsserver4']) && !is_ipaddr(trim($_POST['dnsserver4']))) {
$input_errors[] = gettext("The field 'DNS Server #4' must contain a valid IP address");
}
if (!empty($_POST['ntpserver1']) && !is_ipaddr(trim($_POST['ntpserver1']))) {
$input_errors[] = gettext("The field 'NTP Server #1' must contain a valid IP address");
}
if (!empty($_POST['ntpserver2']) && !is_ipaddr(trim($_POST['ntpserver2']))) {
$input_errors[] = gettext("The field 'NTP Server #2' must contain a valid IP address");
}
if (!empty($_POST['winsserver1']) && !is_ipaddr(trim($_POST['winsserver1']))) {
$input_errors[] = gettext("The field 'WINS Server #1' must contain a valid IP address");
}
if (!empty($_POST['winsserver2']) && !is_ipaddr(trim($_POST['winsserver2']))) {
$input_errors[] = gettext("The field 'WINS Server #2' must contain a valid IP address");
}
if ($_POST['concurrentcon'] && !is_numeric($_POST['concurrentcon'])) {
$input_errors[] = gettext("The field 'Concurrent connections' must be numeric.");
}
if (empty($_POST['tunnelnet']) && empty($_POST['tunnelnetv6'])) {
$input_errors[] = gettext("You must specify a 'Tunnel network'.");
}
if (!empty($input_errors)) {
$stepid = $stepid - 1;
}
}
function step12_submitphpaction()
{
global $config;
$pconfig = $config['wizardtemp'];
if (!is_array($config['wizardtemp'])) {
$message = "No configuration found please retry again.";
header(url_safe('Location: /wizard.php?xml=openvpn&stepid=1&message=%s', array($message)));
exit;
}
if ($pconfig['step1']['type'] == "local") {
$auth = array();
$auth['name'] = "Local Database";
$auth['type'] = "local";
} elseif (isset($pconfig['step2']['uselist'])) {
$auth = array();
$auth['type'] = $pconfig['step1']['type'];
$auth['refid'] = uniqid();
$auth['name'] = $pconfig['step2']['authtype'];
if ($auth['type'] == "ldap") {
$auth['host'] = $pconfig['step2']['ip'];
$auth['ldap_port'] = $pconfig['step2']['port'];
if ($pconfig['step1']['transport'] == "tcp") {
$auth['ldap_urltype'] = 'TCP - Standard';
} else {
$auth['ldap_urltype'] = 'SSL - Encrypted';
}
$auth['ldap_protver'] = 3;
$auth['ldap_scope'] = $pconfig['step2']['scope'];
$auth['ldap_basedn'] = $pconfig['step2']['basedn'];
$auth['ldap_authcn'] = $pconfig['step2']['authscope'];
$auth['ldap_binddn'] = $pconfig['step2']['userdn'];
$auth['ldap_bindpw'] = $pconfig['step2']['passdn'];
$auth['ldap_attr_user'] = $pconfig['step1']['nameattr'];
$auth['ldap_attr_member'] = $pconfig['step1']['memberattr'];
$auth['ldap_attr_group'] = $pconfig['step1']['groupattr'];
} elseif ($auth['type'] == "radius") {
$auth['host'] = $pconfig['step2']['ip'];
$auth['radius_auth_port'] = $pconfig['step2']['port'];
$auth['radius_secret'] = $pconfig['step2']['password'];
$auth['radius_srvcs'] = "auth";
}
$a_auth = &config_read_array('system', 'authserver');
$a_auth[] = $auth;
} elseif (!isset($pconfig['step2']['uselist']) && empty($pconfig['step2']['authserv'])) {
$message = "Please choose an authentication server.";
header(url_safe('Location: /wizard.php?xml=openvpn&stepid=1&message=%s', array($message)));
exit;
} elseif (!($auth = auth_get_authserver($pconfig['step2']['authserv']))) {
$message = "No valid authentication server has been specified.";
header(url_safe('Location: /wizard.php?xml=openvpn&stepid=1&message=%s', array($message)));
exit;
}
if (isset($pconfig['step6']['uselist']) && !empty($pconfig['step6']['certca'])) {
$ca = array();
$ca['refid'] = uniqid();
$ca['descr'] = $pconfig['step6']['certca'];
$dn = array(
'countryName' => $pconfig['step6']['country'],
'stateOrProvinceName' => $pconfig['step6']['state'],
'localityName' => $pconfig['step6']['city'],
'organizationName' => $pconfig['step6']['organization'],
'emailAddress' => $pconfig['step6']['email'],
'commonName' => $pconfig['step6']['certca']);
ca_create($ca, $pconfig['step6']['keylength'], $pconfig['step6']['lifetime'], $dn, "sha256");
$a_ca = &config_read_array('ca');
$a_ca[] = $ca;
} elseif (!isset($pconfig['step6']['uselist']) && empty($pconfig['step6']['authcertca'])) {
$message = "Please choose a Certificate Authority.";
header(url_safe('Location: /wizard.php?xml=openvpn&stepid=5&message=%s', array($message)));
exit;
} elseif (!($ca = lookup_ca($pconfig['step6']['authcertca']))) {
$message = "Not a valid Certificate Authority specified.";
header(url_safe('Location: /wizard.php?xml=openvpn&stepid=5&message=%s', array($message)));
exit;
}
if (isset($pconfig['step9']['uselist'])) {
$cert = array();
$cert['refid'] = uniqid();
$cert['descr'] = $pconfig['step9']['certname'];
$dn = array(
'countryName' => $pconfig['step9']['country'],
'stateOrProvinceName' => $pconfig['step9']['state'],
'localityName' => $pconfig['step9']['city'],
'organizationName' => $pconfig['step9']['organization'],
'emailAddress' => $pconfig['step9']['email'],
'commonName' => $pconfig['step9']['certname']
);
cert_create(
$cert,
$ca['refid'],
$pconfig['step9']['keylength'],
$pconfig['step9']['lifetime'],
$dn,
'sha256',
'server_cert',
[]
);
$a_cert = &config_read_array('cert');
$a_cert[] = $cert;
} elseif (!isset($pconfig['step9']['uselist']) && empty($pconfig['step9']['authcertname'])) {
$message = "Please choose a Certificate.";
header(url_safe('Location: /wizard.php?xml=openvpn&stepid=7&message=%s', array($message)));
exit;
} elseif (!($cert = lookup_cert($pconfig['step9']['authcertname']))) {
$message = "Not a valid Certificate specified.";
header(url_safe('Location: /wizard.php?xml=openvpn&stepid=7&message=%s', array($message)));
exit;
}
$server = array();
$server['vpnid'] = openvpn_vpnid_next();
switch ($auth['type']) {
case "ldap":
$server['authmode'] = $auth['name'];
$server['mode'] = "server_user";
break;
case "radius":
$server['authmode'] = $auth['name'];
$server['mode'] = "server_user";
break;
default:
$server['authmode'] = "Local Database";
$server['mode'] = "server_tls_user";
break;
}
$server['caref'] = $ca['refid'];
$server['certref'] = $cert['refid'];
$server['protocol'] = $pconfig['step10']['protocol'];
$server['interface'] = $pconfig['step10']['interface'];
$server['local_port'] = $pconfig['step10']['localport'];
if (strlen($pconfig['step10']['descr']) > 30) {
$pconfig['step10']['descr'] = substr($pconfig['step10']['descr'], 0, 30);
}
$server['description'] = $pconfig['step10']['descr'];
if (isset($pconfig['step10']['tlsauth'])) {
if (isset($pconfig['step10']['gentlskey'])) {
$tlskey = openvpn_create_key();
} else {
$tlskey = $pconfig['step10']['tlskey'];
}
$server['tls'] = base64_encode($tlskey);
$server['tlsmode'] = 'auth';
}
if (isset($pconfig['step10']['tunnelnet'])) {
$server['tunnel_network'] = $pconfig['step10']['tunnelnet'];
}
if (isset($pconfig['step10']['tunnelnetv6'])) {
$server['tunnel_networkv6'] = $pconfig['step10']['tunnelnetv6'];
}
if (isset($pconfig['step10']['rdrgw'])) {
$server['gwredir'] = $pconfig['step10']['rdrgw'];
}
if (isset($pconfig['step10']['localnet'])) {
$server['local_network'] = $pconfig['step10']['localnet'];
}
if (isset($pconfig['step10']['localnetv6'])) {
$server['local_networkv6'] = $pconfig['step10']['localnetv6'];
}
if (isset($pconfig['step10']['remotenet'])) {
$server['remote_network'] = $pconfig['step10']['remotenet'];
}
if (isset($pconfig['step10']['remotenetv6'])) {
$server['remote_networkv6'] = $pconfig['step10']['remotenetv6'];
}
if (isset($pconfig['step10']['concurrentcon'])) {
$server['maxclients'] = $pconfig['step10']['concurrentcon'];
}
if (isset($pconfig['step10']['compression'])) {
$server['compression'] = $pconfig['step10']['compression'];
}
if (isset($pconfig['step10']['tos'])) {
$server['passtos'] = $pconfig['step10']['tos'];
}
if (isset($pconfig['step10']['interclient'])) {
$server['client2client'] = $pconfig['step10']['interclient'];
}
if (isset($pconfig['step10']['duplicate_cn'])) {
$server['duplicate_cn'] = $pconfig['step10']['duplicate_cn'];
}
if (isset($pconfig['step10']['dynip'])) {
$server['dynamic_ip'] = $pconfig['step10']['dynip'];
}
if (isset($pconfig['step10']['defaultdomain'])) {
$server['dns_domain'] = $pconfig['step10']['defaultdomain'];
}
if (isset($pconfig['step10']['dns1'])) {
$server['dns_server1'] = $pconfig['step10']['dns1'];
}
if (isset($pconfig['step10']['dns2'])) {
$server['dns_server2'] = $pconfig['step10']['dns2'];
}
if (isset($pconfig['step10']['dns3'])) {
$server['dns_server3'] = $pconfig['step10']['dns3'];
}
if (isset($pconfig['step10']['dns4'])) {
$server['dns_server4'] = $pconfig['step10']['dns4'];
}
if (isset($pconfig['step10']['ntp1'])) {
$server['ntp_server1'] = $pconfig['step10']['ntp1'];
}
if (isset($pconfig['step10']['ntp2'])) {
$server['ntp_server2'] = $pconfig['step10']['ntp2'];
}
if (isset($pconfig['step10']['wins1'])) {
$server['wins_server1'] = $pconfig['step10']['wins1'];
}
if (isset($pconfig['step10']['wins2'])) {
$server['wins_server2'] = $pconfig['step10']['wins2'];
}
if (isset($pconfig['step10']['nbtenable'])) {
$server['netbios_ntype'] = $pconfig['step10']['nbttype'];
if (isset($pconfig['step10']['nbtscope'])) {
$server['netbios_scope'] = $pconfig['step10']['nbtscope'];
}
$server['netbios_enable'] = $pconfig['step10']['nbtenable'];
}
$server['crypto'] = $pconfig['step10']['crypto'];
$server['digest'] = $pconfig['step10']['digest'];
if (isset($pconfig['step11']['ovpnrule'])) {
$rule = array();
$rule['descr'] = sprintf(gettext("OpenVPN %s wizard allow client access"), $server['description']);
/* Ensure the rule descr is not too long for pf to handle */
if (strlen($rule['descr']) > 52) {
$rule['descr'] = substr($rule['descr'], 0, 52);
}
$rule['direction'] = "in";
$rule['source']['any'] = true;
if ($server['interface'] != "any") {
$rule['destination']['network'] = $server['interface'] . "ip";
$rule['interface'] = $server['interface'];
} else {
$rule['destination']['network'] = "(self)";
$rule['floating'] = "yes";
}
$rule['destination']['port'] = $server['local_port'];
$proto = strtolower($server['protocol']);
if (strpos($proto, '4') !== false) {
$rule['protocol'] = substr($proto, 0, -1);
$rule['ipprotocol'] = "inet";
} elseif (strpos($proto, '6') !== false) {
$rule['protocol'] = substr($proto, 0, -1);
$rule['ipprotocol'] = "inet6";
} else {
$rule['protocol'] = $proto;
$rule['ipprotocol'] = "inet46";
}
$rule['type'] = "pass";
$rule['enabled'] = "on";
$rule['created'] = make_config_revision_entry();
$config['filter']['rule'][] = $rule;
}
if (isset($pconfig['step11']['ovpnallow'])) {
$rule = array();
$rule['descr'] = sprintf(gettext("OpenVPN %s wizard"), $server['description']);
/* Ensure the rule descr is not too long for pf to handle */
if (strlen($rule['descr']) > 52) {
$rule['descr'] = substr($rule['descr'], 0, 52);
}
$rule['source']['any'] = true;
$rule['destination']['any'] = true;
$rule['interface'] = "openvpn";
$rule['type'] = "pass";
$rule['enabled'] = "on";
$rule['created'] = make_config_revision_entry();
$config['filter']['rule'][] = $rule;
}
$a_server = &config_read_array('openvpn', 'openvpn-server');
$a_server[] = $server;
unset($config['wizardtemp']);
write_config();
openvpn_configure_single($server['vpnid']);
header(url_safe('Location: /vpn_openvpn_server.php'));
exit;
}

1
src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
View File

@ -680,7 +680,6 @@
<name>VPN: OpenVPN: Server</name>
<patterns>
<pattern>vpn_openvpn_server.php*</pattern>
<pattern>wizard.php?xml=openvpn&amp;*</pattern>
</patterns>
</page-openvpn-server>
<page-xmlrpclibrary>

1
src/opnsense/mvc/app/models/OPNsense/Core/Menu/Menu.xml
View File

@ -139,7 +139,6 @@
<Instances url="/ui/openvpn/instances"/>
<Servers VisibleName="Servers [legacy]" order="10" url="/vpn_openvpn_server.php">
<Edit url="/vpn_openvpn_server.php?*" visibility="hidden"/>
<Step url="/wizard.php?xml=openvpn*" visibility="hidden"/>
</Servers>
<Clients VisibleName="Clients [legacy]" order="20" url="/vpn_openvpn_client.php">
<Edit url="/vpn_openvpn_client.php?*" visibility="hidden"/>

956
src/wizard/openvpn.xml
View File

@ -1,956 +0,0 @@
<?xml version="1.0" encoding="utf-8" ?>
<wizard>
<copyright>
/*
Copyright (C) 2014 Deciso B.V.
Copyright (C) 2010 Ermal Luçi
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
</copyright>
<includefile>plugins.inc.d/openvpn/wizard.inc</includefile>
<totalsteps>12</totalsteps>
<step>
<id>1</id>
<title>Authentication Type Selection</title>
<fields>
<field>
<type>listtopic</type>
<name>Select an Authentication Backend Type</name>
</field>
<field>
<type>select</type>
<displayname>Type of Server</displayname>
<name>authtype</name>
<description>If you are unsure, leave this set to "Local User Access".</description>
<bindstofield>wizardtemp->step1->type</bindstofield>
<options>
<option>
<name>Local User Access</name>
<value>local</value>
</option>
<option>
<name>LDAP</name>
<value>ldap</value>
</option>
<option>
<name>Radius</name>
<value>radius</value>
</option>
</options>
</field>
<field>
<name>Next</name>
<type>submit</type>
</field>
</fields>
<stepsubmitbeforesave>
if (isset($config['wizardtemp'])) {
unset($config['wizardtemp']);
}
</stepsubmitbeforesave>
<stepsubmitphpaction>step1_submitphpaction();</stepsubmitphpaction>
</step>
<step>
<id>2</id>
<title>LDAP Server Selection</title>
<fields>
<field>
<type>listtopic</type>
<name>LDAP Authentication Server List</name>
</field>
<field>
<name>authserv</name>
<displayname>LDAP servers</displayname>
<type>select</type>
<bindstofield>wizardtemp->step2->authserv</bindstofield>
<options>
<option>
<name>dummy</name>
<value>dummy</value>
</option>
</options>
</field>
<field>
<type>submit</type>
<name>Add new LDAP server</name>
</field>
<field>
<type>submit</type>
<name>Next</name>
</field>
</fields>
<stepbeforeformdisplay>step2_stepbeforeformdisplay();</stepbeforeformdisplay>
<stepsubmitphpaction>step2_submitphpaction();</stepsubmitphpaction>
<javascriptafterformdisplay>enablechange();</javascriptafterformdisplay>
</step>
<step>
<id>3</id>
<title>Add LDAP Server</title>
<fields>
<field>
<type>listtopic</type>
<name>LDAP Authentication Server Parameters</name>
</field>
<field>
<name>name</name>
<displayname>Name</displayname>
<type>input</type>
<bindstofield>wizardtemp->step2->authtype</bindstofield>
<size>30</size>
<description>Descriptive server name, for your own reference.</description>
</field>
<field>
<name>ip</name>
<displayname>Hostname or IP address</displayname>
<type>input</type>
<bindstofield>wizardtemp->step2->ip</bindstofield>
<description>Address of the LDAP server.</description>
</field>
<field>
<name>port</name>
<displayname>Port</displayname>
<type>input</type>
<size>8</size>
<bindstofield>wizardtemp->step2->port</bindstofield>
<description>LDAP Server port, leave blank for the default (389 for TCP, 636 for SSL).</description>
</field>
<field>
<name>transport</name>
<displayname>Transport</displayname>
<type>select</type>
<bindstofield>wizardtemp->step2->transport</bindstofield>
<options>
<option>
<name>TCP - Standard</name>
<value>tcp</value>
</option>
<option>
<name>SSL - Encrypted</name>
<value>ssl</value>
</option>
</options>
<description>The protocol used by your LDAP server. It can either be standard TCP or SSL encrypted.</description>
</field>
<field>
<name>scope</name>
<displayname>Search Scope Level</displayname>
<type>select</type>
<options>
<option>
<name>One Level</name>
<value>one</value>
</option>
<option>
<name>Entire Subtree</name>
<value>subtree</value>
</option>
</options>
<bindstofield>wizardtemp->step2->scope</bindstofield>
</field>
<field>
<name>basedn</name>
<displayname>Search Scope Base DN</displayname>
<type>input</type>
<size>40</size>
<bindstofield>wizardtemp->step2->basedn</bindstofield>
</field>
<field>
<name>authscope</name>
<displayname>Authentication Containers</displayname>
<type>input</type>
<size>40</size>
<bindstofield>wizardtemp->step2->authscope</bindstofield>
<description>Semicolon separated. This will be prepended to the search base DN above or you can specify full container path, e.g. CN=Users;DC=example or CN=Users,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com</description>
</field>
<field>
<name>userdn</name>
<displayname>LDAP Bind User DN</displayname>
<type>input</type>
<size>20</size>
<description>If left blank, an anonymous bind will be done.</description>
<bindstofield>wizardtemp->step2->userdn</bindstofield>
</field>
<field>
<name>passdn</name>
<displayname>LDAP Bind Password</displayname>
<type>password</type>
<size>20</size>
<bindstofield>wizardtemp->step2->passdn</bindstofield>
<description>If a user DN was supplied above, this password will also be used when performing a bind operation.</description>
</field>
<field>
<name>nameattr</name>
<displayname>User Naming Attribute</displayname>
<type>input</type>
<bindstofield>wizardtemp->step2->nameattr</bindstofield>
<description>Typically "cn" (OpenLDAP, Novell eDirectory), "sAMAccountName" (Microsoft AD)</description>
</field>
<field>
<name>groupattr</name>
<displayname>Group Naming Attribute</displayname>
<type>input</type>
<bindstofield>wizardtemp->step2->groupattr</bindstofield>
<description>Typically "cn" (OpenLDAP, Microsoft AD, and Novell eDirectory)</description>
</field>
<field>
<name>memberattr</name>
<displayname>Member Naming Attribute</displayname>
<type>input</type>
<bindstofield>wizardtemp->step2->memberattr</bindstofield>
<description>Typically "member" (OpenLDAP), "memberOf" (Microsoft AD), "uniqueMember" (Novell eDirectory)</description>
</field>
<field>
<type>submit</type>
<name>Add new Server</name>
</field>
</fields>
<stepsubmitphpaction>step3_submitphpaction();</stepsubmitphpaction>
<javascriptafterformdisplay>enablechange();</javascriptafterformdisplay>
</step>
<step>
<id>4</id>
<title>RADIUS Server Selection</title>
<fields>
<field>
<type>listtopic</type>
<name>RADIUS Authentication Server List</name>
</field>
<field>
<name>authserv</name>
<displayname>RADIUS servers</displayname>
<type>select</type>
<bindstofield>wizardtemp->step2->authserv</bindstofield>
<options>
<option>
<name>dummy</name>
<value>dummy</value>
</option>
</options>
</field>
<field>
<type>submit</type>
<name>Add new RADIUS server</name>
</field>
<field>
<type>submit</type>
<name>Next</name>
</field>
</fields>
<stepbeforeformdisplay>step4_stepbeforeformdisplay();</stepbeforeformdisplay>
<stepsubmitphpaction>step4_submitphpaction();</stepsubmitphpaction>
<javascriptafterformdisplay>enablechange();</javascriptafterformdisplay>
</step>
<step>
<id>5</id>
<title>Add RADIUS Server</title>
<fields>
<field>
<type>listtopic</type>
<name>RADIUS Authentication Server Parameters</name>
</field>
<field>
<name>name</name>
<displayname>Name</displayname>
<type>input</type>
<bindstofield>wizardtemp->step2->authtype</bindstofield>
<size>20</size>
<description>Descriptive name for the RADIUS server, for your reference.</description>
</field>
<field>
<name>ip</name>
<displayname>Hostname or IP address</displayname>
<type>input</type>
<bindstofield>wizardtemp->step2->ip</bindstofield>
<description>Address of the RADIUS server.</description>
</field>
<field>
<name>port</name>
<displayname>Authentication Port</displayname>
<type>input</type>
<size>8</size>
<bindstofield>wizardtemp->step2->port</bindstofield>
<description>Port used by the RADIUS server for accepting Authentication requests, typically 1812.</description>
</field>
<field>
<name>secret</name>
<displayname>Shared Secret</displayname>
<type>password</type>
<size>20</size>
<bindstofield>wizardtemp->step2->password</bindstofield>
</field>
<field>
<name>Add new Server</name>
<type>submit</type>
</field>
</fields>
<stepsubmitphpaction>step5_submitphpaction();</stepsubmitphpaction>
</step>
<step>
<id>6</id>
<title>Certificate Authority Selection</title>
<fields>
<field>
<name>Choose a Certificate Authority (CA)</name>
<type>listtopic</type>
</field>
<field>
<type>certca_selection</type>
<internal>1</internal>
<name>certca</name>
<displayname>Certificate Authority</displayname>
<bindstofield>wizardtemp->step6->authcertca</bindstofield>
</field>
<field>
<type>submit</type>
<name>Add new CA</name>
</field>
<field>
<name>Next</name>
<type>submit</type>
</field>
</fields>
<stepbeforeformdisplay>step6_stepbeforeformdisplay();</stepbeforeformdisplay>
<stepsubmitphpaction>step6_submitphpaction();</stepsubmitphpaction>
</step>
<step>
<id>7</id>
<title>Add Certificate Authority</title>
<fields>
<field>
<name>Create a New Certificate Authority (CA) Certificate</name>
<type>listtopic</type>
</field>
<field>
<name>descr</name>
<displayname>Descriptive name</displayname>
<description>A name for your reference, to identify this certificate. This is the same as common-name field for other Certificates.</description>
<type>input</type>
<size>20</size>
<bindstofield>wizardtemp->step6->certca</bindstofield>
</field>
<field>
<name>keylength</name>
<displayname>Key length</displayname>
<description>Size of the key which will be generated. The larger the key, the more security is offers, but larger keys are generally slower to use.</description>
<type>select</type>
<value>2048</value>
<bindstofield>wizardtemp->step6->keylength</bindstofield>
<options>
<option>
<name>512 bit</name>
<value>512</value>
</option>
<option>
<name>1024 bit</name>
<value>1024</value>
</option>
<option>
<name>2048 bit</name>
<value>2048</value>
</option>
<option>
<name>3072 bit</name>
<value>3072</value>
</option>
<option>
<name>4096 bit</name>
<value>4096</value>
</option>
</options>
</field>
<field>
<name>lifetime</name>
<displayname>Lifetime</displayname>
<type>input</type>
<size>10</size>
<value>825</value>
<description>Lifetime in days. This is commonly set to 825 (approximately 2 years).</description>
<bindstofield>wizardtemp->step6->lifetime</bindstofield>
</field>
<field>
<name>country</name>
<displayname>Country Code</displayname>
<description>Two-letter ISO country code (e.g. NL, DE, US)</description>
<type>input</type>
<size>5</size>
<bindstofield>wizardtemp->step6->country</bindstofield>
</field>
<field>
<name>state</name>
<displayname>State or Province</displayname>
<description>Full State of Province name, not abbreviated (e.g. Zuid Holland, Sachsen, Kentucky).</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step6->state</bindstofield>
</field>
<field>
<name>city</name>
<displayname>City</displayname>
<description>City or other Locality name (e.g. Middelharnis, Leipzig, Louisville).</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step6->city</bindstofield>
</field>
<field>
<name>organization</name>
<displayname>Organization</displayname>
<description>Organization name, often the Company or Group name.</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step6->organization</bindstofield>
</field>
<field>
<name>email</name>
<displayname>Email</displayname>
<description>Email address for the Certificate contact. Often the email of the person generating the certificate (i.e. You.)</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step6->email</bindstofield>
</field>
<field>
<name>Add new CA</name>
<type>submit</type>
</field>
</fields>
<stepsubmitphpaction>step7_submitphpaction();</stepsubmitphpaction>
<javascriptafterformdisplay>enablechange();</javascriptafterformdisplay>
</step>
<step>
<id>8</id>
<title>Server Certificate Selection</title>
<fields>
<field>
<name>Choose a Server Certificate</name>
<type>listtopic</type>
</field>
<field>
<type>cert_selection</type>
<name>certname</name>
<displayname>Certificate</displayname>
<bindstofield>wizardtemp->step9->authcertname</bindstofield>
</field>
<field>
<type>submit</type>
<name>Add new Certificate</name>
</field>
<field>
<name>Next</name>
<type>submit</type>
</field>
</fields>
<stepbeforeformdisplay>step8_stepbeforeformdisplay();</stepbeforeformdisplay>
<stepsubmitphpaction>step8_submitphpaction();</stepsubmitphpaction>
</step>
<step>
<id>9</id>
<title>Add a Server Certificate</title>
<fields>
<field>
<name>Create a New Server Certificate</name>
<type>listtopic</type>
</field>
<field>
<name>descr</name>
<displayname>Descriptive name</displayname>
<description>A name for your reference, to identify this certificate. This is also known as the certificate's "Common Name".</description>
<type>input</type>
<size>20</size>
<bindstofield>wizardtemp->step9->certname</bindstofield>
</field>
<field>
<name>keylength</name>
<displayname>Key length</displayname>
<description>Size of the key which will be generated. The larger the key, the more security is offers, but larger keys are generally slower to use.</description>
<type>select</type>
<value>2048</value>
<bindstofield>wizardtemp->step9->keylength</bindstofield>
<options>
<option>
<name>512 bit</name>
<value>512</value>
</option>
<option>
<name>1024 bit</name>
<value>1024</value>
</option>
<option>
<name>2048 bit</name>
<value>2048</value>
</option>
<option>
<name>3072 bit</name>
<value>3072</value>
</option>
<option>
<name>4096 bit</name>
<value>4096</value>
</option>
</options>
</field>
<field>
<name>lifetime</name>
<displayname>Lifetime</displayname>
<description>Lifetime in days. This is commonly set to 397 (approximately 1 year).</description>
<type>input</type>
<size>10</size>
<value>397</value>
<bindstofield>wizardtemp->step9->lifetime</bindstofield>
</field>
<field>
<name>country</name>
<displayname>Country Code</displayname>
<description>Two-letter ISO country code (e.g. NL, DE, US)</description>
<type>input</type>
<size>5</size>
<bindstofield>wizardtemp->step9->country</bindstofield>
</field>
<field>
<name>state</name>
<displayname>State or Province</displayname>
<description>Full State of Province name, not abbreviated (e.g. Zuid Holland, Sachsen, Kentucky).</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step9->state</bindstofield>
</field>
<field>
<name>city</name>
<displayname>City</displayname>
<description>City or other Locality name (e.g. Middelharnis, Leipzig, Louisville).</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step9->city</bindstofield>
</field>
<field>
<name>organization</name>
<displayname>Organization</displayname>
<description>Organization name, often the Company or Group name.</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step9->organization</bindstofield>
</field>
<field>
<name>email</name>
<displayname>Email</displayname>
<description>Email address for the Certificate contact. Often the email of the person generating the certificate (i.e. You.)</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step9->email</bindstofield>
</field>
<field>
<name>Create new Certificate</name>
<type>submit</type>
</field>
</fields>
<stepbeforeformdisplay>step9_stepbeforeformdisplay();</stepbeforeformdisplay>
<stepsubmitphpaction>step9_submitphpaction();</stepsubmitphpaction>
</step>
<step>
<id>10</id>
<title>Server Setup</title>
<fields>
<field>
<type>listtopic</type>
<name>General OpenVPN Server Information</name>
</field>
<field>
<name>interface</name>
<type>interfaces_selection</type>
<subtype>openvpn</subtype>
<value>any</value>
<description>The interface where OpenVPN will listen for incoming connections.</description>
<displayname>Interface</displayname>
<bindstofield>wizardtemp->step10->interface</bindstofield>
</field>
<field>
<name>Protocol</name>
<type>select</type>
<bindstofield>wizardtemp->step10->protocol</bindstofield>
<value>UDP</value>
<options>
<option>
<name>UDP</name>
<value>UDP</value>
</option>
<option>
<name>UDP4</name>
<value>UDP4</value>
</option>
<option>
<name>UDP6</name>
<value>UDP6</value>
</option>
<option>
<name>TCP</name>
<value>TCP</value>
</option>
<option>
<name>TCP4</name>
<value>TCP4</value>
</option>
<option>
<name>TCP6</name>
<value>TCP6</value>
</option>
</options>
<description>Protocol to use for OpenVPN connections. If you are unsure, leave this set to UDP.</description>
</field>
<field>
<name>localport</name>
<displayname>Local Port</displayname>
<description>Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port.</description>
<type>input</type>
<size>10</size>
<bindstofield>wizardtemp->step10->localport</bindstofield>
</field>
<field>
<name>description</name>
<displayname>Description</displayname>
<description>A name for this OpenVPN instance, for your reference. It can be set however you like, but is often used to distinguish the purpose of the service (e.g. "Remote Technical Staff").</description>
<type>input</type>
<size>30</size>
<bindstofield>wizardtemp->step10->descr</bindstofield>
</field>
<field>
<type>listtopic</type>
<name>Cryptographic Settings</name>
</field>
<field>
<name>TLS Authentication</name>
<type>checkbox</type>
<value>on</value>
<typehint>Enable authentication of TLS packets.</typehint>
<bindstofield>wizardtemp->step10->tlsauth</bindstofield>
</field>
<field>
<displayname>Generate TLS Key</displayname>
<name>generatetlskey</name>
<disablefields>tlssharedkey</disablefields>
<value>on</value>
<type>checkbox</type>
<typehint>Automatically generate a shared TLS authentication key.</typehint>
<bindstofield>wizardtemp->step10->gentlskey</bindstofield>
</field>
<field>
<displayname>TLS Shared Key</displayname>
<name>tlssharedkey</name>
<description>Paste in a shared TLS key if one has already been generated.</description>
<type>textarea</type>
<cols>30</cols>
<rows>5</rows>
<bindstofield>wizardtemp->step10->tlskey</bindstofield>
</field>
<field>
<name>crypto</name>
<type>select</type>
<displayname>Encryption algorithm (fallback)</displayname>
<bindstofield>wizardtemp->step10->crypto</bindstofield>
<options>
<option>
<name>dummy</name>
<value>dummy</value>
</option>
</options>
<description>Fallback cipher selection in case none of the default data-ciphers is supported by the client. Only preserved for backwards compatibility reasons.</description>
</field>
<field>
<name>digest</name>
<type>select</type>
<displayname>Auth Digest Algorithm</displayname>
<bindstofield>wizardtemp->step10->digest</bindstofield>
<options>
<option>
<name>dummy</name>
<value>dummy</value>
</option>
</options>
<value>SHA1</value>
<description>The method used to authenticate traffic between endpoints. This setting must match on the client and server side, but is otherwise set however you like.</description>
</field>
<field>
<type>listtopic</type>
<name>Tunnel Settings</name>
</field>
<field>
<displayname>IPv4 Tunnel Network</displayname>
<name>tunnelnet</name>
<type>input</type>
<size>20</size>
<bindstofield>wizardtemp->step10->tunnelnet</bindstofield>
<description>This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool)</description>
</field>
<field>
<displayname>IPv6 Tunnel Network</displayname>
<name>tunnelnetv6</name>
<type>input</type>
<size>20</size>
<bindstofield>wizardtemp->step10->tunnelnetv6</bindstofield>
<description>This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR (eg. fe80::/64). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool)</description>
</field>
<field>
<displayname>Redirect Gateway</displayname>
<name>redirectgw</name>
<type>checkbox</type>
<typehint>Force all client generated traffic through the tunnel.</typehint>
<bindstofield>wizardtemp->step10->rdrgw</bindstofield>
</field>
<field>
<displayname>IPv4 Local Network</displayname>
<name>localnet</name>
<type>input</type>
<size>20</size>
<bindstofield>wizardtemp->step10->localnet</bindstofield>
<description>These are the IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.</description>
</field>
<field>
<displayname>IPv6 Local Network</displayname>
<name>localnetv6</name>
<type>input</type>
<size>20</size>
<bindstofield>wizardtemp->step10->localnetv6</bindstofield>
<description>These are the IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network.</description>
</field>
<field>
<displayname>IPv4 Remote Network</displayname>
<name>remotenet</name>
<type>input</type>
<size>20</size>
<bindstofield>wizardtemp->step10->remotenet</bindstofield>
<description>These are the IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don't want a site-to-site VPN.</description>
</field>
<field>
<displayname>IPv6 Remote Network</displayname>
<name>remotenetv6</name>
<type>input</type>
<size>20</size>
<bindstofield>wizardtemp->step10->remotenetv6</bindstofield>
<description>These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don't want a site-to-site VPN.</description>
</field>
<field>
<displayname>Concurrent Connections</displayname>
<name>concurrentcon</name>
<description>Specify the maximum number of clients allowed to concurrently connect to this server.</description>
<type>input</type>
<size>10</size>
<bindstofield>wizardtemp->step10->concurrentcon</bindstofield>
</field>
<field>
<displayname>Compression</displayname>
<name>compression</name>
<description>Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.</description>
<bindstofield>wizardtemp->step10->compression</bindstofield>
<type>select</type>
<options>
<option>
<name>dummy</name>
<value>dummy</value>
</option>
</options>
</field>
<field>
<displayname>Type-of-Service</displayname>
<name>tos</name>
<type>checkbox</type>
<typehint>Set the TOS IP header value of tunnel packets to match the encapsulated packet value.</typehint>
<bindstofield>wizardtemp->step10->tos</bindstofield>
</field>
<field>
<displayname>Inter-Client Communication</displayname>
<name>interclient</name>
<type>checkbox</type>
<typehint>Allow communication between clients connected to this server.</typehint>
<bindstofield>wizardtemp->step10->interclient</bindstofield>
</field>
<field>
<displayname>Duplicate Connections</displayname>
<name>duplicate_cn</name>
<type>checkbox</type>
<typehint>Allow multiple concurrent connections from clients using the same Common Name. This is not generally recommended, but may be needed for some scenarios.</typehint>
<bindstofield>wizardtemp->step10->duplicate_cn</bindstofield>
</field>
<field>
<type>listtopic</type>
<name>Client Settings</name>
</field>
<field>
<displayname>Dynamic IP</displayname>
<name>dynip</name>
<type>checkbox</type>
<value>on</value>
<typehint>Allow connected clients to retain their connections if their IP address changes.</typehint>
<bindstofield>wizardtemp->step10->dynip</bindstofield>
</field>
<field>
<displayname>DNS Default Domain</displayname>
<name>defaultdomain</name>
<type>input</type>
<description>Provide a default domain name to clients.</description>
<bindstofield>wizardtemp->step10->defaultdomain</bindstofield>
</field>
<field>
<displayname>DNS Server 1</displayname>
<name>dnsserver1</name>
<type>input</type>
<bindstofield>wizardtemp->step10->dns1</bindstofield>
<description>DNS server to provide for connecting client systems.</description>
</field>
<field>
<displayname>DNS Server 2</displayname>
<name>dnsserver2</name>
<type>input</type>
<bindstofield>wizardtemp->step10->dns2</bindstofield>
<description>DNS server to provide for connecting client systems.</description>
</field>
<field>
<displayname>DNS Server 3</displayname>
<name>dnsserver3</name>
<type>input</type>
<bindstofield>wizardtemp->step10->dns3</bindstofield>
<description>DNS server to provide for connecting client systems.</description>
</field>
<field>
<displayname>DNS Server 4</displayname>
<name>dnsserver4</name>
<type>input</type>
<bindstofield>wizardtemp->step10->dns4</bindstofield>
<description>DNS server to provide for connecting client systems.</description>
</field>
<field>
<displayname>NTP Server</displayname>
<name>ntpserver1</name>
<type>input</type>
<bindstofield>wizardtemp->step10->ntp1</bindstofield>
<description>Network Time Protocol server to provide for connecting client systems.</description>
</field>
<field>
<displayname>NTP Server 2</displayname>
<name>ntpserver2</name>
<type>input</type>
<bindstofield>wizardtemp->step10->ntp2</bindstofield>
<description>Network Time Protocol server to provide for connecting client systems.</description>
</field>
<field>
<name>nbtenable</name>
<type>checkbox</type>
<displayname>NetBIOS Options</displayname>
<bindstofield>wizardtemp->step10->nbtenable</bindstofield>
<typehint>Enable NetBIOS over TCP/IP. If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled.</typehint>
</field>
<field>
<displayname>NetBIOS Node Type</displayname>
<name>nbttype</name>
<type>select</type>
<bindstofield>wizardtemp->step10->nbttype</bindstofield>
<options>
<option>
<name>dummy</name>
<value>dummy</value>
</option>
</options>
<description>Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast).</description>
</field>
<field>
<displayname>NetBIOS Scope ID</displayname>
<name>nbtscope</name>
<type>input</type>
<bindstofield>wizardtemp->step10->nbtscope</bindstofield>
<description>A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS Scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS Scope ID.</description>
</field>
<field>
<displayname>WINS Server 1</displayname>
<name>winsserver1</name>
<type>input</type>
<bindstofield>wizardtemp->step10->wins1</bindstofield>
<description>A Windows Internet Name Service (WINS) server to provide for connecting clients, which allows them to browse Windows shares. This is typically an Active Directory Domain Controller, designated WINS server, or Samba server.</description>
</field>
<field>
<displayname>WINS Server 2</displayname>
<name>winsserver2</name>
<type>input</type>
<bindstofield>wizardtemp->step10->wins2</bindstofield>
<description>A Windows Internet Name Service (WINS) server to provide for connecting clients, which allows them to browse Windows shares. This is typically an Active Directory Domain Controller, designated WINS server, or Samba server.</description>
</field>
<field>
<name>Next</name>
<type>submit</type>
</field>
</fields>
<stepbeforeformdisplay>step10_stepbeforeformdisplay();</stepbeforeformdisplay>
<stepsubmitphpaction>step10_submitphpaction();</stepsubmitphpaction>
</step>
<step>
<id>11</id>
<title>Firewall Rule Configuration</title>
<fields>
<field>
<type>listtopic</type>
<name>Firewall Rule Configuration</name>
</field>
<field>
<type>text</type>
<description>Firewall Rules control what network traffic is permitted. You must add rules to allow traffic to the OpenVPN server's IP and port, as well as allowing traffic from connected clients through the tunnel. These rules can be automatically added here, or configured manually after completing the wizard.</description>
</field>
<field>
<type>listtopic</type>
<name>Traffic from clients to server</name>
</field>
<field>
<name>ovpnrule</name>
<displayname>Firewall Rule</displayname>
<typehint>Add a rule to permit traffic from clients on the Internet to the OpenVPN server process.</typehint>
<type>checkbox</type>
<bindstofield>wizardtemp->step11->ovpnrule</bindstofield>
</field>
<field>
<type>listtopic</type>
<name>Traffic from clients through VPN</name>
</field>
<field>
<name>ovpnallow</name>
<displayname>OpenVPN rule</displayname>
<typehint>Add a rule to allow all traffic from connected clients to pass across the VPN tunnel.</typehint>
<type>checkbox</type>
<bindstofield>wizardtemp->step11->ovpnallow</bindstofield>
</field>
<field>
<name>Next</name>
<type>submit</type>
</field>
</fields>
</step>
<step>
<id>12</id>
<title>Finished!</title>
<fields>
<field>
<type>text</type>
<description>Your configuration is now complete.</description>
</field>
<field>
<type>submit</type>
<name>Finish</name>
</field>
</fields>
<stepsubmitphpaction>step12_submitphpaction();</stepsubmitphpaction>
</step>
</wizard>

3
src/www/vpn_openvpn_server.php
View File

@ -1649,9 +1649,6 @@ $( document ).ready(function() {
<a href="vpn_openvpn_server.php?act=new" class="btn btn-primary btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Add')) ?>">
<i class="fa fa-plus fa-fw"></i>
</a>
<a href="wizard.php?xml=openvpn" class="btn btn-defaultu btn-xs" data-toggle="tooltip" title="<?= html_safe(gettext('Use a wizard to setup a new server')) ?>">
<i class="fa fa-magic fa-fw"></i>
</a>
</td>
</tr>
</thead>