/* Copyright (C) 2014 Deciso B.V. Copyright (C) 2010 Ermal Luçi All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ plugins.inc.d/openvpn/wizard.inc 12 1 listtopic Select an Authentication Backend Type select Type of Server authtype If you are unsure, leave this set to "Local User Access". wizardtemp->step1->type Local User Access local LDAP ldap Radius radius Next submit if (isset($config['wizardtemp'])) { unset($config['wizardtemp']); } step1_submitphpaction(); 2 listtopic LDAP Authentication Server List authserv LDAP servers select wizardtemp->step2->authserv dummy dummy submit Add new LDAP server submit Next step2_stepbeforeformdisplay(); step2_submitphpaction(); enablechange(); 3 listtopic LDAP Authentication Server Parameters name Name input wizardtemp->step2->authtype 30 Descriptive server name, for your own reference. ip Hostname or IP address input wizardtemp->step2->ip Address of the LDAP server. port Port input 8 wizardtemp->step2->port LDAP Server port, leave blank for the default (389 for TCP, 636 for SSL). transport Transport select wizardtemp->step2->transport TCP - Standard tcp SSL - Encrypted ssl The protocol used by your LDAP server. It can either be standard TCP or SSL encrypted. scope Search Scope Level select One Level one Entire Subtree subtree wizardtemp->step2->scope basedn Search Scope Base DN input 40 wizardtemp->step2->basedn authscope Authentication Containers input 40 wizardtemp->step2->authscope Semicolon separated. This will be prepended to the search base DN above or you can specify full container path, e.g. CN=Users;DC=example or CN=Users,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com userdn LDAP Bind User DN input 20 If left blank, an anonymous bind will be done. wizardtemp->step2->userdn passdn LDAP Bind Password password 20 wizardtemp->step2->passdn If a user DN was supplied above, this password will also be used when performing a bind operation. nameattr User Naming Attribute input wizardtemp->step2->nameattr Typically "cn" (OpenLDAP, Novell eDirectory), "sAMAccountName" (Microsoft AD) groupattr Group Naming Attribute input wizardtemp->step2->groupattr Typically "cn" (OpenLDAP, Microsoft AD, and Novell eDirectory) memberattr Member Naming Attribute input wizardtemp->step2->memberattr Typically "member" (OpenLDAP), "memberOf" (Microsoft AD), "uniqueMember" (Novell eDirectory) submit Add new Server step3_submitphpaction(); enablechange(); 4 listtopic RADIUS Authentication Server List authserv RADIUS servers select wizardtemp->step2->authserv dummy dummy submit Add new RADIUS server submit Next step4_stepbeforeformdisplay(); step4_submitphpaction(); enablechange(); 5 listtopic RADIUS Authentication Server Parameters name Name input wizardtemp->step2->authtype 20 Descriptive name for the RADIUS server, for your reference. ip Hostname or IP address input wizardtemp->step2->ip Address of the RADIUS server. port Authentication Port input 8 wizardtemp->step2->port Port used by the RADIUS server for accepting Authentication requests, typically 1812. secret Shared Secret password 20 wizardtemp->step2->password Add new Server submit step5_submitphpaction(); 6 Choose a Certificate Authority (CA) listtopic certca_selection 1 certca Certificate Authority wizardtemp->step6->authcertca submit Add new CA Next submit step6_stepbeforeformdisplay(); step6_submitphpaction(); 7 Create a New Certificate Authority (CA) Certificate listtopic descr Descriptive name A name for your reference, to identify this certificate. This is the same as common-name field for other Certificates. input 20 wizardtemp->step6->certca keylength Key length Size of the key which will be generated. The larger the key, the more security is offers, but larger keys are generally slower to use. select 2048 wizardtemp->step6->keylength 512 bit 512 1024 bit 1024 2048 bit 2048 3072 bit 3072 4096 bit 4096 lifetime Lifetime input 10 825 Lifetime in days. This is commonly set to 825 (approximately 2 years). wizardtemp->step6->lifetime country Country Code Two-letter ISO country code (e.g. NL, DE, US) input 5 wizardtemp->step6->country state State or Province Full State of Province name, not abbreviated (e.g. Zuid Holland, Sachsen, Kentucky). input 30 wizardtemp->step6->state city City City or other Locality name (e.g. Middelharnis, Leipzig, Louisville). input 30 wizardtemp->step6->city organization Organization Organization name, often the Company or Group name. input 30 wizardtemp->step6->organization email Email Email address for the Certificate contact. Often the email of the person generating the certificate (i.e. You.) input 30 wizardtemp->step6->email Add new CA submit step7_submitphpaction(); enablechange(); 8 Choose a Server Certificate listtopic cert_selection certname Certificate wizardtemp->step9->authcertname submit Add new Certificate Next submit step8_stepbeforeformdisplay(); step8_submitphpaction(); 9 Create a New Server Certificate listtopic descr Descriptive name A name for your reference, to identify this certificate. This is also known as the certificate's "Common Name". input 20 wizardtemp->step9->certname keylength Key length Size of the key which will be generated. The larger the key, the more security is offers, but larger keys are generally slower to use. select 2048 wizardtemp->step9->keylength 512 bit 512 1024 bit 1024 2048 bit 2048 3072 bit 3072 4096 bit 4096 lifetime Lifetime Lifetime in days. This is commonly set to 397 (approximately 1 year). input 10 397 wizardtemp->step9->lifetime country Country Code Two-letter ISO country code (e.g. NL, DE, US) input 5 wizardtemp->step9->country state State or Province Full State of Province name, not abbreviated (e.g. Zuid Holland, Sachsen, Kentucky). input 30 wizardtemp->step9->state city City City or other Locality name (e.g. Middelharnis, Leipzig, Louisville). input 30 wizardtemp->step9->city organization Organization Organization name, often the Company or Group name. input 30 wizardtemp->step9->organization email Email Email address for the Certificate contact. Often the email of the person generating the certificate (i.e. You.) input 30 wizardtemp->step9->email Create new Certificate submit step9_stepbeforeformdisplay(); step9_submitphpaction(); 10 listtopic General OpenVPN Server Information interface interfaces_selection openvpn any The interface where OpenVPN will listen for incoming connections. Interface wizardtemp->step10->interface Protocol select wizardtemp->step10->protocol UDP UDP UDP UDP4 UDP4 UDP6 UDP6 TCP TCP TCP4 TCP4 TCP6 TCP6 Protocol to use for OpenVPN connections. If you are unsure, leave this set to UDP. localport Local Port Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port. input 10 wizardtemp->step10->localport description Description A name for this OpenVPN instance, for your reference. It can be set however you like, but is often used to distinguish the purpose of the service (e.g. "Remote Technical Staff"). input 30 wizardtemp->step10->descr listtopic Cryptographic Settings TLS Authentication checkbox on Enable authentication of TLS packets. wizardtemp->step10->tlsauth Generate TLS Key generatetlskey tlssharedkey on checkbox Automatically generate a shared TLS authentication key. wizardtemp->step10->gentlskey TLS Shared Key tlssharedkey Paste in a shared TLS key if one has already been generated. textarea 30 5 wizardtemp->step10->tlskey crypto select Encryption Algorithm wizardtemp->step10->crypto dummy dummy The method used to encrypt traffic between endpoints. This setting must match on the client and server side, but is otherwise set however you like. Certain algorithms will perform better on different hardware, depending on the availability of supported VPN accelerator chips. digest select Auth Digest Algorithm wizardtemp->step10->digest dummy dummy SHA1 The method used to authenticate traffic between endpoints. This setting must match on the client and server side, but is otherwise set however you like. listtopic Tunnel Settings IPv4 Tunnel Network tunnelnet input 20 wizardtemp->step10->tunnelnet This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool) IPv6 Tunnel Network tunnelnetv6 input 20 wizardtemp->step10->tunnelnetv6 This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR (eg. fe80::/64). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool) Redirect Gateway redirectgw checkbox Force all client generated traffic through the tunnel. wizardtemp->step10->rdrgw IPv4 Local Network localnet input 20 wizardtemp->step10->localnet These are the IPv4 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more CIDR ranges. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network. IPv6 Local Network localnetv6 input 20 wizardtemp->step10->localnetv6 These are the IPv6 networks that will be accessible from the remote endpoint. Expressed as a comma-separated list of one or more IP/PREFIX. You may leave this blank if you don't want to add a route to the local network through this tunnel on the remote machine. This is generally set to your LAN network. IPv4 Remote Network remotenet input 20 wizardtemp->step10->remotenet These are the IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don't want a site-to-site VPN. IPv6 Remote Network remotenetv6 input 20 wizardtemp->step10->remotenetv6 These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don't want a site-to-site VPN. Concurrent Connections concurrentcon Specify the maximum number of clients allowed to concurrently connect to this server. input 10 wizardtemp->step10->concurrentcon Compression compression Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently. wizardtemp->step10->compression select dummy dummy Type-of-Service tos checkbox Set the TOS IP header value of tunnel packets to match the encapsulated packet value. wizardtemp->step10->tos Inter-Client Communication interclient checkbox Allow communication between clients connected to this server. wizardtemp->step10->interclient Duplicate Connections duplicate_cn checkbox Allow multiple concurrent connections from clients using the same Common Name. This is not generally recommended, but may be needed for some scenarios. wizardtemp->step10->duplicate_cn listtopic Client Settings Dynamic IP dynip checkbox on Allow connected clients to retain their connections if their IP address changes. wizardtemp->step10->dynip Address Pool addrpool checkbox on Provide a virtual adapter IP address to clients (see Tunnel Network). wizardtemp->step10->addrpool DNS Default Domain defaultdomain input Provide a default domain name to clients. wizardtemp->step10->defaultdomain DNS Server 1 dnsserver1 input wizardtemp->step10->dns1 DNS server to provide for connecting client systems. DNS Server 2 dnsserver2 input wizardtemp->step10->dns2 DNS server to provide for connecting client systems. DNS Server 3 dnsserver3 input wizardtemp->step10->dns3 DNS server to provide for connecting client systems. DNS Server 4 dnsserver4 input wizardtemp->step10->dns4 DNS server to provide for connecting client systems. NTP Server ntpserver1 input wizardtemp->step10->ntp1 Network Time Protocol server to provide for connecting client systems. NTP Server 2 ntpserver2 input wizardtemp->step10->ntp2 Network Time Protocol server to provide for connecting client systems. nbtenable checkbox NetBIOS Options wizardtemp->step10->nbtenable Enable NetBIOS over TCP/IP. If this option is not set, all NetBIOS-over-TCP/IP options (including WINS) will be disabled. NetBIOS Node Type nbttype select wizardtemp->step10->nbttype dummy dummy Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast). NetBIOS Scope ID nbtscope input wizardtemp->step10->nbtscope A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS Scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS Scope ID. WINS Server 1 winsserver1 input wizardtemp->step10->wins1 A Windows Internet Name Service (WINS) server to provide for connecting clients, which allows them to browse Windows shares. This is typically an Active Directory Domain Controller, designated WINS server, or Samba server. WINS Server 2 winsserver2 input wizardtemp->step10->wins2 A Windows Internet Name Service (WINS) server to provide for connecting clients, which allows them to browse Windows shares. This is typically an Active Directory Domain Controller, designated WINS server, or Samba server. Next submit step10_stepbeforeformdisplay(); step10_submitphpaction(); 11 listtopic Firewall Rule Configuration text Firewall Rules control what network traffic is permitted. You must add rules to allow traffic to the OpenVPN server's IP and port, as well as allowing traffic from connected clients through the tunnel. These rules can be automatically added here, or configured manually after completing the wizard. listtopic Traffic from clients to server ovpnrule Firewall Rule Add a rule to permit traffic from clients on the Internet to the OpenVPN server process. checkbox wizardtemp->step11->ovpnrule listtopic Traffic from clients through VPN ovpnallow OpenVPN rule Add a rule to allow all traffic from connected clients to pass across the VPN tunnel. checkbox wizardtemp->step11->ovpnallow Next submit 12 text Your configuration is now complete. submit Finish step12_submitphpaction();