-rw-r--r--config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc18
-rw-r--r--config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch289
-rw-r--r--config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml65
-rw-r--r--pkg_config.8.xml10
-rw-r--r--pkg_config.8.xml.amd6410
5 files changed, 392 insertions, 0 deletions
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc
new file mode 100644
index 00000000..197a5e25
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc
@@ -0,0 +1,18 @@
+<?php
+
+function openvpn_tapfix_20x_install() {
+ global $g, $config;
+
+ // Test to make sure the patch is not already applied.
+ $out = `patch -fslC --reverse -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch |& grep -ci reject`;
+ if ($out == 0) {
+ // If the patch has not already been applied, test to see if it will apply cleanly.
+ $out = `patch -fsNlC -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch |& grep -ci reject`;
+ if ($out == 0) {
+ // The patch should apply cleanly, let 'er rip.
+ mwexec("patch -fsNl -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch ");
+ }
+ }
+}
+
+?> \ No newline at end of file
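Review bot: The two guards at L24 and L27 decide from `grep -ci reject` on piped output, which is fragile on three counts: `|&` is a bash/csh construct while PHP backticks run the command through /bin/sh, where it is likely a syntax error; GNU patch in dry-run (`-C`) mode does not necessarily print the word "reject" at all; and the loose `$out == 0` treats empty output from a broken pipeline as "no rejects", so the real `mwexec` at L30 runs regardless and only `-N` stands between the package and a double application. The reverse dry-run branch at L25 also reads as the opposite of its comment, since a reverse apply that succeeds means the patch is already present, yet that is the case that proceeds. patch's exit status is the reliable signal (0 when every hunk applies), so I would drive both checks off `exec(..., $lines, $rc)`, keep the `--reverse` and `-N` split as written, and report the outcome with `log_error()` instead of silently doing nothing when the patch does not fit, as below.
```php
function openvpn_tapfix_20x_install() {
	global $g, $config;

	$patch  = escapeshellarg('/usr/local/pkg/openvpn_tapfix_20x.patch');
	$common = "-fsl -p1 -b .before_openvpn_tapfix_20x -d / -i {$patch}";

	// A reverse dry-run that succeeds means the patch is already in place.
	exec("patch {$common} --reverse -C 2>&1", $reverse_out, $rc);
	if ($rc === 0) {
		log_error("openvpn_tapfix_20x: patch already applied, nothing to do.");
		return;
	}

	// Forward dry-run: only touch the system when every hunk applies cleanly.
	exec("patch {$common} -N -C 2>&1", $forward_out, $rc);
	if ($rc !== 0) {
		log_error("openvpn_tapfix_20x: patch does not apply cleanly, leaving files untouched: " . implode(" ", $forward_out));
		return;
	}

	mwexec("patch {$common} -N");
}
```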
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
new file mode 100644
index 00000000..d23d9290
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
@@ -0,0 +1,289 @@
+diff --git /etc/inc/openvpn.inc.orig /etc/inc/openvpn.inc
+index 777b395..701a032 100644
+--- a/etc/inc/openvpn.inc
++++ b/etc/inc/openvpn.inc
+@@ -394,21 +394,39 @@ function openvpn_reconfigure($mode, $settings) {
+ // If the CIDR is less than a /30, OpenVPN will complain if you try to
+ // use the server directive. It works for a single client without it.
+ // See ticket #1417
+- if ($cidr < 30) {
++ if (!empty($ip) && !empty($mask) && ($cidr < 30)) {
+ $conf .= "server {$ip} {$mask}\n";
+ $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
+ }
+ case 'p2p_shared_key':
+- $baselong = ip2long32($ip) & ip2long($mask);
+- $ip1 = long2ip32($baselong + 1);
+- $ip2 = long2ip32($baselong + 2);
+- $conf .= "ifconfig $ip1 $ip2\n";
++ if (!empty($ip) && !empty($mask)) {
++ $baselong = ip2long32($ip) & ip2long($mask);
++ $ip1 = long2ip32($baselong + 1);
++ $ip2 = long2ip32($baselong + 2);
++ $conf .= "ifconfig $ip1 $ip2\n";
++ }
+ break;
+ case 'server_tls':
+ case 'server_user':
+ case 'server_tls_user':
+- $conf .= "server {$ip} {$mask}\n";
+- $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
++ if (!empty($ip) && !empty($mask)) {
++ $conf .= "server {$ip} {$mask}\n";
++ $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
++ } else {
++ if ($settings['serverbridge_dhcp']) {
++ if ((!empty($settings['serverbridge_interface'])) && (strcmp($settings['serverbridge_interface'], "none"))) {
++ $biface_ip=get_interface_ip($settings['serverbridge_interface']);
++ $biface_sm=gen_subnet_mask(get_interface_subnet($settings['serverbridge_interface']));
++ if (is_ipaddr($biface_ip) && is_ipaddr($settings['serverbridge_dhcp_start']) && is_ipaddr($settings['serverbridge_dhcp_end'])) {
++ $conf .= "server-bridge {$biface_ip} {$biface_sm} {$settings['serverbridge_dhcp_start']} {$settings['serverbridge_dhcp_end']}\n";
++ } else {
++ $conf .= "mode server\n";
++ }
++ } else {
++ $conf .= "mode server\n";
++ }
++ }
++ }
+ break;
+ }
+
+@@ -1021,4 +1039,4 @@ function openvpn_refresh_crls() {
+ }
+ }
+
+-?>
+\ No newline at end of file
++?>
+diff --git /usr/local/www/vpn_openvpn_server.php.orig /usr/local/www/vpn_openvpn_server.php
+index 0ef67a7..bd9f527 100644
+--- a/usr/local/www/vpn_openvpn_server.php
++++ b/usr/local/www/vpn_openvpn_server.php
+@@ -147,6 +147,11 @@ if($_GET['act']=="edit"){
+ $pconfig['dynamic_ip'] = $a_server[$id]['dynamic_ip'];
+ $pconfig['pool_enable'] = $a_server[$id]['pool_enable'];
+
++ $pconfig['serverbridge_dhcp'] = $a_server[$id]['serverbridge_dhcp'];
++ $pconfig['serverbridge_interface'] = $a_server[$id]['serverbridge_interface'];
++ $pconfig['serverbridge_dhcp_start'] = $a_server[$id]['serverbridge_dhcp_start'];
++ $pconfig['serverbridge_dhcp_end'] = $a_server[$id]['serverbridge_dhcp_end'];
++
+ $pconfig['dns_domain'] = $a_server[$id]['dns_domain'];
+ if ($pconfig['dns_domain'])
+ $pconfig['dns_domain_enable'] = true;
+@@ -188,7 +193,6 @@ if($_GET['act']=="edit"){
+ $pconfig['duplicate_cn'] = isset($a_server[$id]['duplicate_cn']);
+ }
+ }
+-
+ if ($_POST) {
+
+ unset($input_errors);
+@@ -284,9 +288,22 @@ if ($_POST) {
+ $reqdfieldsn = array(gettext('Shared key'));
+ }
+
+- $reqdfields[] = 'tunnel_network';
+- $reqdfieldsn[] = gettext('Tunnel network');
+-
++ if ($pconfig['dev_mode'] != "tap") {
++ $reqdfields[] = 'tunnel_network';
++ $reqdfieldsn[] = gettext('Tunnel network');
++ } else {
++ if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network'])
++ $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
++ if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end'])
++ || (!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end']))
++ $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
++ if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start'])))
++ $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
++ if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end'])))
++ $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
++ if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end']))
++ $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
++ }
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ if (!$input_errors) {
+@@ -341,6 +358,11 @@ if ($_POST) {
+ $server['dynamic_ip'] = $pconfig['dynamic_ip'];
+ $server['pool_enable'] = $pconfig['pool_enable'];
+
++ $server['serverbridge_dhcp'] = $pconfig['serverbridge_dhcp'];
++ $server['serverbridge_interface'] = $pconfig['serverbridge_interface'];
++ $server['serverbridge_dhcp_start'] = $pconfig['serverbridge_dhcp_start'];
++ $server['serverbridge_dhcp_end'] = $pconfig['serverbridge_dhcp_end'];
++
+ if ($pconfig['dns_domain_enable'])
+ $server['dns_domain'] = $pconfig['dns_domain'];
+
+@@ -559,6 +581,56 @@ function netbios_change() {
+ }
+ }
+
++function tuntap_change() {
++
++ mindex = document.iform.mode.selectedIndex;
++ mvalue = document.iform.mode.options[mindex].value;
++
++ switch(mvalue) {
++ case "p2p_tls":
++ case "p2p_shared_key":
++ p2p = true;
++ break;
++ default:
++ p2p = false;
++ break;
++ }
++
++ index = document.iform.dev_mode.selectedIndex;
++ value = document.iform.dev_mode.options[index].value;
++ switch(value) {
++ case "tun":
++ document.getElementById("ipv4_tunnel_network").className="vncellreq";
++ document.getElementById("serverbridge_dhcp").style.display="none";
++ document.getElementById("serverbridge_interface").style.display="none";
++ document.getElementById("serverbridge_dhcp_start").style.display="none";
++ document.getElementById("serverbridge_dhcp_end").style.display="none";
++ break;
++ case "tap":
++ document.getElementById("ipv4_tunnel_network").className="vncell";
++ if (!p2p) {
++ document.getElementById("serverbridge_dhcp").style.display="";
++ document.getElementById("serverbridge_interface").style.display="";
++ document.getElementById("serverbridge_dhcp_start").style.display="";
++ document.getElementById("serverbridge_dhcp_end").style.display="";
++ if (document.iform.serverbridge_dhcp.checked) {
++ document.iform.serverbridge_interface.disabled = false;
++ document.iform.serverbridge_dhcp_start.disabled = false;
++ document.iform.serverbridge_dhcp_end.disabled = false;
++ } else {
++ document.iform.serverbridge_interface.disabled = true;
++ document.iform.serverbridge_dhcp_start.disabled = true;
++ document.iform.serverbridge_dhcp_end.disabled = true;
++ }
++ } else {
++ document.iform.serverbridge_dhcp.disabled = true;
++ document.iform.serverbridge_interface.disabled = true;
++ document.iform.serverbridge_dhcp_start.disabled = true;
++ document.iform.serverbridge_dhcp_end.disabled = true;
++ }
++ break;
++ }
++}
+ //-->
+ </script>
+ <?php
+@@ -619,7 +691,7 @@ if ($savemsg)
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Server Mode");?></td>
+ <td width="78%" class="vtable">
+- <select name='mode' id='mode' class="formselect" onchange='mode_change()'>
++ <select name='mode' id='mode' class="formselect" onchange='mode_change(); tuntap_change()'>
+ <?php
+ foreach ($openvpn_server_modes as $name => $desc):
+ $selected = "";
+@@ -666,7 +738,7 @@ if ($savemsg)
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Device Mode"); ?></td>
+ <td width="78%" class="vtable">
+- <select name="dev_mode" class="formselect">
++ <select name="dev_mode" class="formselect" onchange='tuntap_change()'>
+ <?php
+ foreach ($openvpn_dev_mode as $device):
+ $selected = "";
+@@ -976,7 +1048,7 @@ if ($savemsg)
+ <td colspan="2" valign="top" class="listtopic"><?=gettext("Tunnel Settings"); ?></td>
+ </tr>
+ <tr>
+- <td width="22%" valign="top" class="vncellreq"><?=gettext("Tunnel Network"); ?></td>
++ <td width="22%" valign="top" class="vncellreq" id="ipv4_tunnel_network"><?=gettext("IPv4 Tunnel Network"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>">
+ <br>
+@@ -989,6 +1061,76 @@ if ($savemsg)
+ "to connecting clients. (see Address Pool)"); ?>
+ </td>
+ </tr>
++ <tr id="serverbridge_dhcp">
++ <td width="22%" valign="top" class="vncell"><?=gettext("Bridge DHCP"); ?></td>
++ <td width="78%" class="vtable">
++ <table border="0" cellpadding="2" cellspacing="0">
++ <tr>
++ <td>
++ <?php set_checked($pconfig['serverbridge_dhcp'],$chk); ?>
++ <input name="serverbridge_dhcp" type="checkbox" value="yes" <?=$chk;?> onchange='tuntap_change()' />
++ </td>
++ <td>
++ <span class="vexpl">
++ <?=gettext("Allow clients on the bridge to obtain DHCP."); ?><br>
++ </span>
++ </td>
++ </tr>
++ </table>
++ </td>
++ </tr>
++ <tr id="serverbridge_interface">
++ <td width="22%" valign="top" class="vncell"><?=gettext("Bridge Interface"); ?></td>
++ <td width="78%" class="vtable">
++ <select name="serverbridge_interface" class="formselect">
++ <?php
++ $serverbridge_interface['none'] = "none";
++ $serverbridge_interface = array_merge($serverbridge_interface, get_configured_interface_with_descr());
++ $carplist = get_configured_carp_interface_list();
++ foreach ($carplist as $cif => $carpip)
++ $serverbridge_interface[$cif.'|'.$carpip] = $carpip." (".get_vip_descr($carpip).")";
++ $aliaslist = get_configured_ip_aliases_list();
++ foreach ($aliaslist as $aliasip => $aliasif)
++ $serverbridge_interface[$aliasif.'|'.$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";
++ foreach ($serverbridge_interface as $iface => $ifacename):
++ $selected = "";
++ if ($iface == $pconfig['serverbridge_interface'])
++ $selected = "selected";
++ ?>
++ <option value="<?=$iface;?>" <?=$selected;?>>
++ <?=htmlspecialchars($ifacename);?>
++ </option>
++ <?php endforeach; ?>
++ </select> <br>
++ <?=gettext("The interface to which this tap instance will be, " .
++ "bridged. This is not done automatically. You must assign this " .
++ "interface and create the bridge separately. " .
++ "This setting controls which existing IP address and subnet " .
++ "mask are used by OpenVPN for the bridge. Setting this to " .
++ "'none' will cause the Server Bridge DHCP settings below to be ignored."); ?>
++ </td>
++ </tr>
++ <tr id="serverbridge_dhcp_start">
++ <td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP Start"); ?></td>
++ <td width="78%" class="vtable">
++ <input name="serverbridge_dhcp_start" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_start']);?>">
++ <br>
++ <?=gettext("When using tap mode as multi-point server, " .
++ "you may optionally supply a DHCP range to use on the " .
++ "interface to which this tap instance is bridged. " .
++ "If these settings are left blank, DHCP will be passed " .
++ "through to the LAN, and the interface setting above " .
++ "will be ignored."); ?>
++ </td>
++ </tr>
++ <tr id="serverbridge_dhcp_end">
++ <td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP Start"); ?></td>
++ <td width="78%" class="vtable">
++ <input name="serverbridge_dhcp_end" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_end']);?>">
++ <br>
++ <?=gettext(""); ?>
++ </td>
++ </tr>
+ <tr id="gwredir_opts">
+ <td width="22%" valign="top" class="vncell"><?=gettext("Redirect Gateway"); ?></td>
+ <td width="78%" class="vtable">
+@@ -1486,6 +1628,7 @@ dns_server_change();
+ wins_server_change();
+ ntp_server_change();
+ netbios_change();
++tuntap_change();
+ //-->
+ </script>
+ </body>
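Review bot: The range check added at L144 calls `ip2ulong()` on both bridge DHCP fields unconditionally, including the permitted case where both are empty (L139) and the case where one is not a valid IPv4 address (L141/L143), so depending on how ip2ulong treats a non-address it can stack a misleading "start higher than end" error on top of the format error; guard it as `if ($pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end'] && is_ipaddrv4($pconfig['serverbridge_dhcp_start']) && is_ipaddrv4($pconfig['serverbridge_dhcp_end']) && ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end']))`. In the form, the End row at L313 reuses the "Server Bridge DHCP Start" label and L317 emits `gettext("")`; the label should read `gettext("Server Bridge DHCP End")` and the empty gettext dropped or given the help text. At L286 `$iface` is written into the option value attribute unescaped while `$ifacename` on the next line is escaped; the values are config-derived so the exposure is small, but `<?=htmlspecialchars($iface);?>` keeps the two consistent. This hunk is itself a patch file, and the functions its inner hunks modify (`openvpn_reconfigure` in openvpn.inc and the POST handler in vpn_openvpn_server.php) start and end outside what is shown here.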
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml
new file mode 100644
index 00000000..17a59947
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ openvpn_tapfix_20x.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2011 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>OpenVPN tap Bridging Fix</description>
+ <requirements>pfSense 2.0.x</requirements>
+ <faq>None</faq>
+ <name>OpenVPN tap Bridging Fix</name>
+ <version>0.1</version>
+ <title>OpenVPN tap Bridging Fix</title>
+ <include_file>/usr/local/pkg/openvpn_tapfix_20x.inc</include_file>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch</item>
+ </additional_files_needed>
+ <custom_php_install_command>
+ openvpn_tapfix_20x_install();
+ </custom_php_install_command>
+</packagegui>
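Review bot: `<chmod>077</chmod>` at L390 and L395 looks like a mistyped mode: read as octal it strips every owner bit and grants group and other full access, and the second of those files is the patch that the install command applies as root into /etc/inc and /usr/local/www, so it must not be writable by anyone but root; `<chmod>0644</chmod>` is the intended value, assuming the package framework applies the element as an octal mode. The two `<item>` URLs at L391 and L396 fetch the .inc and the .patch over plain http and nothing in this file records a checksum for them, so the code that ends up patched into the system depends entirely on the transport; serving them over https, or recording an integrity value if the framework supports one, would close that gap. The copyright block at L348 still carries the placeholder "to whom it may belong" and should name the actual author.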
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index b5270ae8..bb957701 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -1263,5 +1263,15 @@
<config_file>http://www.pfsense.com/packages/config/zebedee/zebedee.xml</config_file>
<configurationfile>zebedee.xml</configurationfile>
</package>
+ <package>
+ <name>OpenVPN tap Bridging Fix</name>
+ <descr>Patch to fix OpenVPN tap bridging on 2.0.x. WARNING! Cannot be uninstalled.</descr>
+ <category>System</category>
+ <config_file>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml</config_file>
+ <version>0.1</version>
+ <status>BETA</status>
+ <required_version>2.0</required_version>
+ <maximum_version>2.1</maximum_version>
+ </package>
</packages>
</pfsensepkgs>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 175359c1..2928b4a1 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -1196,5 +1196,15 @@
<config_file>http://www.pfsense.com/packages/config/zebedee/zebedee.xml</config_file>
<configurationfile>zebedee.xml</configurationfile>
</package>
+ <package>
+ <name>OpenVPN tap Bridging Fix</name>
+ <descr>Patch to fix OpenVPN tap bridging on 2.0.x. WARNING! Cannot be uninstalled.</descr>
+ <category>System</category>
+ <config_file>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml</config_file>
+ <version>0.1</version>
+ <status>BETA</status>
+ <required_version>2.0</required_version>
+ <maximum_version>2.1</maximum_version>
+ </package>
</packages>
</pfsensepkgs>