-rw-r--r-- | config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc | 18 | ||||
-rw-r--r-- | config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch | 289 | ||||
-rw-r--r-- | config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml | 65 | ||||
-rw-r--r-- | pkg_config.8.xml | 10 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 10 |
5 files changed, 392 insertions, 0 deletions
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc
new file mode 100644
index 00000000..197a5e25
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc
@@ -0,0 +1,18 @@
+<?php
+
+function openvpn_tapfix_20x_install() {
+ global $g, $config;
+
+ // Test to make sure the patch is not already applied.
+ $out = `patch -fslC --reverse -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch |& grep -ci reject`;
+ if ($out == 0) {
+ // If the patch has not already been applied, test to see if it will apply cleanly.
+ $out = `patch -fsNlC -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch |& grep -ci reject`;
+ if ($out == 0) {
+ // The patch should apply cleanly, let 'er rip.
+ mwexec("patch -fsNl -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch ");
+ }
+ }
+}
+
+?>
\ No newline at end of file
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
new file mode 100644
index 00000000..d23d9290
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
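Review bot: The guards in openvpn_tapfix_20x_install() compare the backtick output loosely (`if ($out == 0)`), and `|&` is not a POSIX sh pipe operator; if the shell spawned for the backticks rejects it, or grep prints nothing, `$out` is an empty string, `'' == 0` is true on this PHP generation, and a failed pre-check still lets the real `patch` run against /etc/inc and /usr/local/www. Check the exit status instead, e.g. `exec($cmd, $lines, $rc); if ($rc === 0)`, and compare the reject count strictly with `trim($out) === '0'`. The sense of the first check also looks inverted: a reverse dry-run with zero rejects means the patch reverse-applies cleanly, i.e. it is already present, yet the comment treats that as "not applied" — worth confirming by running it once on a clean and once on a patched install. A short docblock saying that this edits system files in place, keeps `.before_openvpn_tapfix_20x` backups and has no uninstall path would help, since the package description warns it cannot be uninstalled.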
@@ -0,0 +1,289 @@
+diff --git /etc/inc/openvpn.inc.orig /etc/inc/openvpn.inc
+index 777b395..701a032 100644
+--- a/etc/inc/openvpn.inc
++++ b/etc/inc/openvpn.inc
+@@ -394,21 +394,39 @@ function openvpn_reconfigure($mode, $settings) {
+ // If the CIDR is less than a /30, OpenVPN will complain if you try to
+ // use the server directive. It works for a single client without it.
+ // See ticket #1417
+- if ($cidr < 30) {
++ if (!empty($ip) && !empty($mask) && ($cidr < 30)) {
+ $conf .= "server {$ip} {$mask}\n";
+ $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
+ }
+ case 'p2p_shared_key':
+- $baselong = ip2long32($ip) & ip2long($mask);
+- $ip1 = long2ip32($baselong + 1);
+- $ip2 = long2ip32($baselong + 2);
+- $conf .= "ifconfig $ip1 $ip2\n";
++ if (!empty($ip) && !empty($mask)) {
++ $baselong = ip2long32($ip) & ip2long($mask);
++ $ip1 = long2ip32($baselong + 1);
++ $ip2 = long2ip32($baselong + 2);
++ $conf .= "ifconfig $ip1 $ip2\n";
++ }
+ break;
+ case 'server_tls':
+ case 'server_user':
+ case 'server_tls_user':
+- $conf .= "server {$ip} {$mask}\n";
+- $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
++ if (!empty($ip) && !empty($mask)) {
++ $conf .= "server {$ip} {$mask}\n";
++ $conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
++ } else {
++ if ($settings['serverbridge_dhcp']) {
++ if ((!empty($settings['serverbridge_interface'])) && (strcmp($settings['serverbridge_interface'], "none"))) {
++ $biface_ip=get_interface_ip($settings['serverbridge_interface']);
++ $biface_sm=gen_subnet_mask(get_interface_subnet($settings['serverbridge_interface']));
++ if (is_ipaddr($biface_ip) && is_ipaddr($settings['serverbridge_dhcp_start']) && is_ipaddr($settings['serverbridge_dhcp_end'])) {
++ $conf .= "server-bridge {$biface_ip} {$biface_sm} {$settings['serverbridge_dhcp_start']} {$settings['serverbridge_dhcp_end']}\n";
++ } else {
++ $conf .= "mode server\n";
++ }
++ } else {
++ $conf .= "mode server\n";
++ }
++ }
++ }
+ break;
+ }
+ 
+@@ -1021,4 +1039,4 @@ function openvpn_refresh_crls() {
+ }
+ }
+ 
+-?>
+\ No newline at end of file
++?>
+diff --git /usr/local/www/vpn_openvpn_server.php.orig /usr/local/www/vpn_openvpn_server.php
+index 0ef67a7..bd9f527 100644
+--- a/usr/local/www/vpn_openvpn_server.php
++++ b/usr/local/www/vpn_openvpn_server.php
+@@ -147,6 +147,11 @@ if($_GET['act']=="edit"){
+ $pconfig['dynamic_ip'] = $a_server[$id]['dynamic_ip'];
+ $pconfig['pool_enable'] = $a_server[$id]['pool_enable'];
+ 
++ $pconfig['serverbridge_dhcp'] = $a_server[$id]['serverbridge_dhcp'];
++ $pconfig['serverbridge_interface'] = $a_server[$id]['serverbridge_interface'];
++ $pconfig['serverbridge_dhcp_start'] = $a_server[$id]['serverbridge_dhcp_start'];
++ $pconfig['serverbridge_dhcp_end'] = $a_server[$id]['serverbridge_dhcp_end'];
++ 
+ $pconfig['dns_domain'] = $a_server[$id]['dns_domain'];
+ if ($pconfig['dns_domain'])
+ $pconfig['dns_domain_enable'] = true;
+@@ -188,7 +193,6 @@ if($_GET['act']=="edit"){
+ $pconfig['duplicate_cn'] = isset($a_server[$id]['duplicate_cn']);
+ }
+ }
+-
+ if ($_POST) {
+ 
+ unset($input_errors);
+@@ -284,9 +288,22 @@ if ($_POST) {
+ $reqdfieldsn = array(gettext('Shared key'));
+ }
+ 
+- $reqdfields[] = 'tunnel_network';
+- $reqdfieldsn[] = gettext('Tunnel network');
+-
++ if ($pconfig['dev_mode'] != "tap") {
++ $reqdfields[] = 'tunnel_network';
++ $reqdfieldsn[] = gettext('Tunnel network');
++ } else {
++ if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network'])
++ $input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
++ if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end'])
++ || (!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end']))
++ $input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
++ if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start'])))
++ $input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
++ if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end'])))
++ $input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
++ if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end']))
++ $input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
++ }
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ 
+ if (!$input_errors) {
+@@ -341,6 +358,11 @@ if ($_POST) {
+ $server['dynamic_ip'] = $pconfig['dynamic_ip'];
+ $server['pool_enable'] = $pconfig['pool_enable'];
+ 
++ $server['serverbridge_dhcp'] = $pconfig['serverbridge_dhcp'];
++ $server['serverbridge_interface'] = $pconfig['serverbridge_interface'];
++ $server['serverbridge_dhcp_start'] = $pconfig['serverbridge_dhcp_start'];
++ $server['serverbridge_dhcp_end'] = $pconfig['serverbridge_dhcp_end'];
++ 
+ if ($pconfig['dns_domain_enable'])
+ $server['dns_domain'] = $pconfig['dns_domain'];
+ 
+@@ -559,6 +581,56 @@ function netbios_change() {
+ }
+ }
+ 
++function tuntap_change() {
++ 
++ mindex = document.iform.mode.selectedIndex;
++ mvalue = document.iform.mode.options[mindex].value;
++ 
++ switch(mvalue) {
++ case "p2p_tls":
++ case "p2p_shared_key":
++ p2p = true;
++ break;
++ default:
++ p2p = false;
++ break;
++ }
++ 
++ index = document.iform.dev_mode.selectedIndex;
++ value = document.iform.dev_mode.options[index].value;
++ switch(value) {
++ case "tun":
++ document.getElementById("ipv4_tunnel_network").className="vncellreq";
++ document.getElementById("serverbridge_dhcp").style.display="none";
++ document.getElementById("serverbridge_interface").style.display="none";
++ document.getElementById("serverbridge_dhcp_start").style.display="none";
++ document.getElementById("serverbridge_dhcp_end").style.display="none";
++ break;
++ case "tap":
++ document.getElementById("ipv4_tunnel_network").className="vncell";
++ if (!p2p) {
++ document.getElementById("serverbridge_dhcp").style.display="";
++ document.getElementById("serverbridge_interface").style.display="";
++ document.getElementById("serverbridge_dhcp_start").style.display="";
++ document.getElementById("serverbridge_dhcp_end").style.display="";
++ if (document.iform.serverbridge_dhcp.checked) {
++ document.iform.serverbridge_interface.disabled = false;
++ document.iform.serverbridge_dhcp_start.disabled = false;
++ document.iform.serverbridge_dhcp_end.disabled = false;
++ } else {
++ document.iform.serverbridge_interface.disabled = true;
++ document.iform.serverbridge_dhcp_start.disabled = true;
++ document.iform.serverbridge_dhcp_end.disabled = true;
++ }
++ } else {
++ document.iform.serverbridge_dhcp.disabled = true;
++ document.iform.serverbridge_interface.disabled = true;
++ document.iform.serverbridge_dhcp_start.disabled = true;
++ document.iform.serverbridge_dhcp_end.disabled = true;
++ }
++ break;
++ }
++}
+ //-->
+ </script>
+ <?php
+@@ -619,7 +691,7 @@ if ($savemsg)
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Server Mode");?></td>
+ <td width="78%" class="vtable">
+- <select name='mode' id='mode' class="formselect" onchange='mode_change()'>
++ <select name='mode' id='mode' class="formselect" onchange='mode_change(); tuntap_change()'>
+ <?php
+ foreach ($openvpn_server_modes as $name => $desc):
+ $selected = "";
+@@ -666,7 +738,7 @@ if ($savemsg)
+ <tr>
+ <td width="22%" valign="top" class="vncellreq"><?=gettext("Device Mode"); ?></td>
+ <td width="78%" class="vtable">
+- <select name="dev_mode" class="formselect">
++ <select name="dev_mode" class="formselect" onchange='tuntap_change()'>
+ <?php
+ foreach ($openvpn_dev_mode as $device):
+ $selected = "";
+@@ -976,7 +1048,7 @@ if ($savemsg)
+ <td colspan="2" valign="top" class="listtopic"><?=gettext("Tunnel Settings"); ?></td>
+ </tr>
+ <tr>
+- <td width="22%" valign="top" class="vncellreq"><?=gettext("Tunnel Network"); ?></td>
++ <td width="22%" valign="top" class="vncellreq" id="ipv4_tunnel_network"><?=gettext("IPv4 Tunnel Network"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>">
+ <br>
+@@ -989,6 +1061,76 @@ if ($savemsg)
+ "to connecting clients. (see Address Pool)"); ?>
+ </td>
+ </tr>
++ <tr id="serverbridge_dhcp">
++ <td width="22%" valign="top" class="vncell"><?=gettext("Bridge DHCP"); ?></td>
++ <td width="78%" class="vtable">
++ <table border="0" cellpadding="2" cellspacing="0">
++ <tr>
++ <td>
++ <?php set_checked($pconfig['serverbridge_dhcp'],$chk); ?>
++ <input name="serverbridge_dhcp" type="checkbox" value="yes" <?=$chk;?> onchange='tuntap_change()' />
++ </td>
++ <td>
++ <span class="vexpl">
++ <?=gettext("Allow clients on the bridge to obtain DHCP."); ?><br>
++ </span>
++ </td>
++ </tr>
++ </table>
++ </td>
++ </tr>
++ <tr id="serverbridge_interface">
++ <td width="22%" valign="top" class="vncell"><?=gettext("Bridge Interface"); ?></td>
++ <td width="78%" class="vtable">
++ <select name="serverbridge_interface" class="formselect">
++ <?php
++ $serverbridge_interface['none'] = "none";
++ $serverbridge_interface = array_merge($serverbridge_interface, get_configured_interface_with_descr());
++ $carplist = get_configured_carp_interface_list();
++ foreach ($carplist as $cif => $carpip)
++ $serverbridge_interface[$cif.'|'.$carpip] = $carpip." (".get_vip_descr($carpip).")";
++ $aliaslist = get_configured_ip_aliases_list();
++ foreach ($aliaslist as $aliasip => $aliasif)
++ $serverbridge_interface[$aliasif.'|'.$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";
++ foreach ($serverbridge_interface as $iface => $ifacename):
++ $selected = "";
++ if ($iface == $pconfig['serverbridge_interface'])
++ $selected = "selected";
++ ?>
++ <option value="<?=$iface;?>" <?=$selected;?>>
++ <?=htmlspecialchars($ifacename);?>
++ </option>
++ <?php endforeach; ?>
++ </select> <br>
++ <?=gettext("The interface to which this tap instance will be, " .
++ "bridged. This is not done automatically. You must assign this " .
++ "interface and create the bridge separately. " .
++ "This setting controls which existing IP address and subnet " .
++ "mask are used by OpenVPN for the bridge. Setting this to " .
++ "'none' will cause the Server Bridge DHCP settings below to be ignored."); ?>
++ </td>
++ </tr>
++ <tr id="serverbridge_dhcp_start">
++ <td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP Start"); ?></td>
++ <td width="78%" class="vtable">
++ <input name="serverbridge_dhcp_start" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_start']);?>">
++ <br>
++ <?=gettext("When using tap mode as multi-point server, " .
++ "you may optionally supply a DHCP range to use on the " .
++ "interface to which this tap instance is bridged. " .
++ "If these settings are left blank, DHCP will be passed " .
++ "through to the LAN, and the interface setting above " .
++ "will be ignored."); ?>
++ </td>
++ </tr>
++ <tr id="serverbridge_dhcp_end">
++ <td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP Start"); ?></td>
++ <td width="78%" class="vtable">
++ <input name="serverbridge_dhcp_end" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_end']);?>">
++ <br>
++ <?=gettext(""); ?>
++ </td>
++ </tr>
+ <tr id="gwredir_opts">
+ <td width="22%" valign="top" class="vncell"><?=gettext("Redirect Gateway"); ?></td>
+ <td width="78%" class="vtable">
+@@ -1486,6 +1628,7 @@ dns_server_change();
+ wins_server_change();
+ ntp_server_change();
+ netbios_change();
++tuntap_change();
+ //-->
+ </script>
+ </body>
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml
new file mode 100644
index 00000000..17a59947
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml
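Review bot: In the vpn_openvpn_server.php validation block (`+@@ -284,9 +288,22 @@`), `$pconfig['serverbridge_interface']` is written to the config without being checked against the option list the form later builds from get_configured_interface_with_descr() and the CARP/alias lists, and the openvpn.inc hunk then passes the stored value straight to get_interface_ip()/get_interface_subnet(); building that same list at validation time and adding `if (!array_key_exists($pconfig['serverbridge_interface'], $serverbridge_interface)) $input_errors[] = gettext("Invalid bridge interface.");` keeps the stored value inside the expected set. The range check `ip2ulong(start) > ip2ulong(end)` also runs when both fields are empty, which the preceding checks allow; wrapping it in `if ($pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end'])` avoids relying on what ip2ulong() returns for an empty string. In the form hunk (`+@@ -989,6 +1061,76 @@`) the `serverbridge_dhcp_end` row reuses the label `gettext("Server Bridge DHCP Start")` and carries an empty `gettext("")`. In the openvpn.inc hunk, a tap server_* instance with no tunnel network and serverbridge_dhcp unset emits neither `server` nor `mode server`; if that is intended, a one-line comment there saying so would help. The enclosing `if ($_POST)` block and openvpn_reconfigure() both continue outside the hunks.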
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ openvpn_tapfix_20x.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2011 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>OpenVPN tap Bridging Fix</description>
+ <requirements>pfSense 2.0.x</requirements>
+ <faq>None</faq>
+ <name>OpenVPN tap Bridging Fix</name>
+ <version>0.1</version>
+ <title>OpenVPN tap Bridging Fix</title>
+ <include_file>/usr/local/pkg/openvpn_tapfix_20x.inc</include_file>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>077</chmod>
+ <item>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch</item>
+ </additional_files_needed>
+ <custom_php_install_command>
+ openvpn_tapfix_20x_install();
+ </custom_php_install_command>
+</packagegui>
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index b5270ae8..bb957701 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -1263,5 +1263,15 @@
 <config_file>http://www.pfsense.com/packages/config/zebedee/zebedee.xml</config_file>
 <configurationfile>zebedee.xml</configurationfile>
 </package>
+ <package>
+ <name>OpenVPN tap Bridging Fix</name>
+ <descr>Patch to fix OpenVPN tap bridging on 2.0.x. WARNING! Cannot be uninstalled.</descr>
+ <category>System</category>
+ <config_file>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml</config_file>
+ <version>0.1</version>
+ <status>BETA</status>
+ <required_version>2.0</required_version>
+ <maximum_version>2.1</maximum_version>
+ </package>
 </packages>
 </pfsensepkgs>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 175359c1..2928b4a1 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
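Review bot: `<chmod>077</chmod>` on both additional_files_needed entries, if the installer passes it to chmod literally, strips every owner permission and gives group and others read, write and execute on the downloaded .inc and .patch under /usr/local/pkg/; the .patch is then applied to /etc/inc and /usr/local/www by openvpn_tapfix_20x_install() at install time, so a group- or world-writable copy lets any local writer alter what gets patched in. Unless pfSense's package installer is known to normalise this value, `<chmod>0644</chmod>` is the mode a read-only data file and include should carry. Both files are also fetched from plain http:// URLs with no checksum in the manifest, so the patch body is trusted exactly as downloaded; that follows the package-list convention on this page, but it belongs in the description next to the existing "Cannot be uninstalled" warning.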
@@ -1196,5 +1196,15 @@
 <config_file>http://www.pfsense.com/packages/config/zebedee/zebedee.xml</config_file>
 <configurationfile>zebedee.xml</configurationfile>
 </package>
+ <package>
+ <name>OpenVPN tap Bridging Fix</name>
+ <descr>Patch to fix OpenVPN tap bridging on 2.0.x. WARNING! Cannot be uninstalled.</descr>
+ <category>System</category>
+ <config_file>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml</config_file>
+ <version>0.1</version>
+ <status>BETA</status>
+ <required_version>2.0</required_version>
+ <maximum_version>2.1</maximum_version>
+ </package>
 </packages>
 </pfsensepkgs>
|