Diffstat (limited to 'config/openvpn-client-export')
-rwxr-xr-xconfig/openvpn-client-export/openvpn-client-export.inc169
-rwxr-xr-xconfig/openvpn-client-export/vpn_openvpn_export.php102
2 files changed, 197 insertions, 74 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 15096e6c..ddc97025 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -35,6 +35,7 @@ require_once("globals.inc");
require_once("openvpn.inc");
function openvpn_client_export_install() {
+ conf_mount_rw();
$tarpath = "/tmp/openvpn-client-export.tgz";
$phpfile = "vpn_openvpn_export.php";
$ovpndir = "/usr/local/share/openvpn";
@@ -45,15 +46,18 @@ function openvpn_client_export_install() {
exec("/usr/bin/tar zxf {$tarpath} -C {$ovpndir}");
unlink($tarpath);
+ conf_mount_ro();
}
function openvpn_client_export_deinstall() {
+ conf_mount_rw();
$phpfile = "vpn_openvpn_export.php";
$ovpndir = "/usr/local/share/openvpn";
$workdir = "{$ovpndir}/client-export";
unlink_if_exists("/usr/local/www/{$phpfile}");
exec("/bin/rm -r {$workdir}");
+ conf_mount_ro();
}
function openvpn_client_export_prefix($srvid) {
@@ -86,8 +90,8 @@ function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $cap
unlink($capath);
}
-function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys = false, $proxy) {
- global $config, $input_errors;
+function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys = false, $proxy, $zipconf = false, $outpass = "") {
+ global $config, $input_errors, $g;
// lookup server settings
$settings = $config['openvpn']['openvpn-server'][$srvid];
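Review bot: The new `$zipconf = false, $outpass = ""` parameters are appended after `$proxy`, which still has no default, so `$nokeys = false` before it is effectively not optional and every caller must keep passing the full positional list; giving `$proxy` a default to match (`$proxy = ""`, the same initial value the caller in vpn_openvpn_export.php uses) makes the optional tail consistent. The rest of openvpn_client_export_config's body lies outside this hunk.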
@@ -109,10 +113,12 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
}
// lookup user info
- $user =& $config['system']['user'][$usrid];
- if (!$user) {
- $input_errors[] = "Could not find user settings.";
- return false;
+ if ($usrid) {
+ $user =& $config['system']['user'][$usrid];
+ if (!$user) {
+ $input_errors[] = "Could not find user settings.";
+ return false;
+ }
}
// determine basic variables
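Review bot: `if ($usrid)` treats the string "0" — the index of the first entry in `$config['system']['user']`, which is exactly what `$_GET['usrid']` carries for that user — as "no user", so the lookup is skipped and `$user` stays undefined for that one account; the same test is introduced in the installer (L147) and Viscosity (L223) hunks. Test for presence rather than truthiness, e.g. `if ($usrid !== null && $usrid !== "")`. The function continues outside this hunk.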
@@ -177,12 +183,11 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
} else {
$conf .= "pkcs12 {$prefix}.p12\n";
}
- }
+ } else if ($settings['mode'] == "server_user")
+ $conf .= "ca {$prefix}-ca.crt\n";
- if($nokeys == false) {
- if ($settings['tls'])
- $conf .= "tls-auth {$prefix}-tls.key\n";
- }
+ if ($settings['tls'])
+ $conf .= "tls-auth {$prefix}-tls.key 1\n";
// add optional settings
if ($settings['compression'])
@@ -190,37 +195,86 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke
if ($settings['passtos'])
$conf .= "passtos\n";
- return $conf;
+ if ($zipconf == true) {
+ // create template directory
+ $tempdir = "{$g['tmp_path']}/{$prefix}";
+ mkdir($tempdir, 0700, true);
+
+ file_put_contents("{$tempdir}/{$prefix}-ovpn.conf", $conf);
+
+ file_put_contents("{$tempdir}/{$prefix}-ca.crt", base64_decode($server_ca['crt']));
+ if ($settings['tls']) {
+ $tlsfile = "{$tempdir}/{$prefix}-tls.key";
+ file_put_contents($tlsfile, base64_decode($settings['tls']));
+ }
+
+ // write key files
+ if ($settings['mode'] != "server_user") {
+ $crtfile = "{$tempdir}/{$prefix}-cert.crt";
+ file_put_contents($crtfile, base64_decode($cert['crt']));
+ $keyfile = "{$tempdir}/{$prefix}.key";
+ file_put_contents($keyfile, base64_decode($cert['prv']));
+
+ // convert to pkcs12 format
+ $p12file = "{$tempdir}/{$prefix}.p12";
+ if ($usetoken)
+ openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile);
+ else
+ openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile);
+
+ exec("cd {$tempdir}/.. && /usr/local/bin/zip -r {$g['tmp_path']}/{$prefix}-config.zip {$prefix}");
+
+ // Remove temporary directory
+ exec("rm -rf {$tempdir}");
+ return "{$prefix}-config.zip";
+ }
+ } else
+ return $conf;
}
function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $usetoken, $outpass, $proxy) {
- global $config, $g;
+ global $config, $g, $input_errors;
$ovpndir = "/usr/local/share/openvpn";
$workdir = "{$ovpndir}/client-export";
// lookup server settings
$settings = $config['openvpn']['openvpn-server'][$srvid];
- if (empty($settings))
+ if (empty($settings)) {
+ $input_errors[] = "Could not find a valid server config for id: {$srvid}";
return false;
- if ($settings['disable'])
+ }
+ if ($settings['disable']) {
+ $input_errors[] = "This server is disabled.";
return false;
+ }
+
+ $nokeys = false;
// lookup server certificate info
$server_cert =& lookup_cert($settings['certref']);
$server_ca =& lookup_ca($server_cert['caref']);
- if (!$server_cert || !$server_ca)
+ if (!$server_cert || !$server_ca) {
+ $input_errors[] = "Could not find a valid certificate.";
return false;
+ }
// lookup user info
- $user =& $config['system']['user'][$usrid];
- if (!$user)
- return false;
+ if ($usrid) {
+ $user =& $config['system']['user'][$usrid];
+ if (!$user) {
+ $input_errors[] = "Could not find the details about userid: {$usrid}";
+ return false;
+ }
+ }
// lookup user certificate info
- $cert =& $user['cert'][$crtid];
- if (!$cert)
- return false;
+ if ($settings['mode'] != "server_user") {
+ $cert =& $user['cert'][$crtid];
+ if (!$cert)
+ return false;
+ } else
+ $nokeys = true;
// create template directory
$tempdir = $g['tmp_path'] . "/openvpn-export-".uniqid();
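Review bot: In the `$zipconf` branch the `zip` exec, the `rm -rf` and the `return "{$prefix}-config.zip"` sit inside `if ($settings['mode'] != "server_user")`, so a server_user export with `$zipconf` set writes the config and CA into the temp directory, never builds the archive, leaves the directory behind and falls off the end returning null, which the caller reports as "Failed to export config files!"; those three lines belong after the block's closing brace. `$cafile` is passed to `openvpn_client_pem_to_pk12` in the `else` arm but nothing in this branch assigns it (the CA is written through a literal path), so unless it is set earlier in the function the non-token PKCS#12 is built without the CA — add `$cafile = "{$tempdir}/{$prefix}-ca.crt";` and use it in the `file_put_contents`. The temp directory and zip use the fixed name `{$g['tmp_path']}/{$prefix}` rather than the `uniqid()` form the installer below uses, so two concurrent exports of the same server share and delete each other's directory, and `$tempdir`/`$prefix` are interpolated into `exec()` unescaped — wrap them with `escapeshellarg()`. The start of openvpn_client_export_config is outside this hunk.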
@@ -243,30 +297,34 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $uset
$pwdfle .= "{$proxy['password']}\n";
file_put_contents("{$confdir}/{$proxy['passwdfile']}", $pwdfle);
}
- $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, false, $proxy);
- if (!$conf)
+ $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys, $proxy);
+ if (!$conf) {
+ $input_errors[] = "Could not create a config to export.";
return false;
+ }
file_put_contents($cfgfile, $conf);
- // write key files
$cafile = "{$tempdir}/config/{$prefix}-ca.crt";
file_put_contents($cafile, base64_decode($server_ca['crt']));
- $crtfile = "{$tempdir}/config/{$prefix}-{$user['name']}.crt";
- file_put_contents($crtfile, base64_decode($cert['crt']));
- $keyfile = "{$tempdir}/config/{$prefix}-{$user['name']}.key";
- file_put_contents($keyfile, base64_decode($cert['prv']));
if ($settings['tls']) {
$tlsfile = "{$tempdir}/config/{$prefix}-tls.key";
file_put_contents($tlsfile, base64_decode($settings['tls']));
}
- // convert to pkcs12 format
- $p12file = "{$tempdir}/config/{$prefix}.p12";
- if ($usetoken)
- openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile);
- else
- openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile);
+ // write key files
+ if ($settings['mode'] != "server_user") {
+ $crtfile = "{$tempdir}/config/{$prefix}-{$user['name']}.crt";
+ file_put_contents($crtfile, base64_decode($cert['crt']));
+ $keyfile = "{$tempdir}/config/{$prefix}-{$user['name']}.key";
+ file_put_contents($keyfile, base64_decode($cert['prv']));
+ // convert to pkcs12 format
+ $p12file = "{$tempdir}/{$prefix}.p12";
+ if ($usetoken)
+ openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile);
+ else
+ openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile);
+ }
// 7zip the configuration data
chdir($tempdir);
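Review bot: `$p12file` now points at `{$tempdir}/{$prefix}.p12` while the CA, certificate, key and TLS files in the same block stay under `{$tempdir}/config/`, and the config exported for this installer references `pkcs12 {$prefix}.p12` relative to the config; if the 7z step that follows (`chdir($tempdir)` then archiving `$files`) only packages the `config` directory, the PKCS#12 will be missing from the installer. Please confirm against the `$files` list, or keep the previous `{$tempdir}/config/{$prefix}.p12`. openvpn_client_export_installer continues outside this hunk.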
@@ -278,6 +336,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $uset
$files .= "procchain-import";
else
$files .= "procchain-standard";
+
exec("/usr/local/libexec/p7zip/7z -y a archive.7z {$files}");
// create the final installer
@@ -316,14 +375,18 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead
return false;
// lookup user info
- $user =& $config['system']['user'][$usrid];
- if (!$user)
- return false;
+ if ($usrid) {
+ $user =& $config['system']['user'][$usrid];
+ if (!$user)
+ return false;
+ }
// lookup user certificate info
- $cert =& $user['cert'][$crtid];
- if (!$cert)
- return false;
+ if ($settings['mode'] != "server_user") {
+ $cert =& $user['cert'][$crtid];
+ if (!$cert)
+ return false;
+ }
// create template directory
mkdir($tempdir, 0700, true);
@@ -357,12 +420,15 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead
EOF;
$configfile = "{$tempdir}/config.conf";
- $conf .= <<<EOF
+ $conf .= "ca ca.crt\n";
+ $conf .= "tls-auth ta.key 1\n";
+ if ($settings['mode'] != "server_user") {
+ $conf .= <<<EOF
cert cert.crt
-tls-auth ta.key
-ca ca.crt
key key.key
EOF;
+ }
+
file_put_contents($configfile, $visc_settings . "\n" . $conf);
// ca.crt cert.crt config.conf key.key ta.key
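Review bot: `tls-auth ta.key 1` is appended unconditionally, but `ta.key` is only written inside `if ($settings['tls'])` (visible at the end of the next hunk), so a server without a TLS key gets a Viscosity config that references a file the bundle does not contain. The old heredoc had the same unconditional line, but since this rewrite replaces it, guard it here: `if ($settings['tls']) $conf .= "tls-auth ta.key 1\n";`. viscosity_openvpn_client_config_exporter starts and ends outside this hunk.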
@@ -371,13 +437,16 @@ EOF;
$cafile = "{$tempdir}/ca.crt";
file_put_contents($cafile, base64_decode($server_ca['crt']));
- // write user .crt
- $crtfile = "{$tempdir}/cert.crt";
- file_put_contents($crtfile, base64_decode($cert['crt']));
+ if ($settings['mode'] != "server_user") {
- // write user .key
- $keyfile = "{$tempdir}/key.key";
- file_put_contents($keyfile, base64_decode($cert['prv']));
+ // write user .crt
+ $crtfile = "{$tempdir}/cert.crt";
+ file_put_contents($crtfile, base64_decode($cert['crt']));
+
+ // write user .key
+ $keyfile = "{$tempdir}/key.key";
+ file_put_contents($keyfile, base64_decode($cert['prv']));
+ }
// TLS support?
if ($settings['tls']) {
diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php
index 2af4da59..861dda89 100755
--- a/config/openvpn-client-export/vpn_openvpn_export.php
+++ b/config/openvpn-client-export/vpn_openvpn_export.php
@@ -67,8 +67,6 @@ foreach($a_server as $sindex => & $server) {
$ras_user[] = $ras_userent;
}
}
- if (!count($ras_user))
- continue;
$ras_serverent = array();
$prot = $server['protocol'];
$port = $server['local_port'];
@@ -79,6 +77,7 @@ foreach($a_server as $sindex => & $server) {
$ras_serverent['index'] = $sindex;
$ras_serverent['name'] = $name;
$ras_serverent['users'] = $ras_user;
+ $ras_serverent['mode'] = $server['mode'];
$ras_server[] = $ras_serverent;
}
@@ -91,14 +90,24 @@ if (isset($_POST['act']))
$act = $_POST['act'];
$error = false;
-if($act == "conf") {
+if($act == "conf" || $act == "confall") {
$srvid = $_GET['srvid'];
$usrid = $_GET['usrid'];
$crtid = $_GET['crtid'];
- if (($srvid === false) || ($usrid === false) || ($crtid === false)) {
+ if ($srvid === false) {
+ pfSenseHeader("vpn_openvpn_export.php");
+ exit;
+ } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") &&
+ (($usrid === false) || ($crtid === false))) {
pfSenseHeader("vpn_openvpn_export.php");
exit;
}
+
+ if ($config['openvpn']['openvpn-server'][$srvid]['mode'] == "server_user")
+ $nokeys = true;
+ else
+ $nokeys = false;
+
if (empty($_GET['useaddr'])) {
$error = true;
$input_errors[] = "You need to specify an IP or hostname.";
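Review bot: `$srvid === false` never fires, because `$_GET['srvid']` is null when absent and a string otherwise, so the redirect is dead code and `$config['openvpn']['openvpn-server'][$srvid]['mode']` is read with an unvalidated index on the next line; the same guards are repeated in the `visc` (L371) and `inst` (L398) hunks. Check presence and existence of the server entry instead: `if (!isset($_GET['srvid']) || !isset($config['openvpn']['openvpn-server'][$srvid])) { pfSenseHeader("vpn_openvpn_export.php"); exit; }`, and apply the same `isset` form to `usrid`/`crtid`.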
@@ -106,6 +115,9 @@ if($act == "conf") {
$useaddr = $_GET['useaddr'];
$usetoken = $_GET['usetoken'];
+ $password = "";
+ if ($_GET['password'])
+ $password = $_GET['password'];
$proxy = "";
if (!empty($_GET['proxy_addr']) || !empty($_GET['proxy_port'])) {
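Review bot: The PKCS#12 passphrase is read from `$_GET['password']`, so it travels in the request URL and ends up in the web server access log and the browser history. Since `download_begin` builds this URL client-side, submitting the export as a POST form and reading `$_POST['password']` keeps the passphrase out of both; the `visc` path below reads it the same way and would benefit from the same change.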
@@ -136,20 +148,31 @@ if($act == "conf") {
}
$exp_name = openvpn_client_export_prefix($srvid);
- $exp_data = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, false, $proxy);
+ if ($act == "confall")
+ $zipconf = true;
+ $exp_data = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys, $proxy, $zipconf, $password);
if (!$exp_data) {
$input_errors[] = "Failed to export config files!";
$error = true;
}
if (!$error) {
- $exp_name = urlencode($exp_name."-config.ovpn");
- $exp_size = strlen($exp_data);
+ if ($act == "confall") {
+ $exp_name = urlencode($exp_data);
+ $exp_size = filesize("{$g['tmp_path']}/{$exp_data}");
+ } else {
+ $exp_name = urlencode($exp_name."-config.ovpn");
+ $exp_size = strlen($exp_data);
+ }
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename={$exp_name}");
header("Content-Length: $exp_size");
- echo $exp_data;
+ if ($act == "confall")
+ readfile("{$g['tmp_path']}/{$exp_data}");
+ else
+ echo $exp_data;
+ @unlink($exp_data);
exit;
}
}
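Review bot: `@unlink($exp_data)` receives the bare file name returned by the export, but the archive was written to `{$g['tmp_path']}/{$exp_data}` (the path `readfile` uses two lines above), so the zip — which carries the PKCS#12 with the user's private key — is left in the temp directory; in the plain `conf` case `$exp_data` is the config text itself, so the call is a silent no-op on a nonsense path. Move the cleanup into the archive branch: `if ($act == "confall") { readfile("{$g['tmp_path']}/{$exp_data}"); @unlink("{$g['tmp_path']}/{$exp_data}"); } else echo $exp_data;`. `$zipconf` is only assigned when `$act == "confall"`, so initialise it with `$zipconf = false;` before that `if` rather than passing an undefined variable.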
@@ -158,10 +181,14 @@ if($act == "visc") {
$srvid = $_GET['srvid'];
$usrid = $_GET['usrid'];
$crtid = $_GET['crtid'];
- if (($srvid === false) || ($usrid === false) || ($crtid === false)) {
- pfSenseHeader("vpn_openvpn_export.php");
- exit;
- }
+ if ($srvid === false) {
+ pfSenseHeader("vpn_openvpn_export.php");
+ exit;
+ } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") &&
+ (($usrid === false) || ($crtid === false))) {
+ pfSenseHeader("vpn_openvpn_export.php");
+ exit;
+ }
if (empty($_GET['useaddr'])) {
$error = true;
$input_errors[] = "You need to specify an IP or hostname.";
@@ -171,7 +198,7 @@ if($act == "visc") {
$usetoken = $_GET['usetoken'];
$password = "";
if ($_GET['password'])
- $password = $_GET['password']; ;
+ $password = $_GET['password'];
$proxy = "";
if (!empty($_GET['proxy_addr']) || !empty($_GET['proxy_port'])) {
@@ -224,10 +251,14 @@ if($act == "inst") {
$srvid = $_GET['srvid'];
$usrid = $_GET['usrid'];
$crtid = $_GET['crtid'];
- if (($srvid === false) || ($usrid === false) || ($crtid === false)) {
- pfSenseHeader("vpn_openvpn_export.php");
- exit;
- }
+ if ($srvid === false) {
+ pfSenseHeader("vpn_openvpn_export.php");
+ exit;
+ } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") &&
+ (($usrid === false) || ($crtid === false))) {
+ pfSenseHeader("vpn_openvpn_export.php");
+ exit;
+ }
if (empty($_GET['useaddr'])) {
$error = true;
$input_errors[] = "You need to specify an IP or hostname.";
@@ -301,12 +332,13 @@ var servers = new Array();
servers[<?=$sindex;?>] = new Array();
servers[<?=$sindex;?>][0] = '<?=$server['index'];?>';
servers[<?=$sindex;?>][1] = new Array();
+servers[<?=$sindex;?>][2] = '<?=$server['mode'];?>';;
<?php foreach ($server['users'] as $uindex => & $user): ?>
servers[<?=$sindex;?>][1][<?=$uindex;?>] = new Array();
servers[<?=$sindex;?>][1][<?=$uindex;?>][0] = '<?=$user['uindex'];?>';
servers[<?=$sindex;?>][1][<?=$uindex;?>][1] = '<?=$user['cindex'];?>';
servers[<?=$sindex;?>][1][<?=$uindex;?>][2] = '<?=$user['name'];?>';
-servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = '<?=$user['certname'];?>';
+servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = '<?=str_replace("'", "\\'", $user['certname']);?>';
<? endforeach; ?>
<? endforeach; ?>
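Review bot: The hand-rolled `str_replace("'", "\\'", ...)` only covers single quotes, so a backslash, newline or `</script>` in `$user['certname']` still breaks out of the JS string literal, and the neighbouring `$user['name']` and the new `$server['mode']` value are not escaped at all. Emit these values with `json_encode()`, which produces a complete quoted JS literal (drop the surrounding quotes): `servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = <?=json_encode($user['certname']);?>;`. The mode line also ends in a stray `;;`.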
@@ -384,8 +416,10 @@ function download_begin(act, i) {
var dlurl;
dlurl = "/vpn_openvpn_export.php?act=" + act;
dlurl += "&srvid=" + servers[index][0];
- dlurl += "&usrid=" + users[i][0];
- dlurl += "&crtid=" + users[i][1];
+ if (users[i]) {
+ dlurl += "&usrid=" + users[i][0];
+ dlurl += "&crtid=" + users[i][1];
+ }
dlurl += "&useaddr=" + useaddr;
dlurl += "&usetoken=" + usetoken;
if (usepass)
@@ -421,12 +455,32 @@ function server_changed() {
cell1.className = "listr";
cell1.innerHTML = users[i][3];
cell2.className = "listr";
- cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>";
+ cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>";
+ cell2.innerHTML += "&nbsp;/&nbsp;";
+ cell2.innerHTML += "<a href='javascript:download_begin(\"confall\"," + i + ")'>Configuration archive</a>";
cell2.innerHTML += "&nbsp;/&nbsp;";
cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>Windows Installer</a>";
cell2.innerHTML += "&nbsp;/&nbsp;";
cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle</a>";
}
+ if (servers[index][2] == 'server_user') {
+ var row = table.insertRow(table.rows.length);
+ var cell0 = row.insertCell(0);
+ var cell1 = row.insertCell(1);
+ var cell2 = row.insertCell(2);
+ cell0.className = "listlr";
+ cell0.innerHTML = "External authentication users";
+ cell1.className = "listr";
+ cell1.innerHTML = "none";
+ cell2.className = "listr";
+ cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>";
+ cell2.innerHTML += "&nbsp;/&nbsp;";
+ cell2.innerHTML += "<a href='javascript:download_begin(\"confall\"," + i + ")'>Configuration archive</a>";
+ cell2.innerHTML += "&nbsp;/&nbsp;";
+ cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>Windows Installer</a>";
+ cell2.innerHTML += "&nbsp;/&nbsp;";
+ cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle</a>";
+ }
}
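Review bot: The added "External authentication users" row passes the loop variable `i` to `download_begin` after the `for` loop over users has finished, so it only works because `i` happens to equal `users.length` and `users[i]` is then undefined inside `download_begin`. Pass an explicit sentinel instead (`download_begin(\"conf\", -1)`) and test `if (i >= 0 && users[i])` there, so the intent is visible and does not depend on the loop's final state. server_changed starts outside this hunk.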
function useaddr_changed(obj) {
@@ -449,7 +503,7 @@ function usepass_changed() {
function useproxy_changed(obj) {
if ((obj.id == "useproxy" && obj.checked) ||
- $(obj.id).value != 'none') {
+ $(obj.id + 'pass').value != 'none') {
$(obj.id + '_opts').show();
} else {
$(obj.id + '_opts').hide();
@@ -505,7 +559,7 @@ function useproxy_changed(obj) {
<div style="display:none;" name="HostName" id="HostName">
<input name="useaddr_hostname" id="useaddr_hostname" />
<span class="vexpl">
- Enter the hostname or ip address desired to be used for the config.
+ Enter the hostname or IP address the client will use to connect to this server.
</span>
</div>
</td>
@@ -584,7 +638,7 @@ function useproxy_changed(obj) {
<tr>
<td align="right" width='25%'>
<span class="vexpl">
- &nbsp; Ip Addr :&nbsp;
+ &nbsp; IP Address :&nbsp;
</span>
</td>
<td>