Diffstat (limited to 'config/openvpn-client-export')
-rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.inc | 169 | ||||
-rwxr-xr-x | config/openvpn-client-export/vpn_openvpn_export.php | 102 |
2 files changed, 197 insertions, 74 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index 15096e6c..ddc97025 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -35,6 +35,7 @@ require_once("globals.inc"); require_once("openvpn.inc"); function openvpn_client_export_install() { + conf_mount_rw(); $tarpath = "/tmp/openvpn-client-export.tgz"; $phpfile = "vpn_openvpn_export.php"; $ovpndir = "/usr/local/share/openvpn"; @@ -45,15 +46,18 @@ function openvpn_client_export_install() { exec("/usr/bin/tar zxf {$tarpath} -C {$ovpndir}"); unlink($tarpath); + conf_mount_ro(); } function openvpn_client_export_deinstall() { + conf_mount_rw(); $phpfile = "vpn_openvpn_export.php"; $ovpndir = "/usr/local/share/openvpn"; $workdir = "{$ovpndir}/client-export"; unlink_if_exists("/usr/local/www/{$phpfile}"); exec("/bin/rm -r {$workdir}"); + conf_mount_ro(); } function openvpn_client_export_prefix($srvid) { @@ -86,8 +90,8 @@ function openvpn_client_pem_to_pk12($outpath, $outpass, $crtpath, $keypath, $cap unlink($capath); } -function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys = false, $proxy) { - global $config, $input_errors; +function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys = false, $proxy, $zipconf = false, $outpass = "") { + global $config, $input_errors, $g; // lookup server settings $settings = $config['openvpn']['openvpn-server'][$srvid]; @@ -109,10 +113,12 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke } // lookup user info - $user =& $config['system']['user'][$usrid]; - if (!$user) { - $input_errors[] = "Could not find user settings."; - return false; + if ($usrid) { + $user =& $config['system']['user'][$usrid]; + if (!$user) { + $input_errors[] = "Could not find user settings."; + return false; + } } // determine basic variables 
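Review bot: The new `$outpass = ""` default on openvpn_client_export_config means a zipped export requested without a password hands `""` to openvpn_client_pem_to_pk12 (hunk @@ -190), so the PKCS#12 bundle in the archive carries the client private key under an empty password; how the helper treats an empty passphrase is outside this hunk, so please confirm. Either require a non-empty `$outpass` whenever `$zipconf` is set, or record the consequence above the signature: `// $outpass: PKCS#12 export password; empty leaves the .p12 in the zip unprotected`. Separately, `$nokeys = false` still precedes the required `$proxy`, so PHP treats `$nokeys` as required at every call site; the two new optional parameters are correctly placed after `$proxy`, but `$proxy` should gain a default or `$nokeys` lose its own.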
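Review bot: `if ($usrid) {` in openvpn_client_export_config skips the user lookup whenever `$usrid` is `"0"` or `0`, and index 0 is a legitimate key of `$config['system']['user']`, so an export for the first user proceeds with `$user` unset; the same guard is added in openvpn_client_export_installer (hunk @@ -190) and viscosity_openvpn_client_config_exporter (hunk @@ -316). The intent is evidently to skip the lookup only for `server_user` servers, which is exactly what the certificate lookup in the installer hunk keys on, so gate on the mode rather than on truthiness: `if ($settings['mode'] != "server_user") {`. The rest of the function, where `$user` and `$cert` are consumed, lies outside this hunk.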
@@ -177,12 +183,11 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke } else { $conf .= "pkcs12 {$prefix}.p12\n"; } - } + } else if ($settings['mode'] == "server_user") + $conf .= "ca {$prefix}-ca.crt\n"; - if($nokeys == false) { - if ($settings['tls']) - $conf .= "tls-auth {$prefix}-tls.key\n"; - } + if ($settings['tls']) + $conf .= "tls-auth {$prefix}-tls.key 1\n"; // add optional settings if ($settings['compression']) 
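Review bot: `$conf .= "tls-auth {$prefix}-tls.key 1\n";` now hard-codes key direction 1 for every export, which only pairs with a server that uses direction 0; the server-side directive is not visible in this hunk, so confirm that pfSense emits `tls-auth ... 0` on the server before pinning the client to 1, since a mismatched direction fails the handshake with no obvious error. With the `$nokeys` guard removed, this block no longer consults `$nokeys` at all, so either the parameter has another consumer elsewhere in the function or it is dead here. A comment such as `// key direction 1 assumes the server side uses direction 0` would record the assumption, and the brace-less `else if` / `if` departs from the braced style of the surrounding lines.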
@@ -190,37 +195,86 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoke if ($settings['passtos']) $conf .= "passtos\n"; - return $conf; + if ($zipconf == true) { + // create template directory + $tempdir = "{$g['tmp_path']}/{$prefix}"; + mkdir($tempdir, 0700, true); + + file_put_contents("{$tempdir}/{$prefix}-ovpn.conf", $conf); + + file_put_contents("{$tempdir}/{$prefix}-ca.crt", base64_decode($server_ca['crt'])); + if ($settings['tls']) { + $tlsfile = "{$tempdir}/{$prefix}-tls.key"; + file_put_contents($tlsfile, base64_decode($settings['tls'])); + } + + // write key files + if ($settings['mode'] != "server_user") { + $crtfile = "{$tempdir}/{$prefix}-cert.crt"; + file_put_contents($crtfile, base64_decode($cert['crt'])); + $keyfile = "{$tempdir}/{$prefix}.key"; + file_put_contents($keyfile, base64_decode($cert['prv'])); + + // convert to pkcs12 format + $p12file = "{$tempdir}/{$prefix}.p12"; + if ($usetoken) + openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile); + else + openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile); + + exec("cd {$tempdir}/.. 
&& /usr/local/bin/zip -r {$g['tmp_path']}/{$prefix}-config.zip {$prefix}"); + + // Remove temporary directory + exec("rm -rf {$tempdir}"); + return "{$prefix}-config.zip"; + } + } else + return $conf; } function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $usetoken, $outpass, $proxy) { - global $config, $g; + global $config, $g, $input_errors; $ovpndir = "/usr/local/share/openvpn"; $workdir = "{$ovpndir}/client-export"; // lookup server settings $settings = $config['openvpn']['openvpn-server'][$srvid]; - if (empty($settings)) + if (empty($settings)) { + $input_errors[] = "Could not find a valid server config for id: {$srvid}"; return false; - if ($settings['disable']) + } + if ($settings['disable']) { + $input_errors[] = "This server is disabled."; return false; + } + + $nokeys = false; // lookup server certificate info $server_cert =& lookup_cert($settings['certref']); $server_ca =& lookup_ca($server_cert['caref']); - if (!$server_cert || !$server_ca) + if (!$server_cert || !$server_ca) { + $input_errors[] = "Could not find a valid certificate."; return false; + } // lookup user info - $user =& $config['system']['user'][$usrid]; - if (!$user) - return false; + if ($usrid) { + $user =& $config['system']['user'][$usrid]; + if (!$user) { + $input_errors[] = "Could not find the details about userid: {$usrid}"; + return false; + } + } // lookup user certificate info - $cert =& $user['cert'][$crtid]; - if (!$cert) - return false; + if ($settings['mode'] != "server_user") { + $cert =& $user['cert'][$crtid]; + if (!$cert) + return false; + } else + $nokeys = true; // create template directory $tempdir = $g['tmp_path'] . "/openvpn-export-".uniqid(); 
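Review bot: In the `$zipconf` branch the `zip` call, the `rm -rf` of `$tempdir` and `return "{$prefix}-config.zip";` all sit inside `if ($settings['mode'] != "server_user") {`, so a `confall` export for a server_user server writes the conf, CA and TLS key into `{$g['tmp_path']}/{$prefix}`, never archives them, never removes the directory, and falls off the end returning nothing, which the caller reports as "Failed to export config files!". The pkcs12 conversion in that block also passes `$cafile`, which this function never assigns (the CA is written to `"{$tempdir}/{$prefix}-ca.crt"` inline), so the non-token path hands an undefined value to openvpn_client_pem_to_pk12. The directory name `{$g['tmp_path']}/{$prefix}` is predictable and the `mkdir(..., 0700, true)` result is unchecked, unlike the `uniqid()`-based directory the installer creates a few lines below; at minimum the failure should abort before key material is written. The archive itself is left in `$g['tmp_path']` for the caller to delete.
```php
	if ($zipconf == true) {
		$tempdir = "{$g['tmp_path']}/{$prefix}";
		if (!mkdir($tempdir, 0700, true)) {
			$input_errors[] = "Could not create temporary export directory.";
			return false;
		}
		file_put_contents("{$tempdir}/{$prefix}-ovpn.conf", $conf);
		// keep the CA path; the pkcs12 conversion below needs it
		$cafile = "{$tempdir}/{$prefix}-ca.crt";
		file_put_contents($cafile, base64_decode($server_ca['crt']));
		// … unchanged: tls key write …
		if ($settings['mode'] != "server_user") {
			// … unchanged: cert/key writes and pkcs12 conversion using $cafile …
		}
		// archive and clean up for every mode, not only when client keys exist
		exec("cd {$tempdir}/.. && /usr/local/bin/zip -r {$g['tmp_path']}/{$prefix}-config.zip {$prefix}");
		exec("rm -rf {$tempdir}");
		return "{$prefix}-config.zip";
	}
	return $conf;
```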
@@ -243,30 +297,34 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $uset $pwdfle .= "{$proxy['password']}\n"; file_put_contents("{$confdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, false, $proxy); - if (!$conf) + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys, $proxy); + if (!$conf) { + $input_errors[] = "Could not create a config to export."; return false; + } file_put_contents($cfgfile, $conf); - // write key files $cafile = "{$tempdir}/config/{$prefix}-ca.crt"; file_put_contents($cafile, base64_decode($server_ca['crt'])); - $crtfile = "{$tempdir}/config/{$prefix}-{$user['name']}.crt"; - file_put_contents($crtfile, base64_decode($cert['crt'])); - $keyfile = "{$tempdir}/config/{$prefix}-{$user['name']}.key"; - file_put_contents($keyfile, base64_decode($cert['prv'])); if ($settings['tls']) { $tlsfile = "{$tempdir}/config/{$prefix}-tls.key"; file_put_contents($tlsfile, base64_decode($settings['tls'])); } - // convert to pkcs12 format - $p12file = "{$tempdir}/config/{$prefix}.p12"; - if ($usetoken) - openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile); - else - openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile); + // write key files + if ($settings['mode'] != "server_user") { + $crtfile = "{$tempdir}/config/{$prefix}-{$user['name']}.crt"; + file_put_contents($crtfile, base64_decode($cert['crt'])); + $keyfile = "{$tempdir}/config/{$prefix}-{$user['name']}.key"; + file_put_contents($keyfile, base64_decode($cert['prv'])); + // convert to pkcs12 format + $p12file = "{$tempdir}/{$prefix}.p12"; + if ($usetoken) + openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile); + else + openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile); + } // 7zip the configuration data chdir($tempdir); 
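Review bot: `$p12file = "{$tempdir}/{$prefix}.p12";` drops the `config/` subdirectory the removed line used, while `$cafile`, `$crtfile` and `$keyfile` in the same block still go under `{$tempdir}/config/`; the generated conf refers to `pkcs12 {$prefix}.p12` relative to the config directory (hunk @@ -177), so unless the packaging after this hunk moves the file, the installer ships without its PKCS#12 bundle. If the relocation is deliberate it deserves a comment; otherwise restore `$p12file = "{$tempdir}/config/{$prefix}.p12";`. The 7zip packaging that would settle this begins at `chdir($tempdir)` at the end of the hunk and continues outside it.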
@@ -278,6 +336,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $uset $files .= "procchain-import"; else $files .= "procchain-standard"; + exec("/usr/local/libexec/p7zip/7z -y a archive.7z {$files}"); // create the final installer @@ -316,14 +375,18 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead return false; // lookup user info - $user =& $config['system']['user'][$usrid]; - if (!$user) - return false; + if ($usrid) { + $user =& $config['system']['user'][$usrid]; + if (!$user) + return false; + } // lookup user certificate info - $cert =& $user['cert'][$crtid]; - if (!$cert) - return false; + if ($settings['mode'] != "server_user") { + $cert =& $user['cert'][$crtid]; + if (!$cert) + return false; + } // create template directory mkdir($tempdir, 0700, true); @@ -357,12 +420,15 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead EOF; $configfile = "{$tempdir}/config.conf"; - $conf .= <<<EOF + $conf .= "ca ca.crt\n"; + $conf .= "tls-auth ta.key 1\n"; + if ($settings['mode'] != "server_user") { + $conf .= <<<EOF cert cert.crt -tls-auth ta.key -ca ca.crt key key.key EOF; + } + file_put_contents($configfile, $visc_settings . "\n" . $conf); // ca.crt cert.crt config.conf key.key ta.key @@ -371,13 +437,16 @@ EOF; $cafile = "{$tempdir}/ca.crt"; file_put_contents($cafile, base64_decode($server_ca['crt'])); - // write user .crt - $crtfile = "{$tempdir}/cert.crt"; - file_put_contents($crtfile, base64_decode($cert['crt'])); + if ($settings['mode'] != "server_user") { - // write user .key - $keyfile = "{$tempdir}/key.key"; - file_put_contents($keyfile, base64_decode($cert['prv'])); + // write user .crt + $crtfile = "{$tempdir}/cert.crt"; + file_put_contents($crtfile, base64_decode($cert['crt'])); + + // write user .key + $keyfile = "{$tempdir}/key.key"; + file_put_contents($keyfile, base64_decode($cert['prv'])); + } // TLS support? if ($settings['tls']) { 
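Review bot: `$conf .= "tls-auth ta.key 1\n";` is now emitted for every Viscosity bundle, but `ta.key` is only written inside the `// TLS support? if ($settings['tls'])` block visible at the end of the last hunk on this line, so a server without TLS auth gets a config that references a file missing from the bundle and the client will not start. The removed heredoc carried the same unconditional line, so this is pre-existing, but since the line is being rewritten it should be guarded: `if ($settings['tls']) $conf .= "tls-auth ta.key 1\n";`. The `if ($usrid)` guard in the @@ -316 hunk shares the index-0 problem raised on openvpn_client_export_config.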
diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index 2af4da59..861dda89 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -67,8 +67,6 @@ foreach($a_server as $sindex => & $server) { $ras_user[] = $ras_userent; } } - if (!count($ras_user)) - continue; $ras_serverent = array(); $prot = $server['protocol']; $port = $server['local_port']; @@ -79,6 +77,7 @@ foreach($a_server as $sindex => & $server) { $ras_serverent['index'] = $sindex; $ras_serverent['name'] = $name; $ras_serverent['users'] = $ras_user; + $ras_serverent['mode'] = $server['mode']; $ras_server[] = $ras_serverent; } @@ -91,14 +90,24 @@ if (isset($_POST['act'])) $act = $_POST['act']; $error = false; -if($act == "conf") { +if($act == "conf" || $act == "confall") { $srvid = $_GET['srvid']; $usrid = $_GET['usrid']; $crtid = $_GET['crtid']; - if (($srvid === false) || ($usrid === false) || ($crtid === false)) { + if ($srvid === false) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") && + (($usrid === false) || ($crtid === false))) { pfSenseHeader("vpn_openvpn_export.php"); exit; } + + if ($config['openvpn']['openvpn-server'][$srvid]['mode'] == "server_user") + $nokeys = true; + else + $nokeys = false; + if (empty($_GET['useaddr'])) { $error = true; $input_errors[] = "You need to specify an IP or hostname."; @@ -106,6 +115,9 @@ if($act == "conf") { $useaddr = $_GET['useaddr']; $usetoken = $_GET['usetoken']; + $password = ""; + if ($_GET['password']) + $password = $_GET['password']; $proxy = ""; if (!empty($_GET['proxy_addr']) || !empty($_GET['proxy_port'])) { 
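Review bot: `if ($srvid === false)` can never be true, because a missing query parameter makes `$_GET['srvid']` null rather than false, so the redirect is dead and the new `$config['openvpn']['openvpn-server'][$srvid]['mode']` lookup on the next line runs with whatever string the client supplied; the same guard is repeated in the `visc` (hunk @@ -158) and `inst` (hunk @@ -224) branches. These ids are array indices into the config, so validate them as such before use: `if (!isset($_GET['srvid']) || !is_numeric($_GET['srvid']) || !isset($config['openvpn']['openvpn-server'][$_GET['srvid']])) {` and likewise `is_numeric` on `usrid`/`crtid` when the mode requires them, then cast with `(int)`. A numeric check also keeps a literal `"0"` user id valid, which the downstream `if ($usrid)` checks in the .inc file currently reject.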
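Review bot: `$password = $_GET['password'];` puts the PKCS#12 export password into the request URL for the new `conf`/`confall` actions, where it lands in web server access logs, browser history and any intermediate proxy; the `visc` branch already does the same (hunk @@ -171), so this extends an existing weakness rather than creating one. Since the page already reads `$_POST['act']`, the download form could submit the password (and the other parameters) via POST, or the handler could at least prefer `$_POST['password']` when present. Until then a comment at the assignment, `// password arrives in the query string and will appear in access logs`, keeps the trade-off visible to the next maintainer.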
@@ -136,20 +148,31 @@ if($act == "conf") { } $exp_name = openvpn_client_export_prefix($srvid); - $exp_data = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, false, $proxy); + if ($act == "confall") + $zipconf = true; + $exp_data = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $usetoken, $nokeys, $proxy, $zipconf, $password); if (!$exp_data) { $input_errors[] = "Failed to export config files!"; $error = true; } if (!$error) { - $exp_name = urlencode($exp_name."-config.ovpn"); - $exp_size = strlen($exp_data); + if ($act == "confall") { + $exp_name = urlencode($exp_data); + $exp_size = filesize("{$g['tmp_path']}/{$exp_data}"); + } else { + $exp_name = urlencode($exp_name."-config.ovpn"); + $exp_size = strlen($exp_data); + } header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: $exp_size"); - echo $exp_data; + if ($act == "confall") + readfile("{$g['tmp_path']}/{$exp_data}"); + else + echo $exp_data; + @unlink($exp_data); exit; } } @@ -158,10 +181,14 @@ if($act == "visc") { $srvid = $_GET['srvid']; $usrid = $_GET['usrid']; $crtid = $_GET['crtid']; - if (($srvid === false) || ($usrid === false) || ($crtid === false)) { - pfSenseHeader("vpn_openvpn_export.php"); - exit; - } + if ($srvid === false) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") && + (($usrid === false) || ($crtid === false))) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } if (empty($_GET['useaddr'])) { $error = true; $input_errors[] = "You need to specify an IP or hostname."; @@ -171,7 +198,7 @@ if($act == "visc") { $usetoken = $_GET['usetoken']; $password = ""; if ($_GET['password']) - $password = $_GET['password']; ; + $password = $_GET['password']; $proxy = ""; if (!empty($_GET['proxy_addr']) || !empty($_GET['proxy_port'])) { 
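Review bot: `@unlink($exp_data);` never removes the archive, because for `confall` `$exp_data` is the bare name `{$prefix}-config.zip` returned by openvpn_client_export_config while the file lives under `$g['tmp_path']` (the `readfile` two lines above uses the full path), and for `conf` `$exp_data` is the configuration text itself; the suppressed failure leaves a zip holding the client certificate, private key, TLS key and PKCS#12 bundle in the temp directory after every download. Replace it with `if ($act == "confall") @unlink("{$g['tmp_path']}/{$exp_data}");`. Separately, `$zipconf` is only assigned when `$act == "confall"`, so the plain `conf` path passes an undefined variable; initialise it as `$zipconf = ($act == "confall");` in place of the `if`.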
@@ -224,10 +251,14 @@ if($act == "inst") { $srvid = $_GET['srvid']; $usrid = $_GET['usrid']; $crtid = $_GET['crtid']; - if (($srvid === false) || ($usrid === false) || ($crtid === false)) { - pfSenseHeader("vpn_openvpn_export.php"); - exit; - } + if ($srvid === false) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") && + (($usrid === false) || ($crtid === false))) { + pfSenseHeader("vpn_openvpn_export.php"); + exit; + } if (empty($_GET['useaddr'])) { $error = true; $input_errors[] = "You need to specify an IP or hostname."; @@ -301,12 +332,13 @@ var servers = new Array(); servers[<?=$sindex;?>] = new Array(); servers[<?=$sindex;?>][0] = '<?=$server['index'];?>'; servers[<?=$sindex;?>][1] = new Array(); +servers[<?=$sindex;?>][2] = '<?=$server['mode'];?>';; <?php foreach ($server['users'] as $uindex => & $user): ?> servers[<?=$sindex;?>][1][<?=$uindex;?>] = new Array(); servers[<?=$sindex;?>][1][<?=$uindex;?>][0] = '<?=$user['uindex'];?>'; servers[<?=$sindex;?>][1][<?=$uindex;?>][1] = '<?=$user['cindex'];?>'; servers[<?=$sindex;?>][1][<?=$uindex;?>][2] = '<?=$user['name'];?>'; -servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = '<?=$user['certname'];?>'; +servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = '<?=str_replace("'", "\\'", $user['certname']);?>'; <? endforeach; ?> <? endforeach; ?> @@ -384,8 +416,10 @@ function download_begin(act, i) { var dlurl; dlurl = "/vpn_openvpn_export.php?act=" + act; dlurl += "&srvid=" + servers[index][0]; - dlurl += "&usrid=" + users[i][0]; - dlurl += "&crtid=" + users[i][1]; + if (users[i]) { + dlurl += "&usrid=" + users[i][0]; + dlurl += "&crtid=" + users[i][1]; + } dlurl += "&useaddr=" + useaddr; dlurl += "&usetoken=" + usetoken; if (usepass) 
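Review bot: `str_replace("'", "\\'", $user['certname'])` only escapes the apostrophe when embedding the certificate name in a JavaScript string literal; a backslash, newline or `</script>` sequence in the name still breaks out of the literal, and the neighbouring `$user['name']` and `$server['mode']` lines are not escaped at all. These values come from the firewall's own configuration, so exposure is limited to what an administrator enters, but the robust form is to let PHP produce the literal: `servers[<?=$sindex;?>][1][<?=$uindex;?>][3] = <?=json_encode($user['certname']);?>;` and the same for the other interpolated strings. The added `'<?=$server['mode'];?>';;` line also ends with a doubled semicolon.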
@@ -421,12 +455,32 @@ function server_changed() { cell1.className = "listr"; cell1.innerHTML = users[i][3]; cell2.className = "listr"; - cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>"; + cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>"; + cell2.innerHTML += " / "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confall\"," + i + ")'>Configuration archive</a>"; cell2.innerHTML += " / "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>Windows Installer</a>"; cell2.innerHTML += " / "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle</a>"; } + if (servers[index][2] == 'server_user') { + var row = table.insertRow(table.rows.length); + var cell0 = row.insertCell(0); + var cell1 = row.insertCell(1); + var cell2 = row.insertCell(2); + cell0.className = "listlr"; + cell0.innerHTML = "External authentication users"; + cell1.className = "listr"; + cell1.innerHTML = "none"; + cell2.className = "listr"; + cell2.innerHTML = "<a href='javascript:download_begin(\"conf\"," + i + ")'>Configuration</a>"; + cell2.innerHTML += " / "; + cell2.innerHTML += "<a href='javascript:download_begin(\"confall\"," + i + ")'>Configuration archive</a>"; + cell2.innerHTML += " / "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>Windows Installer</a>"; + cell2.innerHTML += " / "; + cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle</a>"; + } } function useaddr_changed(obj) { @@ -449,7 +503,7 @@ function usepass_changed() { function useproxy_changed(obj) { if ((obj.id == "useproxy" && obj.checked) || - $(obj.id).value != 'none') { + $(obj.id + 'pass').value != 'none') { $(obj.id + '_opts').show(); } else { $(obj.id + '_opts').hide(); 
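Review bot: The `External authentication users` row built after the loop calls `download_begin(\"conf\"," + i + ")` with the counter left over from the users loop, so it works only because `users[i]` happens to be undefined past the last user and `download_begin` (hunk @@ -384) then omits `usrid`/`crtid`; the declaration of `i` is outside this hunk, and if the loop never runs its value is not guaranteed. Pass an explicit sentinel instead, e.g. `download_begin(\"conf\", -1)`, and have `download_begin` treat a negative index as "no user". The four `innerHTML` lines in the new row also duplicate the loop body above; a small helper returning the link markup for an index would keep the two in step.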
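Review bot: `$(obj.id + 'pass').value != 'none'` looks up a different element than the removed line did (`obj.id` alone), and nothing in the hunk shows an element whose id ends in `pass` for the proxy controls; if that element does not exist, `.value` throws and the `_opts` block never toggles. The function serves both the proxy checkbox and, judging by the `'none'` comparison, an authentication select, so please confirm the intended id and add a line such as `// the proxy auth <select> is named <checkbox id>pass` if it is correct.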
@@ -505,7 +559,7 @@ function useproxy_changed(obj) { <div style="display:none;" name="HostName" id="HostName"> <input name="useaddr_hostname" id="useaddr_hostname" /> <span class="vexpl"> - Enter the hostname or ip address desired to be used for the config. + Enter the hostname or IP address the client will use to connect to this server. </span> </div> </td> @@ -584,7 +638,7 @@ function useproxy_changed(obj) { <tr> <td align="right" width='25%'> <span class="vexpl"> - Ip Addr : + IP Address : </span> </td> <td> |