Diffstat (limited to 'config/openvpn-client-export')
-rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.inc | 179 | ||||
-rwxr-xr-x | config/openvpn-client-export/openvpn-client-export.xml | 2 | ||||
-rwxr-xr-x | config/openvpn-client-export/vpn_openvpn_export.php | 7 |
3 files changed, 155 insertions, 33 deletions
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 06a0928c..c7afb9e6 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -33,6 +33,10 @@ require_once("globals.inc"); require_once("openvpn.inc");
+require_once("filter.inc");
+require_once("shaper.inc");
+require_once("util.inc");
+require_once("pfsense-utils.inc");
 function openvpn_client_export_install() { conf_mount_rw();
@@ -78,8 +82,8 @@ function openvpn_client_export_prefix($srvid, $usrid = null, $crtid = null) {
 $filename_addition = "";
 if ($usrid && is_numeric($usrid))
 $filename_addition = "-".$config['system']['user'][$usrid]['name'];
- if ($crtid && is_numeric($crtid) && function_exists("cert_get_cn"))
- $filename_addition = "-".cert_get_cn($config['cert'][$crtid]['crt']);
+ elseif ($crtid && is_numeric($crtid) && function_exists("cert_get_cn"))
+ $filename_addition = "-" . str_replace(' ', '_', cert_get_cn($config['cert'][$crtid]['crt']));
 return "{$host}-{$prot}-{$port}{$filename_addition}";
 }
@@ -156,7 +160,7 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) {
 } elseif (($settings['mode'] == "server_tls") || (($settings['mode'] == "server_tls_user") && ($settings['authmode'] != "Local Database"))) {
 $cert = $config['cert'][$crtid];
 if (!$cert)
- $input_errors[] = "Could not find client certifficate.";
+ $input_errors[] = "Could not find client certificate.";
 } else $nokeys = true;
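Review bot: The new `str_replace(' ', '_', cert_get_cn(...))` in openvpn_client_export_prefix() neutralises only spaces, yet the returned prefix is used further down this file as a filesystem path component (`$tempdir = "{$g['tmp_path']}/{$prefix}"` in the zip branch) and as the download file name, so a certificate CN containing `/`, `..` or other shell- or path-significant characters still reaches `mkdir`, `file_put_contents` and `rm -rf` unchanged. A whitelist is safer than a single-character substitution: `$filename_addition = "-" . preg_replace('/[^A-Za-z0-9._-]/', '_', cert_get_cn($config['cert'][$crtid]['crt']));`. The username branch on the line above has the same exposure and this hunk leaves it untouched; `$host`, `$prot` and `$port` are assigned before the hunk, so I cannot see how they are constrained. The function's body starts outside the hunk.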
@@ -168,6 +172,7 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { global $config, $input_errors, $g; + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); $nl = ($doslines) ? "\r\n" : "\n"; $conf = ""; @@ -180,27 +185,10 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // determine basic variables - if ($useaddr == "serveraddr") { - $interface = $settings['interface']; - if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) { - $server_host = $settings['ipaddr']; - } else { - if (!$interface || ($interface == "any")) - $interface = "wan"; - $server_host = get_interface_ip($interface); - } - } else if ($useaddr == "serverhostname" || empty($useaddr)) { - $server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}."; - $server_host .= "{$config['system']['domain']}"; - } else - $server_host = $useaddr; - + $remotes = openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl); $server_port = $settings['local_port']; - $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp"); - if (($expformat == "inlineios") && ($proto == "tcp-client")) - $proto = "tcp"; - $cipher = $settings['crypto']; + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; // add basic settings $devmode = empty($settings['dev_mode']) ? "tun" : $settings['dev_mode']; 
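Review bot: `$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);` is later compared with `$pfs_version > 2.1`, which works only through PHP's numeric-string coercion and silently truncates any version with more than three significant characters (a hypothetical `2.10` compares as `2.1`); if `/etc/version` is unreadable, `file_get_contents` returns `false` with a warning and the comparison quietly falls back to the legacy `comp-lzo` form. `version_compare(trim((string) @file_get_contents("/etc/version")), '2.1', '>')` states the intent directly and avoids both problems; store the boolean rather than the string. A one-line comment such as `// pfSense 2.2+ writes comp-lzo with an explicit yes/no/adaptive argument` would also explain why the version matters at all. openvpn_client_export_config() continues outside this hunk.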
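Review bot: `$remotes = openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl);` reads `$interface`, but this hunk removed the only assignment to that variable in openvpn_client_export_config(), so the call now passes an undefined variable (PHP notice) and the callee immediately overwrites its copy with `$settings['interface']` anyway. Either drop the parameter from the new helper or pass the value explicitly, `$remotes = openvpn_client_export_build_remote_lines($settings, $useaddr, $settings['interface'], $expformat, $nl);`. With `$proto` also gone from this scope, anything below the hunk that still referenced it would be broken; the commented-out `tcp-client` lines in the next hunk suggest this was noticed, but a quick grep of the rest of the function is worthwhile since its body continues outside the hunk.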
@@ -215,14 +203,15 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese // if ((($expformat != "inlinedroid") && ($expformat != "inlineios")) && ($proto == "tcp")) // $conf .= "proto tcp-client{$nl}"; $conf .= "cipher {$cipher}{$nl}"; + $conf .= "auth {$digest}{$nl}"; $conf .= "tls-client{$nl}"; $conf .= "client{$nl}"; if (($expformat != "inlinedroid") && ($expformat != "inlineios")) $conf .= "resolv-retry infinite{$nl}"; - $conf .= "remote {$server_host} {$server_port} {$proto}{$nl}"; - if (!empty($servercn) && ($expformat != "inlineios")) { + $conf .= "$remotes{$nl}"; + if (!empty($servercn)) { $qw = ($quoteservercn) ? "\"" : ""; - $conf .= "tls-remote {$qw}{$servercn}{$qw}{$nl}"; + $conf .= "verify-x509-name {$qw}{$servercn}{$qw} name{$nl}"; } if (!empty($proxy)) { @@ -309,18 +298,28 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // add optional settings - if ($settings['compression']) - $conf .= "comp-lzo{$nl}"; + if (!empty($settings['compression'])) { + if ($pfs_version > 2.1) + $conf .= "comp-lzo {$settings['compression']}{$nl}"; + else + $conf .= "comp-lzo{$nl}"; + } + if ($settings['passtos']) $conf .= "passtos{$nl}"; if ($openvpnmanager) { + if (!empty($settings['client_mgmt_port'])) { + $client_mgmt_port = $settings['client_mgmt_port']; + } else { + $client_mgmt_port = 166; + } $conf .= $nl; $conf .= "# dont terminate service process on wrong password, ask again{$nl}"; $conf .= "auth-retry interact{$nl}"; $conf .= "# open management channel{$nl}"; - $conf .= "management 127.0.0.1 166{$nl}"; + $conf .= "management 127.0.0.1 {$client_mgmt_port}{$nl}"; $conf .= "# wait for management to explicitly start connection{$nl}"; $conf .= "management-hold{$nl}"; $conf .= "# query management channel for user/pass{$nl}"; 
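Review bot: `$conf .= "$remotes{$nl}";` writes an empty line when openvpn_client_export_build_remote_lines() finds no eligible port forward for the new `servermagic`/`servermagichost` modes, so the export silently hands the user a client config with no `remote` directive at all. Guard it before writing, in the same way the function's other failures are reported through `$input_errors`: `if (empty($remotes)) { $input_errors[] = "No public port forward to this server was found; choose another Host Name Resolution option."; return false; }` — adjust the return to whatever the earlier validation path returns, which is outside this hunk. Removing the `inlineios` exclusion when switching from `tls-remote` to `verify-x509-name` looks intentional, but `verify-x509-name` needs an OpenVPN 2.3 or newer client; a comment such as `// verify-x509-name replaces the deprecated tls-remote; requires OpenVPN >= 2.3 clients` would stop someone re-adding the old directive. openvpn_client_export_config() continues outside this hunk.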
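Review bot: `$client_mgmt_port = $settings['client_mgmt_port'];` is interpolated into the `management 127.0.0.1 …` directive without checking that it is a port number, even though the new helper added at the end of this file already uses `is_port()` for exactly that purpose. The four-line if/else collapses to `$client_mgmt_port = is_port($settings['client_mgmt_port']) ? $settings['client_mgmt_port'] : 166;`, which also rejects junk. Similarly, `comp-lzo {$settings['compression']}` trusts the stored value; presumably it is one of OpenVPN's `yes`/`no`/`adaptive` tokens, and an `in_array($settings['compression'], array('yes', 'no', 'adaptive'), true)` check before emitting it would keep a malformed setting from producing an unparseable client config. openvpn_client_export_config() continues outside this hunk.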
@@ -343,7 +342,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese case "zip": // create template directory $tempdir = "{$g['tmp_path']}/{$prefix}"; - mkdir($tempdir, 0700, true); + @mkdir($tempdir, 0700, true); file_put_contents("{$tempdir}/{$prefix}.ovpn", $conf); @@ -368,10 +367,14 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese else openvpn_client_pem_to_pk12($p12file, $outpass, $crtfile, $keyfile, $cafile); } - exec("cd {$tempdir}/.. && /usr/local/bin/zip -r {$g['tmp_path']}/{$prefix}-config.zip {$prefix}"); + $command = "cd " . escapeshellarg("{$tempdir}/..") + . " && /usr/local/bin/zip -r " + . escapeshellarg("{$g['tmp_path']}/{$prefix}-config.zip") + . " " . escapeshellarg($prefix); + exec($command); // Remove temporary directory - exec("rm -rf {$tempdir}"); - return $g['tmp_path'] . "/{$prefix}-config.zip"; + exec("rm -rf " . escapeshellarg($tempdir)); + return "{$g['tmp_path']}/{$prefix}-config.zip"; break; case "inline": case "inlinedroid": @@ -383,6 +386,9 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese $conf .= "<cert>{$nl}" . trim(base64_decode($cert['crt'])) . "{$nl}</cert>{$nl}"; // Inline Key $conf .= "<key>{$nl}" . trim(base64_decode($cert['prv'])) . "{$nl}</key>{$nl}"; + } else { + // Work around OpenVPN Connect assuming you have a client cert even when you don't need one + $conf .= "setenv CLIENT_CERT 0{$nl}"; } // Inline TLS if ($settings['tls']) { @@ -719,6 +725,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp-client"); $cipher = $settings['crypto']; + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; // add basic settings $conf = "dev tun\n"; 
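Review bot: Turning `mkdir($tempdir, 0700, true)` into `@mkdir(...)` hides the case where `$tempdir` already exists or cannot be created, yet the very next line writes the client config into it and, a few lines further, the client's private key; if a stale or pre-created `{$g['tmp_path']}/{$prefix}` is present, the `0700` mode is never applied and the key lands in a directory whose permissions nobody checked. Test the result instead: `if (!@mkdir($tempdir, 0700, true) && !is_dir($tempdir)) { $input_errors[] = "Could not create temporary export directory."; return false; }` (matching whatever failure value the earlier validation in this function returns), and since the name is predictable consider adding a random suffix. The `escapeshellarg()` wrapping of the zip and rm commands is the right fix for shell injection, but `$prefix` still flows unsanitised into the path strings themselves, so `..` in a certificate CN remains a traversal concern that the prefix helper should reject. The zip case continues outside this hunk.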
@@ -729,6 +736,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $conf .= "persist-key\n"; $conf .= "proto {$proto}\n"; $conf .= "cipher {$cipher}\n"; + $conf .= "auth {$digest}\n"; $conf .= "pull\n"; $conf .= "resolv-retry infinite\n"; $conf .= "remote {$server_host} {$server_port}\n"; 
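Review bot: The `"SHA1"` fallback behind `auth {$digest}` (here and in the TLS export path earlier in this diff) assumes that a server with no `digest` setting runs OpenVPN's built-in default HMAC; if the server-side config generator ever picks a different default, the exported peer fails HMAC verification with nothing in the export UI to explain why, so the assumption deserves a comment such as `// OpenVPN's --auth defaults to SHA1; mirror that when the server has no explicit digest`. The identical ternary is now duplicated in both export functions; a small `openvpn_client_export_digest($settings)` helper would keep the two in step. openvpn_client_export_sharedkey_config() continues outside this hunk.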
@@ -799,4 +807,111 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco
 return $conf;
 }
+function openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl) {
+ global $config;
+ $remotes = array();
+ if (($useaddr == "serveraddr") || ($useaddr == "servermagic") || ($useaddr == "servermagichost")) {
+ $interface = $settings['interface'];
+ if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) {
+ $server_host = $settings['ipaddr'];
+ } else {
+ if (!$interface || ($interface == "any"))
+ $interface = "wan";
+ $server_host = get_interface_ip($interface);
+ }
+ } else if ($useaddr == "serverhostname" || empty($useaddr)) {
+ $server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}.";
+ $server_host .= "{$config['system']['domain']}";
+ } else
+ $server_host = $useaddr;
+
+ $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp");
+ if (($expformat == "inlineios") && ($proto == "tcp-client"))
+ $proto = "tcp";
+
+ if (($useaddr == "servermagic") || ($useaddr == "servermagichost")) {
+ $destinations = openvpn_client_export_find_port_forwards($server_host, $settings['local_port'], $proto, true, ($useaddr == "servermagichost"));
+ foreach ($destinations as $dest) {
+ $remotes[] = "remote {$dest['host']} {$dest['port']} {$dest['proto']}";
+ }
+ } else {
+ $remotes[] = "remote {$server_host} {$settings['local_port']} {$proto}";
+ }
+
+ return implode($nl, $remotes);
+}
+
+function openvpn_client_export_find_port_forwards($targetip, $targetport, $targetproto, $skipprivate, $findhostname=false) {
+ global $config, $FilterIflist;
+ if (empty($FilterIflist))
+ filter_generate_optcfg_array();
+ $destinations = array();
+
+ foreach ($config['nat']['rule'] as $natent) {
+ $dest = array();
+ if (!isset($natent['disabled'])
+ && ($natent['target'] == $targetip)
+ && ($natent['local-port'] == $targetport)
+ && ($natent['protocol'] == $targetproto)) {
+ $dest['proto'] = $natent['protocol'];
+
+ // Could be multiple ports... But we can only use one.
+ $dports = is_port($natent['destination']['port']) ? array($natent['destination']['port']) : filter_expand_alias_array($natent['destination']['port']);
+ $dest['port'] = $dports[0];
+
+ // Could be network or address ...
+ $natif = (!$natent['interface']) ? "wan" : $natent['interface'];
+
+ if (!isset($FilterIflist[$natif]))
+ continue; // Skip if there is no interface
+
+ $dstaddr = trim(filter_generate_address($natent, 'destination', true));
+ if(!$dstaddr)
+ $dstaddr = $FilterIflist[$natif]['ip'];
+
+ $dstaddr_port = explode(" ", $dstaddr);
+
+ if(empty($dstaddr_port[0]) || strtolower(trim($dstaddr_port[0])) == "port")
+ continue; // Skip port forward if no destination address found
+
+
+ if (!is_ipaddr($dstaddr_port[0]))
+ continue; // We can only work with single IPs, not subnets!
+
+
+ if ($skipprivate && is_private_ip($dstaddr_port[0]))
+ continue; // Skipping a private IP destination!
+
+ $dest['host'] = $dstaddr_port[0];
+
+ if ($findhostname) {
+ $hostname = openvpn_client_export_find_hostname($natif);
+ if (!empty($hostname))
+ $dest['host'] = $hostname;
+ }
+
+ $destinations[] = $dest;
+ }
+ }
+
+ return $destinations;
+}
+
+function openvpn_client_export_find_hostname($interface) {
+ global $config;
+ $hostname = "";
+ if (is_array($config['dyndnses']['dyndns'])) {
+ foreach ($config['dyndnses']['dyndns'] as $ddns) {
+ if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host']))
+ return $ddns['host'];
+ }
+ }
+ if (is_array($config['dnsupdates']['dnsupdate'])) {
+ foreach ($config['dnsupdates']['dnsupdate'] as $ddns) {
+ if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host']))
+ return $ddns['host'];
+ }
+ }
+
+}
 ?>
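Review bot: `foreach ($config['nat']['rule'] as $natent)` in openvpn_client_export_find_port_forwards() has no `is_array()` guard, unlike the two loops in openvpn_client_export_find_hostname() right below it, so a firewall with no port forwards raises a PHP warning instead of returning an empty list; add `if (!is_array($config['nat']['rule'])) return $destinations;` before the loop. `$dest['port'] = $dports[0];` likewise assumes `filter_expand_alias_array()` returned at least one entry — `if (empty($dports)) continue;` keeps an unresolvable alias from emitting `remote host  udp`. The exact-match `$natent['protocol'] == $targetproto` will also skip forwards saved with a combined protocol value (pfSense allows `tcp/udp` on NAT rules, if I recall correctly), which users of the new Automagic options will find surprising and which at least deserves a comment. In openvpn_client_export_build_remote_lines() the `$proto == "tcp-client"` branch is unreachable because `$proto` is only ever `'udp'` or `"tcp"` here, and the `$interface` parameter is overwritten on first use, so both can go.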
diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index e70139a7..a1c263f1 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>1.0.6</version> + <version>1.1.3</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index 4f7e1caa..ad6c65da 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -597,12 +597,19 @@ function useproxy_changed(obj) { <td> <select name="useaddr" id="useaddr" class="formselect" onchange="useaddr_changed(this)"> <option value="serveraddr" >Interface IP Address</option> + <option value="servermagic" >Automagic Multi-WAN IPs (port forward targets)</option> + <option value="servermagichost" >Automagic Multi-WAN DDNS Hostnames (port forward targets)</option> <option value="serverhostname" >Installation hostname</option> <?php if (is_array($config['dyndnses']['dyndns'])): ?> <?php foreach ($config['dyndnses']['dyndns'] as $ddns): ?> <option value="<?php echo $ddns["host"] ?>">DynDNS: <?php echo $ddns["host"] ?></option> <?php endforeach; ?> <?php endif; ?> + <?php if (is_array($config['dnsupdates']['dnsupdate'])): ?> + <?php foreach ($config['dnsupdates']['dnsupdate'] as $ddns): ?> + <option value="<?php echo $ddns["host"] ?>">DynDNS: <?php echo $ddns["host"] ?></option> + <?php endforeach; ?> + <?php endif; ?> <option value="other">Other</option> </select> <br /> |
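Review bot: The two new `<option>` lines echo `$ddns["host"]` into both an attribute value and the element body without `htmlspecialchars()`, copying the pattern of the dyndns block above; the value comes from saved configuration rather than the request, but it is free text entered on another settings page, so unescaped output here is stored XSS against whoever opens the export page. Use `<option value="<?php echo htmlspecialchars($ddns["host"]) ?>">DynDNS: <?php echo htmlspecialchars($ddns["host"]) ?></option>` and apply the same to the pre-existing dyndns lines while in the area. The `DynDNS:` label is reused for `dnsupdates` entries, which in pfSense are the RFC 2136 client if I read the config key correctly; labelling them `RFC2136:` would tell the administrator which entry they are choosing. The enclosing `<select>` markup starts before the hunk.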