From 4b0dc757fd9b3f0d89f95dfd5f4517d61575aebf Mon Sep 17 00:00:00 2001
From: jim-p
Date: Mon, 28 Feb 2011 17:11:38 -0500
Subject: Initial work toward exporting shared key clients.

---
 .../openvpn-client-export.inc | 93 ++++++++++++++++++++++
 .../openvpn-client-export/vpn_openvpn_export.php | 73 +++++++++++++++++
 2 files changed, 166 insertions(+)

diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index a9a882b4..3e8038e4 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -500,4 +500,97 @@ EOF;
 }
+function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipconf = false) {
+ global $config, $input_errors, $g;
+
+ // lookup server settings
+ $settings = $config['openvpn']['openvpn-server'][$srvid];
+ if (empty($settings)) {
+ $input_errors[] = "Could not locate server configuration.";
+ return false;
+ }
+ if ($settings['disable']) {
+ $input_errors[] = "You cannot export for disabled servers.";
+ return false;
+ }
+
+ // determine basic variables
+ if ($useaddr == "serveraddr") {
+ $interface = $settings['interface'];
+ if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) {
+ $server_host = $settings['ipaddr'];
+ } else {
+ if (!$interface)
+ $interface = "wan";
+ $server_host = get_interface_ip($interface);
+ }
+ } else if ($useaddr == "serverhostname" || empty($useaddr)) {
+ $server_host = "{$config['system']['hostname']}.{$config['system']['domain']}";
+ } else
+ $server_host = $useaddr;
+
+ $server_port = $settings['local_port'];
+ $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp-client");
+
+ $cipher = $settings['crypto'];
+
+ // add basic settings
+ $conf = "dev tun\n";
+ $conf .= "persist-tun\n";
+ $conf .= "persist-key\n";
+ $conf .= "proto {$proto}\n";
+ $conf .= "cipher {$cipher}\n";
+ $conf .= "client\n";
+ $conf .= "resolv-retry infinite\n";
+ $conf .= "remote {$server_host} {$server_port}\n";
+ if ($settings['local_network']) {
+ list($ip, $mask) = explode('/', $settings['local_network']);
+ $mask = gen_subnet_mask($mask);
+ $conf .= "route $ip $mask\n";
+ }
+
+ if (!empty($proxy)) {
+ if ($proto == "udp") {
+ $input_errors[] = "This server uses UDP protocol and cannot communicate with HTTP proxy.";
+ return;
+ }
+ $conf .= "http-proxy {$proxy['ip']} {$proxy['port']} ";
+ if ($proxy['proxy_authtype'] != "none") {
+ if (!isset($proxy['passwdfile']))
+ $proxy['passwdfile'] = openvpn_client_export_prefix($srvid) . 
"-proxy";
+ $conf .= " {$proxy['passwdfile']} {$proxy['proxy_authtype']}";
+ }
+ $conf .= "\n";
+ }
+
+ // add key settings
+ $prefix = openvpn_client_export_prefix($srvid);
+ $shkeyfile = "{$prefix}.secret";
+ $conf .= "secret {$shkeyfile}\n";
+
+ // add optional settings
+ if ($settings['compression'])
+ $conf .= "comp-lzo\n";
+ if ($settings['passtos'])
+ $conf .= "passtos\n";
+
+ if ($zipconf == true) {
+ // create template directory
+ $tempdir = "{$g['tmp_path']}/{$prefix}";
+ mkdir($tempdir, 0700, true);
+
+ file_put_contents("{$tempdir}/{$prefix}.ovpn", $conf);
+
+ $shkeyfile = "{$tempdir}/{$shkeyfile}";
+ file_put_contents("{$shkeyfile}", base64_decode($settings['shared_key']));
+
+ exec("cd {$tempdir}/.. && /usr/local/bin/zip -r {$g['tmp_path']}/{$prefix}-config.zip {$prefix}");
+
+ // Remove temporary directory
+ exec("rm -rf {$tempdir}");
+ return "{$prefix}-config.zip";
+ } else
+ return $conf;
+}
+
 ?>
diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php
index 73833fbe..c0c2838c 100755
--- a/config/openvpn-client-export/vpn_openvpn_export.php
+++ b/config/openvpn-client-export/vpn_openvpn_export.php
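Review bot: In the `$zipconf` branch the static key is written to a predictable path under `{$g['tmp_path']}/{$prefix}` and then `$tempdir`, `$prefix` and `$g['tmp_path']` are interpolated unescaped into two `exec()` shell commands; wrapping each operand with `escapeshellarg()` — `exec("cd " . escapeshellarg("{$tempdir}/..") . " && /usr/local/bin/zip -r " . escapeshellarg("{$g['tmp_path']}/{$prefix}-config.zip") . " " . escapeshellarg($prefix));` and `exec("rm -rf " . escapeshellarg($tempdir));` — keeps the commands safe regardless of what `openvpn_client_export_prefix()` derives the name from, and the `mkdir()` result should be checked so the key is never dropped into a directory that already existed. The proxy branch references a password file named `{$prefix}-proxy` in the generated config, but neither branch ever writes that file (only the `.ovpn` and `.secret` go into the zip), so a `basic`/`ntlm` proxy export is unusable as shipped. If I recall OpenVPN's option validation correctly, `client` (which implies `tls-client`) is rejected in combination with `secret`, and a static-key peer also needs an `ifconfig` line derived from the tunnel network, so the emitted config should presumably drop `client` in favour of `ifconfig` — worth confirming against a real client. The UDP-with-proxy failure uses a bare `return;` where every other failure returns `false`; `return false;` keeps the caller's `!$exp_data` check uniform.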
@@ -327,6 +327,79 @@ if($act == "inst") {
 }
 }
+if(($act == "skconf") || ($act == "skzipconf")) {
+ $srvid = $_GET['srvid'];
+ if (($srvid === false) || ($config['openvpn']['openvpn-server'][$srvid]['mode'] != "p2p_shared_key")) {
+ pfSenseHeader("vpn_openvpn_export.php");
+ exit;
+ }
+
+ if (empty($_GET['useaddr'])) {
+ $error = true;
+ $input_errors[] = "You need to specify an IP or hostname.";
+ } else
+ $useaddr = $_GET['useaddr'];
+
+ $proxy = "";
+ if (!empty($_GET['proxy_addr']) || !empty($_GET['proxy_port'])) {
+ $proxy = array();
+ if (empty($_GET['proxy_addr'])) {
+ $error = true;
+ $input_errors[] = "You need to specify an address for the proxy port.";
+ } else
+ $proxy['ip'] = $_GET['proxy_addr'];
+ if (empty($_GET['proxy_port'])) {
+ $error = true;
+ $input_errors[] = "You need to specify a port for the proxy ip.";
+ } else
+ $proxy['port'] = $_GET['proxy_port'];
+ $proxy['proxy_authtype'] = $_GET['proxy_authtype'];
+ if ($_GET['proxy_authtype'] != "none") {
+ if (empty($_GET['proxy_user'])) {
+ $error = true;
+ $input_errors[] = "You need to specify a username with the proxy config.";
+ } else
+ $proxy['user'] = $_GET['proxy_user'];
+ if (!empty($_GET['proxy_user']) && empty($_GET['proxy_password'])) {
+ $error = true;
+ $input_errors[] = "You need to specify a password with the proxy user.";
+ } else
+ $proxy['password'] = $_GET['proxy_password'];
+ }
+ }
+
+ $exp_name = openvpn_client_export_prefix($srvid);
+ if ($act == "skzipconf")
+ $zipconf = true;
+ $exp_data = openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipconf);
+ if (!$exp_data) {
+ $input_errors[] = "Failed to export config files!";
+ $error = true;
+ }
+ if (!$error) {
+ if ($zipconf) {
+ $exp_name = urlencode($exp_data);
+ $exp_size = filesize("{$g['tmp_path']}/{$exp_data}");
+ } else {
+ $exp_name = urlencode($exp_name."-config.ovpn");
+ $exp_size = strlen($exp_data);
+ }
+
+ header('Pragma: ');
+ header('Cache-Control: ');
+ header("Content-Type: 
application/octet-stream");
+ header("Content-Disposition: attachment; filename={$exp_name}");
+ header("Content-Length: $exp_size");
+ if ($zipconf)
+ readfile("{$g['tmp_path']}/{$exp_data}");
+ else
+ echo $exp_data;
+
+ @unlink("{$g['tmp_path']}/{$exp_data}");
+ exit;
+ }
+}
+
 include("head.inc");
 ?>
--
cgit v1.2.3
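Review bot: `useaddr`, `proxy_addr`, `proxy_port` and `proxy_authtype` are read from `$_GET` and handed to `openvpn_client_export_sharedkey_config()` without any format check, and that function (other hunk of this commit) interpolates them straight into the `remote` and `http-proxy` lines of the generated .ovpn, so a value containing a newline appends arbitrary directives to the file the admin downloads; validating them with the pfSense `is_ipaddr()`/`is_hostname()`/`is_port()` helpers (assuming the usual util.inc functions are in scope, as `is_ipaddr()` already is) and whitelisting the auth type to whatever the form offers closes that. The guard `$srvid === false` can never fire because `$_GET` yields `null` for a missing key — `!isset($_GET['srvid']) || !is_numericint($_GET['srvid'])` is the check that was intended. The response body carries the static key, yet the cache headers are blanked rather than set to a no-store policy; `header('Cache-Control: no-store, no-cache, must-revalidate');` and `header('Pragma: no-cache');` are the usual choice for a key download. `$zipconf` and `$error` are only assigned on some paths, so the later `if (!$error)` / `if ($zipconf)` tests rely on undefined variables being falsy; initialising both to `false` at the top of the block makes that explicit.
```php
if(($act == "skconf") || ($act == "skzipconf")) {
	$error = false;
	$zipconf = false;
	if (!isset($_GET['srvid']) || !is_numericint($_GET['srvid']) ||
	    ($config['openvpn']['openvpn-server'][$_GET['srvid']]['mode'] != "p2p_shared_key")) {
		pfSenseHeader("vpn_openvpn_export.php");
		exit;
	}
	$srvid = (int) $_GET['srvid'];

	if (empty($_GET['useaddr'])) {
		$error = true;
		$input_errors[] = "You need to specify an IP or hostname.";
	} else {
		$useaddr = $_GET['useaddr'];
		if (!in_array($useaddr, array("serveraddr", "serverhostname")) &&
		    !is_ipaddr($useaddr) && !is_hostname($useaddr)) {
			$error = true;
			$input_errors[] = "The address must be a valid IP address or hostname.";
		}
	}

	// … unchanged: proxy_addr / proxy_port presence checks inside the proxy block …
		if (!empty($proxy['ip']) && !is_ipaddr($proxy['ip']) && !is_hostname($proxy['ip'])) {
			$error = true;
			$input_errors[] = "The proxy address must be a valid IP address or hostname.";
		}
		if (!empty($proxy['port']) && !is_port($proxy['port'])) {
			$error = true;
			$input_errors[] = "The proxy port must be a valid port number.";
		}
		if (!in_array($_GET['proxy_authtype'], array("none", "basic", "ntlm"))) {
			$error = true;
			$input_errors[] = "Invalid proxy authentication type.";
		}
	// … unchanged: proxy user/password checks, export call and download headers …
```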