From 7d9e42f0b179417650e9b336fdf925b058863250 Mon Sep 17 00:00:00 2001 From: mfuchs Date: Tue, 19 May 2009 21:30:08 +0200 Subject: add OpenVPN-TLS, etc... enhancements package for 1.2.x --- config/ovpnenhance/openvpn.inc_tls | 668 +++++++++++++++++++++++++++++++++ config/ovpnenhance/openvpn.xml_tls | 329 ++++++++++++++++ config/ovpnenhance/openvpn_cli.xml_tls | 240 ++++++++++++ config/ovpnenhance/openvpn_csc.xml_tls | 169 +++++++++ config/ovpnenhance/ovpnenhance.inc | 13 + config/ovpnenhance/ovpnenhance.xml | 40 ++ 6 files changed, 1459 insertions(+) create mode 100644 config/ovpnenhance/openvpn.inc_tls create mode 100644 config/ovpnenhance/openvpn.xml_tls create mode 100644 config/ovpnenhance/openvpn_cli.xml_tls create mode 100644 config/ovpnenhance/openvpn_csc.xml_tls create mode 100644 config/ovpnenhance/ovpnenhance.inc create mode 100644 config/ovpnenhance/ovpnenhance.xml diff --git a/config/ovpnenhance/openvpn.inc_tls b/config/ovpnenhance/openvpn.inc_tls new file mode 100644 index 00000000..9ea4c7da --- /dev/null +++ b/config/ovpnenhance/openvpn.inc_tls @@ -0,0 +1,668 @@ + + All rights reserved. + + Copyright (C) 2004 Peter Curran (peter@closeconsultants.com). + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notices, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notices, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once('config.inc'); +require_once('pfsense-utils.inc'); +require_once('util.inc'); + +// Return the list of ciphers OpenVPN supports +function openvpn_get_ciphers($pkg) { + foreach ($pkg['fields']['field'] as $i => $field) { + if ($field['fieldname'] == 'crypto') break; + } + $option_array = &$pkg['fields']['field'][$i]['options']['option']; + $ciphers_out = shell_exec('openvpn --show-ciphers | grep "default key" | awk \'{print $1, "(" $2 "-" $3 ")";}\''); + $ciphers = explode("\n", trim($ciphers_out)); + sort($ciphers); + foreach ($ciphers as $cipher) { + $value = explode(' ', $cipher); + $value = $value[0]; + $option_array[] = array('value' => $value, 'name' => $cipher); + } +} + + +function openvpn_validate_port($value, $name) { + $value = trim($value); + if (!empty($value) && !(is_numeric($value) && ($value > 0) && ($value < 65535))) + return "The field '$name' must contain a valid port, ranging from 0 to 65535."; + return false; +} + + +function openvpn_validate_cidr($value, $name) { + $value = trim($value); + if (!empty($value)) { + list($ip, $mask) = explode('/', $value); + if (!is_ipaddr($ip) or !is_numeric($mask) or ($mask > 32) or ($mask < 0)) + return "The field '$name' must contain a valid CIDR range."; + } + return false; +} + + +// Do the input validation +function openvpn_validate_input($mode, $post, $input_errors) { + $Mode = ucfirst($mode); + + if ($mode == 'server') { + if ($result = openvpn_validate_port($post['local_port'], 'Local port')) + $input_errors[] = $result; + + if ($result = openvpn_validate_cidr($post['addresspool'], 'Address pool')) + $input_errors[] = $result; + + if ($result = openvpn_validate_cidr($post['local_network'], 'Local network')) + $input_errors[] = $result; + +/* check for port in use - update of existing entries not possible because $_GET['act'] is not passed from pkg_edit.php :-( mfuchs + $portinuse = shell_exec('sockstat | grep '.$post['local_port'].' | grep '.strtolower($post['protocol'])); + if (!empty($portinuse)) + $input_errors[] = 'The port '.$post['local_port'].'/'.strtolower($post['protocol']).' is already in use.'; +*/ + + if (!empty($post['dhcp_dns'])) { + $servers = explode(';', $post['dhcp_dns']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: DNS-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_wins'])) { + $servers = explode(';', $post['dhcp_wins']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: WINS-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_nbdd'])) { + $servers = explode(';', $post['dhcp_nbdd']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: NBDD-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_ntp'])) { + $servers = explode(';', $post['dhcp_ntp']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: NTP-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (isset($post['maxclients']) && $post['maxclients'] != "") { + if (!is_numeric($post['maxclients'])) + $input_errors[] = 'The field \'Maximum clients\' must be numeric.'; + } + + } + + else { // Client mode + if ($result = openvpn_validate_port($post['serverport'], 'Server port')) + $input_errors[] = $result; + + $server_addr = trim($post['serveraddr']); + if (!empty($value) && !(is_domain($server_addr) || is_ipaddr($server_addr))) + $input_errors[] = 'The field \'Server address\' must contain a valid IP address or domain name.'; + + if ($result = openvpn_validate_cidr($post['interface_ip'], 'Interface IP')) + $input_errors[] = $result; + + if ($post['auth_method'] == 'shared_key') { + if (empty($post['interface_ip'])) + $input_errors[] = 'The field \'Interface IP\' is required.'; + } + if (isset($post['proxy_hostname']) && $post['proxy_hostname'] != "") { + if (!is_domain($post['proxy_hostname']) || is_ipaddr($post['proxy_hostname'])) + $input_errors[] = 'The field \'Proxy Host\' must contain a valid IP address or domain name.'; + if (!is_port($post['proxy_port'])) + $input_errors[] = 'The field \'Proxy port\' must contain a valid port number.'; + if ($post['protocol'] != "TCP") + $input_errors[] = 'The protocol must be TCP to use a HTTP proxy server.'; + } + if (isset($post['use_shaper']) && $post['use_shaper'] != "") { + if (!is_numeric($post['use_shaper'])) + $input_errors[] = 'The field \'Limit outgoing bandwidth\' must be numeric.'; + } + + } + + if ($result = openvpn_validate_cidr($post['remote_network'], 'Remote network')) + $input_errors[] = $result; + + if ($_POST['auth_method'] == 'shared_key') { + $reqfields[] = 'shared_key'; + $reqfieldsn[] = 'Shared key'; + } + else { + $req = explode(' ', "ca_cert {$mode}_cert {$mode}_key"); + $reqn = array( 'CA certificate', + ucfirst($mode) . ' certificate', + ucfirst($mode) . ' key'); + $reqfields = array_merge($reqfields, $req); + $reqfieldsn = array_merge($reqfieldsn, $reqn); + if ($mode == 'server') { + $reqfields[] = 'dh_params'; + $reqfieldsn[] = 'DH parameters'; + } + } + do_input_validation($post, $reqfields, $reqfieldsn, &$input_errors); + + $value = trim($post['shared_key']); + $items = array(); + + if ($_POST['auth_method'] == 'shared_key') { + $items[] = array( 'field' => 'shared_key', + 'string' => 'OpenVPN Static key V1', + 'name' => 'Shared key'); + } + else { + $items[] = array( 'field' => 'ca_cert', + 'string' => 'CERTIFICATE', + 'name' => 'CA certificate'); + $items[] = array( 'field' => "{$mode}_cert", + 'string' => 'CERTIFICATE', + 'name' => "$Mode certificate"); + $items[] = array( 'field' => "{$mode}_key", + 'string' => 'RSA PRIVATE KEY', + 'name' => "$Mode key"); + $items[] = array( 'field' => 'tls', + 'string' => 'OpenVPN Static key V1', + 'name' => 'TLS'); + if ($mode == 'server') { + $items[] = array( 'field' => 'dh_params', + 'string' => 'DH PARAMETERS', + 'name' => 'DH parameters'); + $items[] = array( 'field' => 'crl', + 'string' => 'X509 CRL', + 'name' => 'CRL'); + } + } + foreach ($items as $item) { + $value = trim($_POST[$item['field']]); + $string = $item['string']; + if ($value && (!strstr($value, "-----BEGIN {$string}-----") || !strstr($value, "-----END {$string}-----"))) + $input_errors[] = "The field '{$item['name']}' does not appear to be valid"; + } +} + + +function openvpn_validate_input_csc($post, $input_errors) { + if ($result = openvpn_validate_cidr($post['ifconfig_push'], 'Interface IP')) + $input_errors[] = $result; + + if ($post['push_reset'] != 'on') { + if (!empty($post['dhcp_domainname'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_dns'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_wins'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_nbdd'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_ntp'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif ($post['dhcp_nbttype']) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif (!empty($post['dhcp_nbtscope'])) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + elseif ($post['dhcp_nbtdisable']) + $input_errors[] = 'It makes no sense to unselect push reset and configure dhcp-options'; + + } + else { + + if (!empty($post['dhcp_dns'])) { + $servers = explode(';', $post['dhcp_dns']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: DNS-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_wins'])) { + $servers = explode(';', $post['dhcp_wins']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: WINS-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_nbdd'])) { + $servers = explode(';', $post['dhcp_nbdd']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: NBDD-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + if (!empty($post['dhcp_ntp'])) { + $servers = explode(';', $post['dhcp_ntp']); + foreach ($servers as $server) if (!is_ipaddr($server)) + {$input_errors[] = 'The field \'DHCP-Opt.: NTP-Server\' must contain a valid IP address and no whitespaces.'; + break;}} + +}} + +// Rewrite the settings +function openvpn_reconfigure($mode, $id) { + global $g, $config; + + $settings = $config['installedpackages']["openvpn$mode"]['config'][$id]; + if ($settings['disable']) return; + + $lport = 1194 + $id; + + // Set the keys up + // Note that the keys' extension is also the directive that goes to the config file + $base_file = $g['varetc_path'] . "/openvpn_{$mode}{$id}."; + $keys = array(); + if ($settings['auth_method'] == 'shared_key') + $keys[] = array('field' => 'shared_key', 'ext' => 'secret', 'directive' => 'secret'); + else { + $keys[] = array('field' => 'ca_cert', 'ext' => 'ca', 'directive' => 'ca'); + $keys[] = array('field' => "{$mode}_cert", 'ext' => 'cert', 'directive' => 'cert'); + $keys[] = array('field' => "{$mode}_key", 'ext' => 'key', 'directive' => 'key'); + if ($mode == 'server') + $keys[] = array('field' => 'dh_params', 'ext' => 'dh', 'directive' => 'dh'); + if ($settings['crl']) + $keys[] = array('field' => 'crl', 'ext' => 'crl', 'directive' => 'crl-verify'); + if ($settings['tls']) + $keys[] = array('field' => 'tls', 'ext' => 'tls', 'directive' => 'tls-auth'); + + } + foreach($keys as $key) { + $filename = $base_file . $key['ext']; + file_put_contents($filename, base64_decode($settings[$key['field']])); + chown($filename, 'nobody'); + chgrp($filename, 'nobody'); + } + + $pidfile = $g['varrun_path'] . "/openvpn_{$mode}{$id}.pid"; + $proto = ($settings['protocol'] == 'UDP' ? 'udp' : "tcp-{$mode}"); + $cipher = $settings['crypto']; + $openvpn_conf = << $settings) + openvpn_resync($mode, $id); + } + } + + openvpn_create_cscdir(); + if (is_array($config['installedpackages']['openvpncsc']['config'])) { + foreach ($config['installedpackages']['openvpncsc']['config'] as $id => $csc) + openvpn_resync_csc($id); + } + + /* give speedy machines time to settle */ + sleep(5); + + /* reload the filter policy */ + filter_configure(); + +} + +function openvpn_print_javascript($mode) { + $javascript = << + + + +EOD; + print($javascript); +} + + +function openvpn_print_javascript2() { + $javascript = << + + + +EOD; + print($javascript); +} +?> diff --git a/config/ovpnenhance/openvpn.xml_tls b/config/ovpnenhance/openvpn.xml_tls new file mode 100644 index 00000000..e7932e38 --- /dev/null +++ b/config/ovpnenhance/openvpn.xml_tls @@ -0,0 +1,329 @@ + + openvpnserver + OpenVPN: Server + openvpn.inc + An OpenVPN server has been deleted. + An OpenVPN server has been created/modified. + + + Server + /pkg.php?xml=openvpn.xml + + + + Client + /pkg.php?xml=openvpn_cli.xml + + + Client-specific configuration + /pkg.php?xml=openvpn_csc.xml + + + + + disable + Disabled + checkbox + + + protocol + Protocol + + + addresspool + Address pool + + + description + Description + + + + + disable + Disable this tunnel + This allows you to disable this tunnel without removing it from the list. + + checkbox + + + protocol + Protocol + The protocol to be used for the VPN. + + select + + + + + UDP + + + dynamic_ip + Dynamic IP + Assume dynamic IPs, so that DHCP clients can connect. + checkbox + + + local_port + Local port + The port OpenVPN will listen on. You generally want 1194 here. + + input + 1194 + 5 + + + addresspool + Address pool + This is the address pool to be assigned to the clients. Expressed as a CIDR range (eg. 10.0.8.0/24). If the 'Use static IPs' field isn't set, clients will be assigned addresses from this pool. Otherwise, this will be used to set the local interface's IP. + + input + + + nopool + Use static IPs + If this option is set, IPs won't be assigned to clients. Instead, the server will use static IPs on its side, and the clients are expected to use this same value in the 'Address pool' field. + + checkbox + + + local_network + Local network + This is the network that will be accessable from the remote endpoint. Expressed as a CIDR range. You may leave this blank you don't want to add a route to your network through this tunnel in the remote machine. This is generally set to your LAN network. + input + + + remote_network + Remote network + This is a network that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a CIDR range. If this is a site-to-site VPN, enter here the remote LAN here. You may leave this blank if you don't want a site-to-site VPN. + input + + + client2client + Client-to-client VPN + If this option is set, clients will be able to talk to each other. Otherwise, they will only be able to talk to the server. + + checkbox + + + crypto + Cryptography + Here you can choose the cryptography algorithm to be used. + + select + BF-CBC + + + auth_method + Authentication method + The authentication method to be used. + + select + + + + + onAuthMethodChanged() + + + shared_key + Shared key + Paste your shared key here. + textarea + base64 + 8 + 40 + + + ca_cert + CA certificate + Paste your CA certificate in X.509 format here. + textarea + base64 + 8 + 40 + + + server_cert + Server certificate + Paste your server certificate in X.509 format here. + textarea + base64 + 8 + 40 + + + server_key + Server key + Paste your server key in RSA format here. + textarea + base64 + 8 + 40 + + + dh_params + DH parameters + Paste your Diffie Hellman parameters in PEM format here. + textarea + base64 + 8 + 40 + + + crl + CRL + Paste your certificate revocation list (CRL) in PEM format here (optional). + textarea + base64 + 8 + 40 + + + tls + TLS + Paste your HMAC signature (TLS) here (optional). + textarea + base64 + 8 + 40 + + + dhcp_domainname + DHCP-Opt.: DNS-Domainname + Set connection-specific DNS Suffix. + input + + + dhcp_dns + DHCP-Opt.: DNS-Server + Set domain name server addresses, separated by semi-colons (;). + input + + + dhcp_wins + DHCP-Opt.: WINS-Server + Set WINS server addresses (NetBIOS over TCP/IP Name Server), separated by semi-colons (;). + input + + + dhcp_nbdd + DHCP-Opt.: NBDD-Server + Set NBDD server addresses (NetBIOS over TCP/IP Datagram Distribution Server), separated by semi-colons (;). + input + + + dhcp_ntp + DHCP-Opt.: NTP-Server + Set NTP server addresses (Network Time Protocol), separated by semi-colons (;). + input + + + dhcp_nbttype + DHCP-Opt.: NetBIOS node type + Set NetBIOS over TCP/IP Node type. Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast). + select + + + + + + + + 0 + + + dhcp_nbtscope + DHCP-Opt.: NetBIOS Scope + Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. + input + + + dhcp_nbtdisable + DHCP-Opt.: Disable NetBIOS + If this option is set, Netbios-over-TCP/IP will be disabled. + checkbox + + + use_lzo + LZO compression + Checking this will compress the packets using the LZO algorithm before sending them. + checkbox + + + maxclients + Maximum clients + The maximum number of concurrently connected clients we want to allow. + input + + + passtos + Pass Type-Of-Service + Checking this will set the TOS field of the tunnel packet to what the payload's TOS is. + checkbox + + + gwredir + Redirect Gateway + Redirect ALL traffic through the OpenVPN server. + checkbox + + + custom_options + Custom options + You can put your own custom options here, separated by semi-colons (;). They'll be added to the server configuration. + textarea + 65 + 5 + + + description + Description + You may enter a description here. This is optional and is not parsed. + input + + + + openvpn_get_ciphers(&$pkg); + + + openvpn_print_javascript('server'); + + + openvpn_print_javascript2(); + + + openvpn_validate_input('server', $_POST, &$input_errors); + + + openvpn_resync('server', $id); + + diff --git a/config/ovpnenhance/openvpn_cli.xml_tls b/config/ovpnenhance/openvpn_cli.xml_tls new file mode 100644 index 00000000..b9b85cf6 --- /dev/null +++ b/config/ovpnenhance/openvpn_cli.xml_tls @@ -0,0 +1,240 @@ + + openvpnclient + OpenVPN: Client + openvpn.inc + An OpenVPN client has been deleted. + An OpenVPN client has been created/modified. + + + Server + /pkg.php?xml=openvpn.xml + + + Client + /pkg.php?xml=openvpn_cli.xml + + + + Client-specific configuration + /pkg.php?xml=openvpn_csc.xml + + + + + disable + Disabled + checkbox + + + serveraddr + Server + + + protocol + Protocol + + + description + Description + + + + + disable + Disable this tunnel + This allows you to disable this tunnel without removing it from the list. + + checkbox + + + protocol + Protocol + The protocol to be used for the VPN. + + select + + + + + UDP + + + serveraddr + Server address + This is the address OpenVPN will try to connect to in order to establish the tunnel. Set it to the remote endpoint's address. + + input + + + serverport + Server port + The port OpenVPN will use to connect to the server. Most people would want to use 1194 here. + + input + 1194 + 5 + + + interface_ip + Interface IP + This specifies the IPs to be assigned to the local interface. Expressed as a CIDR range. The first address in the range will be set to the remote endpoint of the interface, and the second will be assigned to the local endpoint. For TLS VPNs, the interface IPs are assigned by the server pool. + input + + + remote_network + Remote network + This is the network that will be accessable from your endpoint. Expressed as a CIDR range. You may leave this blank if all you want is to access the VPN clients. You normally want this set to the remote endpoint's LAN network. + input + + + proxy_hostname + Proxy Host + Proxy server hostname. + input + + + proxy_port + Proxy port + The port OpenVPN will use on the proxy server. + input + 3128 + 5 + + + crypto + Cryptography + Here you can choose the cryptography algorithm to be used. + + select + BF-CBC + + + auth_method + Authentication method + The authentication method to be used. + + select + + + + + onAuthMethodChanged() + + + shared_key + Shared key + Paste your shared key here. + textarea + base64 + 8 + 40 + + + ca_cert + CA certificate + Paste the server's CA certificate in X.509 format here. + textarea + base64 + 8 + 40 + + + client_cert + Client certificate + Paste your client certificate in X.509 format here. + textarea + base64 + 8 + 40 + + + client_key + Client key + Paste your client key in RSA format here. + textarea + base64 + 8 + 40 + + + tls + TLS + Paste your HMAC signature (TLS) here (optional). + textarea + base64 + 8 + 40 + + + use_lzo + LZO compression + Checking this will compress the packets using the LZO algorithm before sending them. + checkbox + + + use_shaper + Limit outgoing bandwidth + Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second). + input + + + use_dynamicport + Dynamic sourceport + Checking this will let the openvpn client choose a dynamic sourceport for this connection. + checkbox + + + passtos + Pass Type-Of-Service + Checking this will set the TOS field of the tunnel packet to what the payload's TOS is. + checkbox + + + infiniteresolvretry + Infinitely resolve server + Infinitely retry to resolve the host name of the OpenVPN server. Useful for not permanently internet-connected machines. + checkbox + + + custom_options + Custom options + You can put your own custom options here, separated by semi-colons (;). They'll be added to the client configuration. + textarea + 65 + 5 + + + description + Description + You may enter a description here. This is optional and is not parsed. + input + + + + openvpn_get_ciphers(&$pkg); + + + openvpn_print_javascript('client'); + + + openvpn_print_javascript2(); + + + openvpn_validate_input('client', $_POST, &$input_errors); + + + openvpn_resync('client', $id); + + diff --git a/config/ovpnenhance/openvpn_csc.xml_tls b/config/ovpnenhance/openvpn_csc.xml_tls new file mode 100644 index 00000000..1025ad09 --- /dev/null +++ b/config/ovpnenhance/openvpn_csc.xml_tls @@ -0,0 +1,169 @@ + + openvpncsc + OpenVPN: Client-specific configuration + openvpn.inc + An OpenVPN client-specific configuration has been deleted. + An OpenVPN client-specific configuration has been created/modified. + + + Server + /pkg.php?xml=openvpn.xml + + + Client + /pkg.php?xml=openvpn_cli.xml + + + Client-specific configuration + /pkg.php?xml=openvpn_csc.xml + + + + + + disable + Disabled + checkbox + + + commonname + Common name + + + description + Description + + + + + disable + Disabled + Set this option to disable this client-specific configuration without removing it from the list. + + checkbox + + + commonname + Common name + Enter the client's X.509 common name here. + + input + + + block + Blocked + Check this to block (disable) this client, based on its common name. Don't use this option to disable a client due to key or password compromise. Use a CRL (certificate revocation list) instead. + checkbox + + + push_reset + Push reset + Setting this option will make this client not inherit the global push options. + checkbox + + + ifconfig_push + Interface IP + Set this option to push an IP to the client's interface. Expressed as a CIDR range (e.g. 10.5.0.0/16). The first IP in the range will be used as the remote IP of the interface, and the second IP will be used as the local IP of the interface. + input + + + + dhcp_domainname + DHCP-Opt.: DNS-Domainname + Set connection-specific DNS Suffix. + input + + + dhcp_dns + DHCP-Opt.: DNS-Server + Set domain name server addresses, separated by semi-colons (;). + input + + + dhcp_wins + DHCP-Opt.: WINS-Server + Set WINS server addresses (NetBIOS over TCP/IP Name Server), separated by semi-colons (;). + input + + + dhcp_nbdd + DHCP-Opt.: NBDD-Server + Set NBDD server addresses (NetBIOS over TCP/IP Datagram Distribution Server), separated by semi-colons (;). + input + + + dhcp_ntp + DHCP-Opt.: NTP-Server + Set NTP server addresses (Network Time Protocol), separated by semi-colons (;). + input + + + dhcp_nbttype + DHCP-Opt.: NetBIOS node type + Set NetBIOS over TCP/IP Node type. Possible options: b-node (broadcasts), p-node (point-to-point name queries to a WINS server), m-node (broadcast then query name server), and h-node (query name server, then broadcast). + select + + + + + + + + 0 + + + dhcp_nbtscope + DHCP-Opt.: NetBIOS Scope + Set NetBIOS over TCP/IP Scope. A NetBIOS Scope ID provides an extended naming service for NetBIOS over TCP/IP. The NetBIOS scope ID isolates NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. + input + + + dhcp_nbtdisable + DHCP-Opt.: Disable NetBIOS + If this option is set, Netbios-over-TCP/IP will be disabled. + checkbox + + + gwredir + Redirect Gateway + Redirect ALL traffic through the OpenVPN server. + checkbox + + + custom_options + Custom options + You can put your own custom options here, separated by semi-colons (;). They'll be added to the client-specific configuration. + textarea + 65 + 5 + + + description + Description + You may enter a description here for your reference (not parsed). + input + + + + openvpn_validate_input_csc($_POST, &$input_errors); + + + openvpn_resync_csc($id); + + diff --git a/config/ovpnenhance/ovpnenhance.inc b/config/ovpnenhance/ovpnenhance.inc new file mode 100644 index 00000000..4c2a82db --- /dev/null +++ b/config/ovpnenhance/ovpnenhance.inc @@ -0,0 +1,13 @@ + \ No newline at end of file diff --git a/config/ovpnenhance/ovpnenhance.xml b/config/ovpnenhance/ovpnenhance.xml new file mode 100644 index 00000000..a45f4a58 --- /dev/null +++ b/config/ovpnenhance/ovpnenhance.xml @@ -0,0 +1,40 @@ + + + + + Enhance OpenVPN with TLS-auth and client/server-options + pfSense 1.2.x + Enhances OpenVPN with TLS-auth and client/server-options. + ovpnenhance + 0.1 + ovpnenhance + /usr/local/pkg/ovpnenhance.inc + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/ovpnenhance/ovpnenhance.inc + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/ovpnenhance/openvpn.inc_tls + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/ovpnenhance/openvpn.xml_tls + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/ovpnenhance/openvpn_cli.xml_tls + + + /usr/local/pkg/ + 077 + http://www.pfsense.com/packages/config/ovpnenhance/openvpn_csc.xml_tls + + + ovpnenhance_install(); + + -- cgit v1.2.3