From dafa29e37fad8307c77d17808dae28d3eefa9da9 Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Fri, 11 Nov 2011 10:56:01 -0500
Subject: Add a package to fix OpenVPN tap bridging on 2.0/2.0.1 (needs
 testing)

---
 config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc   |  18 ++
 config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch | 289 +++++++++++++++++++++
 config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml   |  65 +++++
 3 files changed, 372 insertions(+)
 create mode 100644 config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc
 create mode 100644 config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
 create mode 100644 config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml

(limited to 'config')

diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc
new file mode 100644
index 00000000..197a5e25
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc
@@ -0,0 +1,18 @@
+<?php
+
+function openvpn_tapfix_20x_install() {
+	global $g, $config;
+	
+	// Test to make sure the patch is not already applied. 
+	$out = `patch -fslC --reverse -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch |& grep -ci reject`;
+	if ($out == 0) {
+		// If the patch has not already been applied, test to see if it will apply cleanly.
+		$out = `patch -fsNlC -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch |& grep -ci reject`;
+		if ($out == 0) {
+			// The patch should apply cleanly, let 'er rip.
+			mwexec("patch -fsNl -p1 -b .before_openvpn_tapfix_20x -d / -i /usr/local/pkg/openvpn_tapfix_20x.patch ");
+		}
+	}
+}
+
+?>
\ No newline at end of file
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
new file mode 100644
index 00000000..d23d9290
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch
@@ -0,0 +1,289 @@
+diff --git /etc/inc/openvpn.inc.orig /etc/inc/openvpn.inc
+index 777b395..701a032 100644
+--- a/etc/inc/openvpn.inc
++++ b/etc/inc/openvpn.inc
+@@ -394,21 +394,39 @@ function openvpn_reconfigure($mode, $settings) {
+ 				// If the CIDR is less than a /30, OpenVPN will complain if you try to
+ 				//  use the server directive. It works for a single client without it.
+ 				//  See ticket #1417
+-				if ($cidr < 30) {
++				if (!empty($ip) && !empty($mask) && ($cidr < 30)) {
+ 					$conf .= "server {$ip} {$mask}\n";
+ 					$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
+ 				}
+ 			case 'p2p_shared_key':
+-				$baselong = ip2long32($ip) & ip2long($mask);
+-				$ip1 = long2ip32($baselong + 1);
+-				$ip2 = long2ip32($baselong + 2);
+-				$conf .= "ifconfig $ip1 $ip2\n";
++				if (!empty($ip) && !empty($mask)) {
++					$baselong = ip2long32($ip) & ip2long($mask);
++					$ip1 = long2ip32($baselong + 1);
++					$ip2 = long2ip32($baselong + 2);
++					$conf .= "ifconfig $ip1 $ip2\n";
++				}
+ 				break;
+ 			case 'server_tls':
+ 			case 'server_user':
+ 			case 'server_tls_user':
+-				$conf .= "server {$ip} {$mask}\n";
+-				$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
++				if (!empty($ip) && !empty($mask)) {
++					$conf .= "server {$ip} {$mask}\n";
++					$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
++				} else {
++					if ($settings['serverbridge_dhcp']) {
++						if ((!empty($settings['serverbridge_interface'])) && (strcmp($settings['serverbridge_interface'], "none"))) {
++							$biface_ip=get_interface_ip($settings['serverbridge_interface']);
++							$biface_sm=gen_subnet_mask(get_interface_subnet($settings['serverbridge_interface']));
++							if (is_ipaddr($biface_ip) && is_ipaddr($settings['serverbridge_dhcp_start']) && is_ipaddr($settings['serverbridge_dhcp_end'])) {
++								$conf .= "server-bridge {$biface_ip} {$biface_sm} {$settings['serverbridge_dhcp_start']} {$settings['serverbridge_dhcp_end']}\n";
++							} else {
++								$conf .= "mode server\n";
++							}
++						} else {
++							$conf .= "mode server\n";
++						}
++					}
++				}
+ 				break;
+ 		}
+ 
+@@ -1021,4 +1039,4 @@ function openvpn_refresh_crls() {
+ 	}
+ }
+ 
+-?>
+\ No newline at end of file
++?>
+diff --git /usr/local/www/vpn_openvpn_server.php.orig /usr/local/www/vpn_openvpn_server.php
+index 0ef67a7..bd9f527 100644
+--- a/usr/local/www/vpn_openvpn_server.php
++++ b/usr/local/www/vpn_openvpn_server.php
+@@ -147,6 +147,11 @@ if($_GET['act']=="edit"){
+ 		$pconfig['dynamic_ip'] = $a_server[$id]['dynamic_ip'];
+ 		$pconfig['pool_enable'] = $a_server[$id]['pool_enable'];
+ 
++		$pconfig['serverbridge_dhcp'] = $a_server[$id]['serverbridge_dhcp'];
++		$pconfig['serverbridge_interface'] = $a_server[$id]['serverbridge_interface'];
++		$pconfig['serverbridge_dhcp_start'] = $a_server[$id]['serverbridge_dhcp_start'];
++		$pconfig['serverbridge_dhcp_end'] = $a_server[$id]['serverbridge_dhcp_end'];
++
+ 		$pconfig['dns_domain'] = $a_server[$id]['dns_domain'];
+ 		if ($pconfig['dns_domain'])
+ 			$pconfig['dns_domain_enable'] = true;
+@@ -188,7 +193,6 @@ if($_GET['act']=="edit"){
+ 		$pconfig['duplicate_cn'] = isset($a_server[$id]['duplicate_cn']);
+ 	}
+ }
+-
+ if ($_POST) {
+ 
+ 	unset($input_errors);
+@@ -284,9 +288,22 @@ if ($_POST) {
+ 		$reqdfieldsn = array(gettext('Shared key'));
+ 	}
+ 
+-	$reqdfields[] = 'tunnel_network';
+-	$reqdfieldsn[] = gettext('Tunnel network');
+-
++	if ($pconfig['dev_mode'] != "tap") {
++		$reqdfields[] = 'tunnel_network';
++		$reqdfieldsn[] = gettext('Tunnel network');
++	} else {
++		if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network'])
++			$input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
++		if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end']) 
++		|| (!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end']))
++			$input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
++		if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start'])))
++			$input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
++		if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end'])))
++			$input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
++		if (ip2ulong($pconfig['serverbridge_dhcp_start']) > ip2ulong($pconfig['serverbridge_dhcp_end']))
++			$input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
++	}
+ 	do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ 	
+ 	if (!$input_errors) {
+@@ -341,6 +358,11 @@ if ($_POST) {
+ 		$server['dynamic_ip'] = $pconfig['dynamic_ip'];
+ 		$server['pool_enable'] = $pconfig['pool_enable'];
+ 
++		$server['serverbridge_dhcp'] = $pconfig['serverbridge_dhcp'];
++		$server['serverbridge_interface'] = $pconfig['serverbridge_interface'];
++		$server['serverbridge_dhcp_start'] = $pconfig['serverbridge_dhcp_start'];
++		$server['serverbridge_dhcp_end'] = $pconfig['serverbridge_dhcp_end'];
++
+ 		if ($pconfig['dns_domain_enable'])
+ 			$server['dns_domain'] = $pconfig['dns_domain'];
+ 
+@@ -559,6 +581,56 @@ function netbios_change() {
+ 	}
+ }
+ 
++function tuntap_change() {
++
++	mindex = document.iform.mode.selectedIndex;
++	mvalue = document.iform.mode.options[mindex].value;
++
++	switch(mvalue) {
++		case "p2p_tls":
++		case "p2p_shared_key":
++			p2p = true;
++			break;
++		default:
++			p2p = false;
++			break;
++	}
++
++	index = document.iform.dev_mode.selectedIndex;
++	value = document.iform.dev_mode.options[index].value;
++	switch(value) {
++		case "tun":
++			document.getElementById("ipv4_tunnel_network").className="vncellreq";
++			document.getElementById("serverbridge_dhcp").style.display="none";
++			document.getElementById("serverbridge_interface").style.display="none";
++			document.getElementById("serverbridge_dhcp_start").style.display="none";
++			document.getElementById("serverbridge_dhcp_end").style.display="none";
++			break;
++		case "tap":
++			document.getElementById("ipv4_tunnel_network").className="vncell";
++			if (!p2p) {
++				document.getElementById("serverbridge_dhcp").style.display="";
++				document.getElementById("serverbridge_interface").style.display="";
++				document.getElementById("serverbridge_dhcp_start").style.display="";
++				document.getElementById("serverbridge_dhcp_end").style.display="";
++				if (document.iform.serverbridge_dhcp.checked) {
++					document.iform.serverbridge_interface.disabled = false;
++					document.iform.serverbridge_dhcp_start.disabled = false;
++					document.iform.serverbridge_dhcp_end.disabled = false;
++				} else {
++					document.iform.serverbridge_interface.disabled = true;
++					document.iform.serverbridge_dhcp_start.disabled = true;
++					document.iform.serverbridge_dhcp_end.disabled = true;
++				}
++			} else {
++				document.iform.serverbridge_dhcp.disabled = true;
++				document.iform.serverbridge_interface.disabled = true;
++				document.iform.serverbridge_dhcp_start.disabled = true;
++				document.iform.serverbridge_dhcp_end.disabled = true;
++			}
++			break;
++	}
++}
+ //-->
+ </script>
+ <?php
+@@ -619,7 +691,7 @@ if ($savemsg)
+ 					<tr>
+ 						<td width="22%" valign="top" class="vncellreq"><?=gettext("Server Mode");?></td>
+ 							<td width="78%" class="vtable">
+-							<select name='mode' id='mode' class="formselect" onchange='mode_change()'>
++							<select name='mode' id='mode' class="formselect" onchange='mode_change(); tuntap_change()'>
+ 							<?php
+ 								foreach ($openvpn_server_modes as $name => $desc):
+ 									$selected = "";
+@@ -666,7 +738,7 @@ if ($savemsg)
+ 					<tr>
+ 						<td width="22%" valign="top" class="vncellreq"><?=gettext("Device Mode"); ?></td>
+ 						<td width="78%" class="vtable">
+-							<select name="dev_mode" class="formselect">
++							<select name="dev_mode" class="formselect" onchange='tuntap_change()'>
+                                                         <?php
+                                                                 foreach ($openvpn_dev_mode as $device):
+                                                                        $selected = "";
+@@ -976,7 +1048,7 @@ if ($savemsg)
+ 						<td colspan="2" valign="top" class="listtopic"><?=gettext("Tunnel Settings"); ?></td>
+ 					</tr>
+ 					<tr>
+-						<td width="22%" valign="top" class="vncellreq"><?=gettext("Tunnel Network"); ?></td>
++						<td width="22%" valign="top" class="vncellreq" id="ipv4_tunnel_network"><?=gettext("IPv4 Tunnel Network"); ?></td>
+ 						<td width="78%" class="vtable">
+ 							<input name="tunnel_network" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['tunnel_network']);?>">
+ 							<br>
+@@ -989,6 +1061,76 @@ if ($savemsg)
+ 							"to connecting clients. (see Address Pool)"); ?>
+ 						</td>
+ 					</tr>
++					<tr id="serverbridge_dhcp">
++						<td width="22%" valign="top" class="vncell"><?=gettext("Bridge DHCP"); ?></td>
++						<td width="78%" class="vtable">
++							<table border="0" cellpadding="2" cellspacing="0">
++								<tr>
++									<td>
++										<?php set_checked($pconfig['serverbridge_dhcp'],$chk); ?>
++										<input name="serverbridge_dhcp" type="checkbox" value="yes" <?=$chk;?> onchange='tuntap_change()' />
++									</td>
++									<td>
++										<span class="vexpl">
++											<?=gettext("Allow clients on the bridge to obtain DHCP."); ?><br>
++										</span>
++									</td>
++								</tr>
++							</table>
++						</td>
++					</tr>
++					<tr id="serverbridge_interface">
++						<td width="22%" valign="top" class="vncell"><?=gettext("Bridge Interface"); ?></td>
++						<td width="78%" class="vtable">
++							<select name="serverbridge_interface" class="formselect">
++								<?php
++									$serverbridge_interface['none'] = "none";
++									$serverbridge_interface = array_merge($serverbridge_interface, get_configured_interface_with_descr());
++									$carplist = get_configured_carp_interface_list();
++									foreach ($carplist as $cif => $carpip)
++										$serverbridge_interface[$cif.'|'.$carpip] = $carpip." (".get_vip_descr($carpip).")";
++									$aliaslist = get_configured_ip_aliases_list();
++									foreach ($aliaslist as $aliasip => $aliasif)
++										$serverbridge_interface[$aliasif.'|'.$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";
++									foreach ($serverbridge_interface as $iface => $ifacename):
++										$selected = "";
++										if ($iface == $pconfig['serverbridge_interface'])
++											$selected = "selected";
++								?>
++									<option value="<?=$iface;?>" <?=$selected;?>>
++										<?=htmlspecialchars($ifacename);?>
++									</option>
++								<?php endforeach; ?>
++							</select> <br>
++							<?=gettext("The interface to which this tap instance will be, " .
++							"bridged. This is not done automatically. You must assign this " .
++							"interface and create the bridge separately. " .
++							"This setting controls which existing IP address and subnet " .
++							"mask are used by OpenVPN for the bridge. Setting this to " .
++							"'none' will cause the Server Bridge DHCP settings below to be ignored."); ?>
++						</td>
++					</tr>
++					<tr id="serverbridge_dhcp_start">
++						<td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP Start"); ?></td>
++						<td width="78%" class="vtable">
++							<input name="serverbridge_dhcp_start" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_start']);?>">
++							<br>
++							<?=gettext("When using tap mode as multi-point server, " .
++							"you may optionally supply a DHCP range to use on the " .
++							"interface to which this tap instance is bridged. " .
++							"If these settings are left blank, DHCP will be passed " .
++							"through to the LAN, and the interface setting above " .
++							"will be ignored."); ?>
++						</td>
++					</tr>
++					<tr id="serverbridge_dhcp_end">
++						<td width="22%" valign="top" class="vncell"><?=gettext("Server Bridge DHCP Start"); ?></td>
++						<td width="78%" class="vtable">
++							<input name="serverbridge_dhcp_end" type="text" class="formfld unknown" size="20" value="<?=htmlspecialchars($pconfig['serverbridge_dhcp_end']);?>">
++							<br>
++							<?=gettext(""); ?>
++						</td>
++					</tr>
+ 					<tr id="gwredir_opts">
+ 						<td width="22%" valign="top" class="vncell"><?=gettext("Redirect Gateway"); ?></td>
+ 						<td width="78%" class="vtable">
+@@ -1486,6 +1628,7 @@ dns_server_change();
+ wins_server_change();
+ ntp_server_change();
+ netbios_change();
++tuntap_change();
+ //-->
+ </script>
+ </body>
diff --git a/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml
new file mode 100644
index 00000000..17a59947
--- /dev/null
+++ b/config/openvpn_tapfix_20x/openvpn_tapfix_20x.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+        <copyright>
+        <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+    openvpn_tapfix_20x.xml
+    part of pfSense (http://www.pfSense.com)
+    Copyright (C) 2011 to whom it may belong
+    All rights reserved.
+
+    Based on m0n0wall (http://m0n0.ch/wall)
+    Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+    All rights reserved.
+                                                                              */
+/* ========================================================================== */
+/*
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+     1. Redistributions of source code must retain the above copyright notice,
+        this list of conditions and the following disclaimer.
+
+     2. Redistributions in binary form must reproduce the above copyright
+        notice, this list of conditions and the following disclaimer in the
+        documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+                                                                              */
+/* ========================================================================== */
+        ]]>
+        </copyright>
+    <description>OpenVPN tap Bridging Fix</description>
+    <requirements>pfSense 2.0.x</requirements>
+    <faq>None</faq>
+	<name>OpenVPN tap Bridging Fix</name>
+	<version>0.1</version>
+	<title>OpenVPN tap Bridging Fix</title>
+	<include_file>/usr/local/pkg/openvpn_tapfix_20x.inc</include_file>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>077</chmod>
+		<item>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.inc</item>
+	</additional_files_needed>
+	<additional_files_needed>
+		<prefix>/usr/local/pkg/</prefix>
+		<chmod>077</chmod>
+		<item>http://www.pfsense.com/packages/config/openvpn_tapfix_20x/openvpn_tapfix_20x.patch</item>
+	</additional_files_needed>
+	<custom_php_install_command>
+		openvpn_tapfix_20x_install();
+	</custom_php_install_command>
+</packagegui>
-- 
cgit v1.2.3