$server) { if (isset($server['disable'])) continue; $ras_user = array(); $ras_certs = array(); if (stripos($server['mode'], "server") === false) continue; if (($server['mode'] == "server_tls_user") && ($server['authmode'] == "Local Database")) { foreach($a_user as $uindex => $user) { if (!is_array($user['cert'])) continue; foreach($user['cert'] as $cindex => $cert) { // If $cert is not an array, it's a certref not a cert. if (!is_array($cert)) $cert = lookup_cert($cert); if ($cert['caref'] != $server['caref']) continue; $ras_userent = array(); $ras_userent['uindex'] = $uindex; $ras_userent['cindex'] = $cindex; $ras_userent['name'] = $user['name']; $ras_userent['certname'] = $cert['descr']; $ras_user[] = $ras_userent; } } } elseif (($server['mode'] == "server_tls") || (($server['mode'] == "server_tls_user") && ($server['authmode'] != "Local Database"))) { foreach($a_cert as $cindex => $cert) { if (($cert['caref'] != $server['caref']) || ($cert['refid'] == $server['certref'])) continue; $ras_cert_entry['cindex'] = $cindex; $ras_cert_entry['certname'] = $cert['descr']; $ras_cert_entry['certref'] = $cert['refid']; $ras_certs[] = $ras_cert_entry; } } $ras_serverent = array(); $prot = $server['protocol']; $port = $server['local_port']; if ($server['description']) $name = "{$server['description']} {$prot}:{$port}"; else $name = "Server {$prot}:{$port}"; $ras_serverent['index'] = $sindex; $ras_serverent['name'] = $name; $ras_serverent['users'] = $ras_user; $ras_serverent['certs'] = $ras_certs; $ras_serverent['mode'] = $server['mode']; $ras_server[] = $ras_serverent; } $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; $act = $_GET['act']; if (isset($_POST['act'])) $act = $_POST['act']; if (!empty($act)) { $srvid = $_GET['srvid']; $usrid = $_GET['usrid']; $crtid = $_GET['crtid']; if ($srvid === false) { pfSenseHeader("vpn_openvpn_export.php"); exit; } else if (($config['openvpn']['openvpn-server'][$srvid]['mode'] != "server_user") && (($usrid === false) || ($crtid === false))) { pfSenseHeader("vpn_openvpn_export.php"); exit; } if ($config['openvpn']['openvpn-server'][$srvid]['mode'] == "server_user") $nokeys = true; else $nokeys = false; $useaddr = ''; if (isset($_GET['useaddr']) && !empty($_GET['useaddr'])) $useaddr = trim($_GET['useaddr']); if (!(is_ipaddr($useaddr) || is_hostname($useaddr) || in_array($useaddr, array("serveraddr", "servermagic", "servermagichost", "serverhostname")))) $input_errors[] = "You need to specify an IP or hostname."; $advancedoptions = $_GET['advancedoptions']; $openvpnmanager = $_GET['openvpnmanager']; $verifyservercn = $_GET['verifyservercn']; $randomlocalport = $_GET['randomlocalport']; $usetoken = $_GET['usetoken']; if ($usetoken && (substr($act, 0, 10) == "confinline")) $input_errors[] = "You cannot use Microsoft Certificate Storage with an Inline configuration."; if ($usetoken && (($act == "conf_yealink_t28") || ($act == "conf_yealink_t38g") || ($act == "conf_yealink_t38g2") || ($act == "conf_snom"))) $input_errors[] = "You cannot use Microsoft Certificate Storage with a Yealink or SNOM configuration."; $password = ""; if ($_GET['password']) $password = $_GET['password']; $proxy = ""; if (!empty($_GET['proxy_addr']) || !empty($_GET['proxy_port'])) { $proxy = array(); if (empty($_GET['proxy_addr'])) { $input_errors[] = "You need to specify an address for the proxy port."; } else $proxy['ip'] = $_GET['proxy_addr']; if (empty($_GET['proxy_port'])) { $input_errors[] = "You need to specify a port for the proxy ip."; } else $proxy['port'] = $_GET['proxy_port']; $proxy['proxy_type'] = $_GET['proxy_type']; $proxy['proxy_authtype'] = $_GET['proxy_authtype']; if ($_GET['proxy_authtype'] != "none") { if (empty($_GET['proxy_user'])) { $input_errors[] = "You need to specify a username with the proxy config."; } else $proxy['user'] = $_GET['proxy_user']; if (!empty($_GET['proxy_user']) && empty($_GET['proxy_password'])) { $input_errors[] = "You need to specify a password with the proxy user."; } else $proxy['password'] = $_GET['proxy_password']; } } $exp_name = openvpn_client_export_prefix($srvid, $usrid, $crtid); if(substr($act, 0, 4) == "conf") { switch ($act) { case "confzip": $exp_name = urlencode($exp_name."-config.zip"); $expformat = "zip"; break; case "conf_yealink_t28": $exp_name = urlencode("client.tar"); $expformat = "yealink_t28"; break; case "conf_yealink_t38g": $exp_name = urlencode("client.tar"); $expformat = "yealink_t38g"; break; case "conf_yealink_t38g2": $exp_name = urlencode("client.tar"); $expformat = "yealink_t38g2"; break; case "conf_snom": $exp_name = urlencode("vpnclient.tar"); $expformat = "snom"; break; case "confinline": $exp_name = urlencode($exp_name."-config.ovpn"); $expformat = "inline"; break; case "confinlinedroid": $exp_name = urlencode($exp_name."-android-config.ovpn"); $expformat = "inlinedroid"; break; case "confinlineios": $exp_name = urlencode($exp_name."-ios-config.ovpn"); $expformat = "inlineios"; break; default: $exp_name = urlencode($exp_name."-config.ovpn"); $expformat = "baseconf"; } $exp_path = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $nokeys, $proxy, $expformat, $password, false, false, $openvpnmanager, $advancedoptions); } if($act == "visc") { $exp_name = urlencode($exp_name."-Viscosity.visc.zip"); $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions); } if(substr($act, 0, 4) == "inst") { $exp_name = urlencode($exp_name."-install.exe"); $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $randomlocalport, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions, substr($act, 5)); } if (!$exp_path) { $input_errors[] = "Failed to export config files!"; } if (empty($input_errors)) { if (($act == "conf") || (substr($act, 0, 10) == "confinline")) { $exp_size = strlen($exp_path); } else { $exp_size = filesize($exp_path); } header('Pragma: '); header('Cache-Control: '); header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: $exp_size"); if (($act == "conf") || (substr($act, 0, 10) == "confinline")) { echo $exp_path; } else { readfile($exp_path); @unlink($exp_path); } exit; } } include("head.inc"); ?>
Remote Access Server
Host Name Resolution

Verify Server CN

Optionally verify the server certificate Common Name (CN) when the client connects. Current clients, including the most recent versions of Windows, Viscosity, Tunnelblick, OpenVPN on iOS and Android and so on should all work at the default automatic setting.

Only use tls-remote if you must use an older client that you cannot control. The option has been deprecated by OpenVPN and will be removed in the next major version.

With tls-remote the server CN may optionally be enclosed in quotes. This can help if the server CN contains spaces and certain clients cannot parse the server CN. Some clients have problems parsing the CN with quotes. Use only as needed.
Use Random Local Port
Use a random local source port (lport) for traffic from the client. Without this set, two clients may not run concurrently.

NOTE: Not supported on older clients. Automatically disabled for Yealink and Snom configurations.
Certificate Export Options
Use Microsoft Certificate Storage instead of local files.
Use a password to protect the pkcs12 file contents or key in Viscosity bundle.
Use Proxy
Use proxy to communicate with the server.
Management Interface
OpenVPNManager
This will change the generated .ovpn configuration to allow for usage of the management interface. And include the OpenVPNManager program in the "Windows Installers". With this OpenVPN can be used also by non-administrator users. This is also useful for Windows Vista/7/8 systems where elevated permissions are needed to add routes to the system.

NOTE: This is not currently compatible with the 64-bit OpenVPN installer. It will work with the 32-bit installer on a 64-bit system.
 
Additional configuration options

;
Client Install Packages

  -
-
-
: or -
-
-