Project

General

Profile

Feature #12522 » vpn_openvpn_csc-v1.3.1-fixed.patch

Phil Wardt, 04/09/2022 06:53 AM

View differences:

src/usr/local/www/vpn_openvpn_csc.php
34 34
require_once("pfsense-utils.inc");
35 35
require_once("pkg-utils.inc");
36 36

  
37
global $openvpn_tls_server_modes;
37
global $openvpn_topologies, $openvpn_tls_server_modes;
38 38

  
39 39
init_config_arr(array('openvpn', 'openvpn-csc'));
40 40
$a_csc = &$config['openvpn']['openvpn-csc'];
......
86 86

  
87 87
		$pconfig['tunnel_network'] = $a_csc[$id]['tunnel_network'];
88 88
		$pconfig['tunnel_networkv6'] = $a_csc[$id]['tunnel_networkv6'];
89

  
90
		$pconfig['push_reset'] = $a_csc[$id]['push_reset'];
91
		$pconfig['topology_override'] = $a_csc[$id]['topology_override'];
92
		$pconfig['topology'] = $a_csc[$id]['topology'];
93
		$pconfig['remove_route'] = $a_csc[$id]['remove_route'];
94
		$pconfig['remove_iroute'] = $a_csc[$id]['remove_iroute'];
95
		$pconfig['remove_dnsdomain'] = $a_csc[$id]['remove_dnsdomain'];
96
		$pconfig['remove_dnsservers'] = $a_csc[$id]['remove_dnsservers'];
97
		$pconfig['remove_ntpservers'] = $a_csc[$id]['remove_ntpservers'];
98
		$pconfig['remove_netbios_ntype'] = $a_csc[$id]['remove_netbios_ntype'];
99
		$pconfig['remove_netbios_scope'] = $a_csc[$id]['remove_netbios_scope'];
100
		$pconfig['remove_wins'] = $a_csc[$id]['remove_wins'];
101

  
102
		if ($pconfig['push_reset'] ||
103
				$pconfig['topology_override'] ||
104
				$pconfig['remove_route'] ||
105
				$pconfig['remove_iroute'] ||
106
				$pconfig['remove_dnsdomain'] ||
107
				$pconfig['remove_dnsservers'] ||
108
				$pconfig['remove_ntpservers'] ||
109
				$pconfig['remove_netbios_ntype'] ||
110
				$pconfig['remove_netbios_scope'] ||
111
				$pconfig['remove_wins']) {
112
			$pconfig['server_overrides_enabled'] = true;
113
		}
114

  
115
		$pconfig['gwredir'] = $a_csc[$id]['gwredir'];
116
		$pconfig['gwredir6'] = $a_csc[$id]['gwredir6'];
89 117
		$pconfig['local_network'] = $a_csc[$id]['local_network'];
90 118
		$pconfig['local_networkv6'] = $a_csc[$id]['local_networkv6'];
119
		$pconfig['gateway'] = $a_csc[$id]['gateway'];
120
		$pconfig['gateway6'] = $a_csc[$id]['gateway6'];
121

  
91 122
		$pconfig['remote_network'] = $a_csc[$id]['remote_network'];
92 123
		$pconfig['remote_networkv6'] = $a_csc[$id]['remote_networkv6'];
93
		$pconfig['gwredir'] = $a_csc[$id]['gwredir'];
94 124

  
95
		$pconfig['push_reset'] = $a_csc[$id]['push_reset'];
96
		$pconfig['remove_route'] = $a_csc[$id]['remove_route'];
97

  
98 125
		$pconfig['dns_domain'] = $a_csc[$id]['dns_domain'];
99 126
		if ($pconfig['dns_domain']) {
100 127
			$pconfig['dns_domain_enable'] = true;
......
179 206
		$input_errors[] = gettext("The field 'IPv6 Tunnel Network' must contain a valid IPv6 prefix or an alias with a single IPv6 prefix.");
180 207
	}
181 208

  
182
	if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4", true)) {
209
	if ($pconfig['server_overrides_enabled'] && $pconfig['topology_override'] && !array_key_exists($pconfig['topology'], $openvpn_topologies)) {
210
		$input_errors[] = gettext("The field 'Topology' contains an invalid selection");
211
	}
212

  
213
	if (!$pconfig['gwredir'] && ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4", true))) {
183 214
		$input_errors[] = $result;
184 215
	}
185 216

  
186
	if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6", true)) {
217
	if (!$pconfig['gwredir6'] && ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6", true))) {
187 218
		$input_errors[] = $result;
188 219
	}
189 220

  
221
	if ($pconfig['gateway'] !== "" && !is_ipaddrv4($pconfig['gateway'])) {
222
		$input_errors[] = gettext("A valid IPv4 address must be specified for the gateway.");
223
	}
224

  
225
	if ($pconfig['gateway6'] !== "" && !is_ipaddrv6($pconfig['gateway6'])) {
226
		$input_errors[] = gettext("A valid IPv6 address must be specified for the gateway.");
227
	}
228

  
190 229
	if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4", true)) {
191 230
		$input_errors[] = $result;
192 231
	}
......
266 305
		$csc['common_name'] = $pconfig['common_name'];
267 306
		$csc['block'] = $pconfig['block'];
268 307
		$csc['description'] = $pconfig['description'];
269
		$csc['tunnel_network'] = $pconfig['tunnel_network'];
270
		$csc['tunnel_networkv6'] = $pconfig['tunnel_networkv6'];
308

  
309
		if ($pconfig['server_overrides_enabled']) {
310
			$csc['push_reset'] = $pconfig['push_reset'];
311
			if (!$pconfig['push_reset']) {
312
				$csc['remove_route'] = $pconfig['remove_route'];
313
				$csc['remove_iroute'] = $pconfig['remove_iroute'];
314
				$csc['remove_dnsdomain'] = $pconfig['remove_dnsdomain'];
315
				$csc['remove_dnsservers'] = $pconfig['remove_dnsservers'];
316
				$csc['remove_ntpservers'] = $pconfig['remove_ntpservers'];
317
				$csc['remove_netbios_ntype'] = $pconfig['remove_netbios_ntype'];
318
				$csc['remove_netbios_scope'] = $pconfig['remove_netbios_scope'];
319
				$csc['remove_wins'] = $pconfig['remove_wins'];
320
			}
321

  
322
			$csc['topology_override'] = $pconfig['topology_override'];
323
			if ($pconfig['topology_override']) {
324
				$csc['topology'] = $pconfig['topology'];
325
			}
326
		}
327

  
328
		$csc['gwredir'] = $pconfig['gwredir'];
329
		if (!$pconfig['gwredir']) {
271 330
			$csc['local_network'] = $pconfig['local_network'];
331
		}
332

  
333
		$csc['gwredir6'] = $pconfig['gwredir6'];
334
		if (!$pconfig['gwredir6']) {
272 335
			$csc['local_networkv6'] = $pconfig['local_networkv6'];
336
		}
337

  
338
		$csc['gateway'] = $pconfig['gateway'];
339
		$csc['gateway6'] = $pconfig['gateway6'];
340

  
273 341
		$csc['remote_network'] = $pconfig['remote_network'];
274 342
		$csc['remote_networkv6'] = $pconfig['remote_networkv6'];
275
		$csc['gwredir'] = $pconfig['gwredir'];
276
		$csc['push_reset'] = $pconfig['push_reset'];
277
		$csc['remove_route'] = $pconfig['remove_route'];
278 343

  
279 344
		if ($pconfig['dns_domain_enable']) {
280 345
			$csc['dns_domain'] = $pconfig['dns_domain'];
......
399 464
		true
400 465
		))->setHelp('Select the servers that will utilize this override. When no servers are selected, the override will apply to all servers.');
401 466

  
467
	// Override server client options
468
	$section->addInput(new Form_Checkbox(
469
		'server_overrides_enabled',
470
		'Select Server Overrides',
471
		'Select server options to remove.',
472
		$pconfig['server_overrides_enabled']
473
	))->setHelp('If unchecked, any client options specified in below form or Advanced section will be added to server options.%1$s' .
474
			'If checked, you can select the server options you want to remove. Any specified client option in below form or Advanced section will thus override the corresponding server-defined options.',
475
			'<br />');
476

  
477
	$section->addInput(new Form_Checkbox(
478
		'push_reset',
479
		null,
480
		'Remove All Server Options',
481
		$pconfig['push_reset']
482
	))->setHelp('Prevent this client from receiving any server-defined client settings.%1$s' .
483
			'This option will send a push-reset to the client. It will thus remove any server-defined routes, the gateway and topology.%1$s' .
484
			'For the client to properly connect, you will need to enter at least the gateway and topology in the below form or in Advanced section.',
485
			'<br />');
486

  
487
	$section->addInput(new Form_Checkbox(
488
		'topology_override',
489
		null,
490
		'Override Server Topology',
491
		$pconfig['topology_override']
492
	));
493

  
494
	$section->addInput(new Form_Select(
495
		'topology',
496
		null,
497
		$pconfig['topology'],
498
		$openvpn_topologies
499
	))->setHelp('This will push the selected topology to the client. It should only be set when option "Remove All Server Options" is checked. It must match the actual topology specified in server.%1$s' .
500
			'NOTE: This will perform a "push topology [selection]" without a previous "push-remove topology". Alternetively you can push the topology in Advanced section.',
501
			'<br />');
502

  
503
	/* as "push-reset" can break subnet topology, 
504
	 * "push-remove route" removes only IPv4/IPv6 routes, see #9702 */
505
	$section->addInput(new Form_Checkbox(
506
		'remove_route',
507
		null,
508
		'Remove Server Local Routes',
509
		$pconfig['remove_route']
510
	))->setHelp('Prevent this client from receiving any server-defined local routes.%1$s' .
511
			'This option will send a "push-remove route" to the client, removing any server-defined ipv4 or ipv6 local routes, including the gateway.%1$s' .
512
			'NOTE: Remember to either enter the proper gateway and any additional local routes in the below form or in Advanced section.',
513
			'<br />');
514

  
515
	$section->addInput(new Form_Checkbox(
516
		'remove_iroute',
517
		null,
518
		'Remove Server Remote Routes',
519
		$pconfig['remove_iroute']
520
	))->setHelp('Prevent this client from receiving any server-defined remote routes.%1$s' .
521
			'This option will send a "push-remove iroute" to the client, removing any server-defined ipv4 or ipv6 remote routes%1$s' .
522
			'NOTE: You can set new client specific remote routes in below form or in Advanced section.',
523
			'<br />');
524

  
525
	$section->addInput(new Form_Checkbox(
526
		'remove_dnsdomain',
527
		null,
528
		'Remove Server DNS Domains',
529
		$pconfig['remove_dnsdomain']
530
	))->setHelp('Prevent this client from receiving any server-defined remote DNS domains.%1$s' .
531
			'This option will send a "push-remove dhcp-option DOMAIN" to the client, removing any server-defined DNS domains.%1$s' .
532
			'NOTE: You can set new client specific DNS domain in below form or in Advanced section.',
533
			'<br />');
534

  
535
	$section->addInput(new Form_Checkbox(
536
		'remove_dnsservers',
537
		null,
538
		'Remove Server DNS Servers',
539
		$pconfig['remove_dnsservers']
540
	))->setHelp('Prevent this client from receiving any server-defined DNS Servers.%1$s' .
541
			'This option will send a "push-remove dhcp-option DNS" to the client, removing any server-defined ipv4 or ipv6 DNS servers.%1$s' .
542
			'NOTE: You can set new client specific DNS servers in below form or in Advanced section.',
543
			'<br />');
544

  
545
	$section->addInput(new Form_Checkbox(
546
		'remove_ntpservers',
547
		null,
548
		'Remove Server NTP Options.',
549
		$pconfig['remove_ntpservers']
550
	))->setHelp('Prevent this client from receiving any server-defined NTP Servers.%1$s' .
551
			'This option will send a "push-remove dhcp-option NTP" to the client, removing any server-defined NTP servers.%1$s' .
552
			'NOTE: You can set new client specific NTP servers in below form or in Advanced section.',
553
			'<br />');
554

  
555
	$section->addInput(new Form_Checkbox(
556
		'remove_netbios_ntype',
557
		null,
558
		'Remove Server Netbios Type',
559
		$pconfig['remove_netbios_ntype']
560
	))->setHelp('Prevent this client from receiving any server-defined Netbios Node Type.%1$s' .
561
			'This option will send a "push-remove dhcp-option NBT" to the client, removing any server-defined Netbios Node Type.%1$s' .
562
			'NOTE: You can set new client specific Netbios options in below form or in Advanced section.',
563
			'<br />');
564

  
565
	$section->addInput(new Form_Checkbox(
566
		'remove_netbios_scope',
567
		null,
568
		'Remove Server Netbios Scope',
569
		$pconfig['remove_netbios_scope']
570
	))->setHelp('Prevent this client from receiving any server-defined Netbios Scope.%1$s' .
571
			'This option will send a "push-remove dhcp-option NBS" to the client, removing any server-defined Netbios Scope.%1$s' .
572
			'NOTE: You can set new client specific Netbios Scope in below form or in Advanced section.',
573
			'<br />');
574

  
575
	$section->addInput(new Form_Checkbox(
576
		'remove_wins',
577
		null,
578
		'Remove Server WINS Options',
579
		$pconfig['remove_wins']
580
	))->setHelp('Prevent this client from receiving any server-defined WINS servers.%1$s' .
581
			'This option will send a "push-remove dhcp-option WINS" to the client, removing any server-defined WINS servers.%1$s' .
582
			'NOTE: You can set new client specific WINS servers in below form or in Advanced section.',
583
			'<br />');
584

  
402 585
	$form->add($section);
403 586

  
404 587
	$section = new Form_Section('Tunnel Settings');
......
422 605
			'Enter the client IPv6 address and prefix. The prefix must match the IPv6 Tunnel Network prefix on the server. ',
423 606
			'<br />');
424 607

  
608
	$form->add($section);
609

  
610
	$section = new Form_Section('Local Routes Settings');
611

  
612
	$section->addInput(new Form_Checkbox(
613
		'gwredir',
614
		'Redirect IPv4 Gateway',
615
		'Force all client generated traffic through the tunnel.',
616
		$pconfig['gwredir']
617
	));
618

  
619
	$section->addInput(new Form_Checkbox(
620
		'gwredir6',
621
		'Redirect IPv6 Gateway',
622
		'Force all client-generated IPv6 traffic through the tunnel.',
623
		$pconfig['gwredir6']
624
	));
625

  
425 626
	$section->addInput(new Form_Input(
426 627
		'local_network',
427 628
		'IPv4 Local Network/s',
......
441 642
			'<br />');
442 643

  
443 644
	$section->addInput(new Form_Input(
645
		'gateway',
646
		'IPv4 Gateway',
647
		'text',
648
		$pconfig['gateway']
649
	))->setHelp('This is the IPv4 Gateway to push to the client. Normally it is left blank and configured on the server. ' .
650
			'The gateway IP should be entered if any of the options "Remove Server Local Routes" or "Remove All Server Options" is checked, ' .
651
			'as these 2 options will remove the gateway defined on the server and connection from the client will likely fail.%1$s' .
652
			'NOTE: Remember that, unless configured specifically, the gateway should match the IPv4 Tunnel gateway configured on the selected OpenVPN servers settings.',
653
			'<br />');
654

  
655
	$section->addInput(new Form_Input(
656
		'gateway6',
657
		'IPv6 Gateway',
658
		'text',
659
		$pconfig['gateway6']
660
	))->setHelp('This is the IPv6 Gateway to push to the client. Normally it is left blank and configured on the server. ' .
661
			'The gateway IP should be entered if any of the options "Remove Server Local Routes" or "Remove All Server Options" is checked, ' .
662
			'as these 2 options will remove the gateway defined on the server and connection from the client will likely fail.%1$s' .
663
			'NOTE: Remember that, unless configured specifically, the gateway should match the IPv4 Tunnel gateway configured on the selected OpenVPN servers settings.',
664
			'<br />');
665

  
666
	$form->add($section);
667

  
668
	$section = new Form_Section('Remote Routes Settings');
669

  
670
	$section->addInput(new Form_Input(
444 671
		'remote_network',
445 672
		'IPv4 Remote Network/s',
446 673
		'text',
......
460 687
		    'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.',
461 688
			'<br />');
462 689

  
463
	$section->addInput(new Form_Checkbox(
464
		'gwredir',
465
		'Redirect Gateway',
466
		'Force all client generated traffic through the tunnel.',
467
		$pconfig['gwredir']
468
	));
469

  
470 690
	$form->add($section);
471 691

  
472
	$section = new Form_Section('Client Settings');
692
	$section = new Form_Section('Other Client Settings');
473 693

  
474 694
	$section->addInput(new Form_Checkbox(
475
		'push_reset',
476
		'Server Definitions',
477
		'Prevent this client from receiving any server-defined client settings. ',
478
		$pconfig['push_reset']
479
	));
480

  
481
	/* as "push-reset" can break subnet topology, 
482
	 * "push-remove route" removes only IPv4/IPv6 routes, see #9702 */
483
	$section->addInput(new Form_Checkbox(
484
		'remove_route',
485
		'Remove Server Routes',
486
		'Prevent this client from receiving any server-defined routes without removing any other options. ',
487
		$pconfig['remove_route']
488
	));
489

  
490
	$section->addInput(new Form_Checkbox(
491 695
		'dns_domain_enable',
492 696
		'DNS Default Domain',
493 697
		'Provide a default domain name to clients',
494 698
		$pconfig['dns_domain_enable']
495
	))->toggles('.dnsdomain');
699
	));
496 700

  
497 701
	$group = new Form_Group('DNS Domain');
498 702
	$group->addClass('dnsdomain');
......
512 716
		'DNS Servers',
513 717
		'Provide a DNS server list to clients',
514 718
		$pconfig['dns_server_enable']
515
	))->toggles('.dnsservers');
719
	));
516 720

  
517 721
	$group = new Form_Group(null);
518 722
	$group->addClass('dnsservers');
......
553 757
		'NTP Servers',
554 758
		'Provide an NTP server list to clients',
555 759
		$pconfig['ntp_server_enable']
556
	))->toggles('.ntpservers');
760
	));
557 761

  
558 762
	$group = new Form_Group(null);
559 763
	$group->addClass('ntpservers');
......
574 778

  
575 779
	$section->add($group);
576 780

  
577
	// NTP servers - For this section we need to use Javascript hiding since there
781
	// Netbios - For this section we need to use Javascript hiding since there
578 782
	// are nested toggles
579 783
	$section->addInput(new Form_Checkbox(
580 784
		'netbios_enable',
......
663 867
<script type="text/javascript">
664 868
//<![CDATA[
665 869
events.push(function() {
870
	// when option server_overrides_enabled is checked, show override server options
871
	function serveroverrides_change() {
872
		if ($('#server_overrides_enabled').prop('checked')) {
873
			hideCheckbox('push_reset', false);
874
			hideCheckbox('topology_override', false);
875
			topology_change();
876
			push_reset_change();
877
		} else {
878
			hideCheckbox('push_reset', true);
879
			hideCheckbox('topology_override', true);
880
			hideSelect('topology', true);
881
			hideCheckbox('remove_route', true);
882
			hideCheckbox('remove_iroute', true);
883
			hideCheckbox('remove_dnsdomain', true);
884
			hideCheckbox('remove_dnsservers', true);
885
			hideCheckbox('remove_ntpservers', true);
886
			hideCheckbox('remove_netbios_ntype', true);
887
			hideCheckbox('remove_netbios_scope', true);
888
			hideCheckbox('remove_wins', true);
889
		}
890
	}
666 891

  
892
	// when push_reset option is selected, hide push_remove options, but not topology
893
	function push_reset_change() {
894
		var hide = $('#push_reset').prop('checked');
895

  
896
		hideCheckbox('remove_route', hide);
897
		hideCheckbox('remove_iroute', hide);
898
		hideCheckbox('remove_dnsdomain', hide);
899
		hideCheckbox('remove_dnsservers', hide);
900
		hideCheckbox('remove_ntpservers', hide);
901
		hideCheckbox('remove_netbios_ntype', hide);
902
		hideCheckbox('remove_netbios_scope', hide);
903
		hideCheckbox('remove_wins', hide);
904
	}
905

  
906
	function topology_change() {
907
		if ($('#topology_override').prop('checked')) {
908
			hideSelect('topology', false);
909
		} else {
910
			hideSelect('topology', true);
911
		}
912
	}
913

  
914
	function gwredir_change() {
915
		var hide = $('#gwredir').prop('checked');
916

  
917
		hideInput('local_network', hide);
918
//		hideInput('remote_network', hide);
919
	}
920

  
921
	function gwredir6_change() {
922
		var hide = $('#gwredir6').prop('checked');
923

  
924
		hideInput('local_networkv6', hide);
925
//		hideInput('remote_networkv6', hide);
926
	}
927

  
928
	function dnsdomain_change() {
929
		if ($('#dns_domain_enable').prop('checked')) {
930
			hideClass('dnsdomain', false);
931
		} else {
932
			hideClass('dnsdomain', true);
933
		}
934
	}
935

  
936
	function dnsservers_change() {
937
		if ($('#dns_server_enable').prop('checked')) {
938
			hideClass('dnsservers', false);
939
		} else {
940
			hideClass('dnsservers', true);
941
		}
942
	}
943

  
944
	function ntpservers_change() {
945
		if ($('#ntp_server_enable').prop('checked')) {
946
			hideClass('ntpservers', false);
947
		} else {
948
			hideClass('ntpservers', true);
949
		}
950
	}
951

  
667 952
	// Hide/show that section, but have to also respect the wins_server_enable checkbox
668 953
	function setNetbios() {
669 954
		if ($('#netbios_enable').prop('checked')) {
......
685 970

  
686 971
	// ---------- Click checkbox handlers ---------------------------------------------------------
687 972

  
973
	 // On clicking Select Server Overrides Options
974
	$('#server_overrides_enabled').click(function () {
975
		serveroverrides_change();
976
	});
977

  
978
	 // On clicking Remove All Server Options
979
	$('#push_reset').click(function () {
980
		push_reset_change();
981
	});
982

  
983
	 // On clicking Override Server Topology
984
	$('#topology_override').click(function () {
985
		topology_change();
986
	});
987

  
988
	 // On clicking Gateway redirect
989
	$('#gwredir').click(function () {
990
		gwredir_change();
991
	});
992

  
993
	 // On clicking Gateway redirect IPv6
994
	$('#gwredir6').click(function () {
995
		gwredir6_change();
996
	});
997

  
998
	 // On clicking DNS Default Domain
999
	$('#dns_domain_enable').click(function () {
1000
		dnsdomain_change();
1001
	});
1002

  
1003
	 // On clicking DNS Servers
1004
	$('#dns_server_enable').click(function () {
1005
		dnsservers_change();
1006
	});
1007

  
1008
	 // On clicking NTP Servers
1009
	$('#ntp_server_enable').click(function () {
1010
		ntpservers_change();
1011
	});
1012

  
688 1013
	// On clicking the netbios_enable checkbox
689 1014
	$('#netbios_enable').click(function () {
690 1015
		setNetbios();
......
697 1022

  
698 1023
	// ---------- On initial page load ------------------------------------------------------------
699 1024

  
1025
	// first the options depending on push_reset, and on server_overrides_enabled
1026
	// and finally the global server_overrides_enabled toggle
1027
	push_reset_change();
1028
	topology_change();
1029
	serveroverrides_change();
1030

  
1031
	gwredir_change();
1032
	gwredir6_change();
1033

  
700 1034
	setNetbios();
1035
	dnsdomain_change();
1036
	dnsservers_change();
1037
	ntpservers_change();
1038

  
701 1039
});
702 1040
//]]>
703 1041
</script>
(2-2/14)