pfSense

global $openvpn_topologies;

global $openvpn_ping_action, $openvpn_default_keepalive_interval, $openvpn_default_keepalive_timeout;

// check if submitted form field is not empty

function empty_field($str) {

	$has_text = !is_bool($str) && strlen($str) > 0;

	return !$has_text;

}

	if (!$user_can_edit_advanced && !empty_field($a_csc[$id]['custom_options'])) {

		$pconfig['push_reset'] = $a_csc[$id]['push_reset'];

		$pconfig['topology_override'] = $a_csc[$id]['topology_override'];

		$pconfig['topology'] = $a_csc[$id]['topology'];

		$pconfig['remove_route'] = $a_csc[$id]['remove_route'];

		$pconfig['remove_iroute'] = $a_csc[$id]['remove_iroute'];

		$pconfig['remove_dnsdomain'] = $a_csc[$id]['remove_dnsdomain'];

		$pconfig['remove_dnsservers'] = $a_csc[$id]['remove_dnsservers'];

		$pconfig['remove_ntpservers'] = $a_csc[$id]['remove_ntpservers'];

		$pconfig['remove_netbios_ntype'] = $a_csc[$id]['remove_netbios_ntype'];

		$pconfig['remove_netbios_scope'] = $a_csc[$id]['remove_netbios_scope'];

		$pconfig['remove_wins'] = $a_csc[$id]['remove_wins'];

		if ($pconfig['push_reset'] ||

				$pconfig['topology_override'] ||

				$pconfig['remove_route'] ||

				$pconfig['remove_iroute'] ||

				$pconfig['remove_dnsdomain'] ||

				$pconfig['remove_dnsservers'] ||

				$pconfig['remove_ntpservers'] ||

				$pconfig['remove_netbios_ntype'] ||

				$pconfig['remove_netbios_scope'] ||

				$pconfig['remove_wins']) {

			$pconfig['server_overrides_enabled'] = true;

		}

		$pconfig['gwredir'] = $a_csc[$id]['gwredir'];

		$pconfig['gwredir6'] = $a_csc[$id]['gwredir6'];

		$pconfig['gateway'] = $a_csc[$id]['gateway'];

		//$pconfig['gateway6'] = $a_csc[$id]['gateway6'];

		$pconfig['ping_push'] = $a_csc[$id]['ping_push'];

		$pconfig['ping_seconds'] = $a_csc[$id]['ping_seconds'];

		$pconfig['ping_action_push'] = $a_csc[$id]['ping_action_push'];

		$pconfig['ping_action'] = $a_csc[$id]['ping_action'];

		$pconfig['ping_action_seconds'] = $a_csc[$id]['ping_action_seconds'];

		if (!empty_field($pconfig['dns_domain'])) {

		if (!empty_field($pconfig['dns_server1']) ||

				!empty_field($pconfig['dns_server2']) ||

				!empty_field($pconfig['dns_server3']) ||

				!empty_field($pconfig['dns_server4'])) {

		$pconfig['push_blockoutsidedns'] = $a_csc[$id]['push_blockoutsidedns'];

		$pconfig['push_register_dns'] = $a_csc[$id]['push_register_dns'];

		if (!empty_field($pconfig['ntp_server1']) ||

				!empty_field($pconfig['ntp_server2'])) {

		if (!empty_field($pconfig['wins_server1']) ||

				!empty_field($pconfig['wins_server2'])) {

		if (!empty_field($pconfig['nbdd_server1'])) {

	if (!$user_can_edit_advanced && !empty_field($a_csc[$id]['custom_options'])) {

		// restore custom options field to its original value

	if (!empty_field($pconfig['tunnel_network']) && !openvpn_validate_tunnel_network($pconfig['tunnel_network'], 'ipv4')) {

	if (!empty_field($pconfig['tunnel_networkv6']) && !openvpn_validate_tunnel_network($pconfig['tunnel_networkv6'], 'ipv6')) {

	if ($pconfig['server_overrides_enabled'] && $pconfig['topology_override'] && !array_key_exists($pconfig['topology'], $openvpn_topologies)) {

		$input_errors[] = gettext("The field 'Topology' contains an invalid selection");

	}

	if (!$pconfig['gwredir'] && ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4", true))) {

	if (!$pconfig['gwredir6'] && ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6", true))) {

	if (!empty_field($pconfig['gateway']) && !is_ipaddrv4($pconfig['gateway'])) {

		$input_errors[] = gettext("A valid IPv4 address must be specified for the gateway.");

	}

	/*

	if (!empty_field($pconfig['gateway6']) && !is_ipaddrv6($pconfig['gateway6'])) {

		$input_errors[] = gettext("A valid IPv6 address must be specified for the gateway.");

	}

	*/

	if ($pconfig['ping_push'] && !is_numericint($pconfig['ping_seconds'])) {

		$input_errors[] = gettext("The supplied Ping Seconds value is invalid.");

	}

	if ($pconfig['ping_action_push'] && !array_key_exists($pconfig['ping_action'], $openvpn_ping_action)) {

		$input_errors[] = gettext("The field 'Ping Action' contains an invalid selection");

	}

	if ($pconfig['ping_action_push'] && !is_numericint($pconfig['ping_action_seconds'])) {

		$input_errors[] = gettext("The supplied Ping Restart or Exit Seconds value is invalid.");

	}

		if (!empty_field($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) {

		if (!empty_field($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) {

		if (!empty_field($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) {

		if (!empty_field($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) {

		if (!empty_field($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) {

		if (!empty_field($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) {

		if (!empty_field($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3']))) {

		if (!empty_field($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4']))) {

			if (!empty_field($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) {

			if (!empty_field($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) {

			if (!empty_field($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) {

		if ($pconfig['server_overrides_enabled']) {

			$csc['push_reset'] = $pconfig['push_reset'];

			if (!$pconfig['push_reset']) {

				$csc['remove_route'] = $pconfig['remove_route'];

				$csc['remove_iroute'] = $pconfig['remove_iroute'];

				$csc['remove_dnsdomain'] = $pconfig['remove_dnsdomain'];

				$csc['remove_dnsservers'] = $pconfig['remove_dnsservers'];

				$csc['remove_ntpservers'] = $pconfig['remove_ntpservers'];

				$csc['remove_netbios_ntype'] = $pconfig['remove_netbios_ntype'];

				$csc['remove_netbios_scope'] = $pconfig['remove_netbios_scope'];

				$csc['remove_wins'] = $pconfig['remove_wins'];

			}

			$csc['topology_override'] = $pconfig['topology_override'];

			if ($pconfig['topology_override']) {

				$csc['topology'] = $pconfig['topology'];

			}

		}

		$csc['gwredir'] = $pconfig['gwredir'];

		if (!$pconfig['gwredir']) {

		}

		$csc['gwredir6'] = $pconfig['gwredir6'];

		if (!$pconfig['gwredir6']) {

		}

		$csc['gateway'] = $pconfig['gateway'];

		//$csc['gateway6'] = $pconfig['gateway6'];

		$csc['ping_push'] = $pconfig['ping_push'];

		if ($pconfig['ping_push']) {

			$csc['ping_seconds'] = $pconfig['ping_seconds'];

		}

		$csc['ping_action_push'] = $pconfig['ping_action_push'];

		if ($pconfig['ping_action_push']) {

			$csc['ping_action'] = $pconfig['ping_action'];

			$csc['ping_action_seconds'] = $pconfig['ping_action_seconds'];

		}

		$csc['push_blockoutsidedns'] = $pconfig['push_blockoutsidedns'];

		$csc['push_register_dns'] = $pconfig['push_register_dns'];

		if (!empty_field($old_csc['common_name'])) {

	// Override server client options

	$section->addInput(new Form_Checkbox(

		'server_overrides_enabled',

		'Select Server Overrides',

		'Select server options to remove.',

		$pconfig['server_overrides_enabled']

	))->setHelp('If unchecked, any client options specified in below form or Advanced section will be pushed to the client after the server options.%1$s' .

			'If checked, you can select the server options you want to remove. Any specified client option in below form or Advanced section will thus override the corresponding server-defined options.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'push_reset',

		null,

		'Remove All Server Options',

		$pconfig['push_reset']

	))->setHelp('Prevent this client from receiving any server-defined client settings.%1$s' .

			'This option will send a push-reset to the client. It will thus remove any server-defined routes, the gateway and topology.%1$s' .

			'For the client to properly connect, you will need to enter at least the gateway and topology in the below form or in Advanced section.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'topology_override',

		null,

		'Override Server Topology',

		$pconfig['topology_override']

	));

	$section->addInput(new Form_Select(

		'topology',

		null,

		$pconfig['topology'],

		$openvpn_topologies

	))->setHelp('This will push the selected topology to the client. It should only be set when option "Remove All Server Options" is checked. It must match the actual topology specified in server.%1$s' .

			'NOTE: This will perform a "push topology [selection]" without a previous "push-remove topology". Alternetively you can push the topology in Advanced section.',

			'<br />');

	/* as "push-reset" can break subnet topology, 

	 * "push-remove route" removes only IPv4/IPv6 routes, see #9702 */

	$section->addInput(new Form_Checkbox(

		'remove_route',

		null,

		'Remove Server Local Routes',

		$pconfig['remove_route']

	))->setHelp('Prevent this client from receiving any server-defined local routes.%1$s' .

			'This option will send a "push-remove route" to the client, removing any server-defined ipv4 or ipv6 local routes, including the gateway.%1$s' .

			'NOTE: Remember to either enter the proper gateway and any additional local routes in the below form or in Advanced section.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'remove_iroute',

		null,

		'Remove Server Remote Routes',

		$pconfig['remove_iroute']

	))->setHelp('Prevent this client from receiving any server-defined remote routes.%1$s' .

			'This option will send a "push-remove iroute" to the client, removing any server-defined ipv4 or ipv6 remote routes%1$s' .

			'NOTE: You can set new client specific remote routes in below form or in Advanced section.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'remove_dnsdomain',

		null,

		'Remove Server DNS Domains',

		$pconfig['remove_dnsdomain']

	))->setHelp('Prevent this client from receiving any server-defined remote DNS domains.%1$s' .

			'This option will send a "push-remove dhcp-option DOMAIN" to the client, removing any server-defined DNS domains.%1$s' .

			'NOTE: You can set new client specific DNS domain in below form or in Advanced section.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'remove_dnsservers',

		null,

		'Remove Server DNS Servers',

		$pconfig['remove_dnsservers']

	))->setHelp('Prevent this client from receiving any server-defined DNS Servers.%1$s' .

			'This option will send a "push-remove dhcp-option DNS" to the client, removing any server-defined ipv4 or ipv6 DNS servers.%1$s' .

			'NOTE: You can set new client specific DNS servers in below form or in Advanced section.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'remove_ntpservers',

		null,

		'Remove Server NTP Options.',

		$pconfig['remove_ntpservers']

	))->setHelp('Prevent this client from receiving any server-defined NTP Servers.%1$s' .

			'This option will send a "push-remove dhcp-option NTP" to the client, removing any server-defined NTP servers.%1$s' .

			'NOTE: You can set new client specific NTP servers in below form or in Advanced section.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'remove_netbios_ntype',

		null,

		'Remove Server Netbios Type',

		$pconfig['remove_netbios_ntype']

	))->setHelp('Prevent this client from receiving any server-defined Netbios Node Type.%1$s' .

			'This option will send a "push-remove dhcp-option NBT" to the client, removing any server-defined Netbios Node Type.%1$s' .

			'NOTE: You can set new client specific Netbios options in below form or in Advanced section.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'remove_netbios_scope',

		null,

		'Remove Server Netbios Scope',

		$pconfig['remove_netbios_scope']

	))->setHelp('Prevent this client from receiving any server-defined Netbios Scope.%1$s' .

			'This option will send a "push-remove dhcp-option NBS" to the client, removing any server-defined Netbios Scope.%1$s' .

			'NOTE: You can set new client specific Netbios Scope in below form or in Advanced section.',

			'<br />');

	$section->addInput(new Form_Checkbox(

		'remove_wins',

		null,

		'Remove Server WINS Options',

		$pconfig['remove_wins']

	))->setHelp('Prevent this client from receiving any server-defined WINS servers.%1$s' .

			'This option will send a "push-remove dhcp-option WINS" to the client, removing any server-defined WINS servers.%1$s' .

			'NOTE: You can set new client specific WINS servers in below form or in Advanced section.',

			'<br />');

	$form->add($section);

	$section = new Form_Section('Local Routes Settings');

	$section->addInput(new Form_Checkbox(

		'gwredir',

		'Redirect IPv4 Gateway',

		'Force all client generated traffic through the tunnel.',

		$pconfig['gwredir']

	));

	$section->addInput(new Form_Checkbox(

		'gwredir6',

		'Redirect IPv6 Gateway',

		'Force all client-generated IPv6 traffic through the tunnel.',

		$pconfig['gwredir6']

	));

		'gateway',

		'IPv4 Gateway',

		'text',

		$pconfig['gateway']

	))->setHelp('This is the IPv4 Gateway to push to the client. Normally it is left blank and configured on the server. ' .

			'The gateway IP should be entered if any of the options "Remove Server Local Routes" or "Remove All Server Options" is checked, ' .

			'as these 2 options will remove the gateway defined on the server and connection from the client will likely fail.%1$s' .

			'NOTE: Remember that, unless configured specifically, the gateway should match the IPv4 Tunnel gateway configured on the selected OpenVPN servers settings.',

			'<br />');

	/*

	$section->addInput(new Form_Input(

		'gateway6',

		'IPv6 Gateway',

		'text',

		$pconfig['gateway6']

	))->setHelp('This is the IPv6 Gateway to push to the client. Normally it is left blank and configured on the server. ' .

			'The gateway IP should be entered if any of the options "Remove Server Local Routes" or "Remove All Server Options" is checked, ' .

			'as these 2 options will remove the gateway defined on the server and connection from the client will likely fail.%1$s' .

			'NOTE: Remember that, unless configured specifically, the gateway should match the IPv4 Tunnel gateway configured on the selected OpenVPN servers settings.',

			'<br />');

	*/

	$form->add($section);

	$section = new Form_Section('Remote Routes Settings');

	$section->addInput(new Form_Input(

	$section = new Form_Section('Other Client Settings');

		'ping_push',

		'Ping Interval',

		'Push ping to VPN client',

		$pconfig['ping_push']

	))->setHelp('Override server ping interval.%1$s',

				'<br />');

	$section->addInput(new Form_Input(

		'ping_seconds',

		'Ping Seconds',

		'number',

		$pconfig['ping_seconds'] ?: $openvpn_default_keepalive_interval,

		['min' => '0']

	))->setHelp('Ping remote over the TCP/UDP control channel if no ' .

	    'packets have been sent for at least n seconds.%1$s',

	    '<br />');

		'ping_action_push',

		'Ping Action',

		'Push ping-restart/ping-exit to VPN client',

		$pconfig['ping_action_push']

	))->setHelp('Override server ping restart/exit.%1$s',

				'<br />');

	$section->addInput(new Form_Select(

		'ping_action',

		'Ping restart or exit',

		$pconfig['ping_action'],

		$openvpn_ping_action

	))->setHelp('Exit or restart OpenVPN after timeout from remote.%1$s',

				'<br />');

	$section->addInput(new Form_Input(

		'ping_action_seconds',

		'Ping restart or exit seconds',

		'number',

		$pconfig['ping_action_seconds']

		    ?: $openvpn_default_keepalive_timeout,

		['min' => '0']

	));

	));

	$section->addInput(new Form_Checkbox(

		'push_blockoutsidedns',

		'Block Outside DNS',

		'Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers.',

		$pconfig['push_blockoutsidedns']

	))->setHelp('Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.');

	$section->addInput(new Form_Checkbox(

		'push_register_dns',

		'Force DNS cache update',

		'Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation.',

		$pconfig['push_register_dns']

	))->setHelp('This is known to kick Windows into recognizing pushed DNS servers.');

	));

	// Netbios - For this section we need to use Javascript hiding since there

	$section->addInput($custops)->setHelp('Enter any additional options to add for this client specific override, separated by a semicolon.%1$s' .

				'The options will be pushed to the client after all above custom options.%1$s' .

	// when option server_overrides_enabled is checked, show override server options

	function serveroverrides_change() {

		if ($('#server_overrides_enabled').prop('checked')) {

			hideCheckbox('push_reset', false);

			hideCheckbox('topology_override', false);

			topology_change();

			push_reset_change();

		} else {

			hideCheckbox('push_reset', true);

			hideCheckbox('topology_override', true);

			hideSelect('topology', true);

			hideCheckbox('remove_route', true);

			hideCheckbox('remove_iroute', true);

			hideCheckbox('remove_dnsdomain', true);

			hideCheckbox('remove_dnsservers', true);

			hideCheckbox('remove_ntpservers', true);

			hideCheckbox('remove_netbios_ntype', true);

			hideCheckbox('remove_netbios_scope', true);

			hideCheckbox('remove_wins', true);

		}

	}

	// when push_reset option is selected, hide push_remove options, but not topology

	function push_reset_change() {

		var hide = $('#push_reset').prop('checked');

		hideCheckbox('remove_route', hide);

		hideCheckbox('remove_iroute', hide);

		hideCheckbox('remove_dnsdomain', hide);

		hideCheckbox('remove_dnsservers', hide);

		hideCheckbox('remove_ntpservers', hide);

		hideCheckbox('remove_netbios_ntype', hide);

		hideCheckbox('remove_netbios_scope', hide);

		hideCheckbox('remove_wins', hide);

	}

	function topology_change() {

		if ($('#topology_override').prop('checked')) {

			hideSelect('topology', false);

		} else {

			hideSelect('topology', true);

		}

	}

	function gwredir_change() {

		var hide = $('#gwredir').prop('checked');

		hideInput('local_network', hide);

//		hideInput('remote_network', hide);

	}

	function gwredir6_change() {

		var hide = $('#gwredir6').prop('checked');

		hideInput('local_networkv6', hide);

//		hideInput('remote_networkv6', hide);

	}

	function ping_seconds_change() {

		if ($('#ping_push').prop('checked')) {

			hideInput('ping_seconds', false);

		} else {

			hideInput('ping_seconds', true);

		}

	}

	function ping_action_change() {

		if ($('#ping_action_push').prop('checked')) {

			hideSelect('ping_action', false);

			hideInput('ping_action_seconds', false);

		} else {

			hideSelect('ping_action', true);

			hideInput('ping_action_seconds', true);

		}

	}

	function dnsdomain_change() {

		if ($('#dns_domain_enable').prop('checked')) {

			hideClass('dnsdomain', false);

		} else {

			hideClass('dnsdomain', true);

		}

	}

	function dnsservers_change() {

		if ($('#dns_server_enable').prop('checked')) {

			hideClass('dnsservers', false);

		} else {

			hideClass('dnsservers', true);

		}

	}

	function ntpservers_change() {

		if ($('#ntp_server_enable').prop('checked')) {

			hideClass('ntpservers', false);

		} else {

			hideClass('ntpservers', true);

		}

	}

	 // On clicking Select Server Overrides Options

	$('#server_overrides_enabled').click(function () {

		serveroverrides_change();

	});

	 // On clicking Remove All Server Options

	$('#push_reset').click(function () {

		push_reset_change();

	});

	 // On clicking Override Server Topology

	$('#topology_override').click(function () {

		topology_change();

	});

	 // On clicking Gateway redirect

	$('#gwredir').click(function () {

		gwredir_change();

	});

	 // On clicking Gateway redirect IPv6

	$('#gwredir6').click(function () {

		gwredir6_change();

	});

	 // On clicking Ping Interval

	$('#ping_push').click(function () {

		ping_seconds_change();

	});

	 // On clicking Ping Action

	$('#ping_action_push').click(function () {

		ping_action_change();

	});

	 // On clicking DNS Default Domain

	$('#dns_domain_enable').click(function () {

		dnsdomain_change();

	});

	 // On clicking DNS Servers

	$('#dns_server_enable').click(function () {

		dnsservers_change();

	});

	 // On clicking NTP Servers

	$('#ntp_server_enable').click(function () {

		ntpservers_change();

	});

	// first the options depending on push_reset, and on server_overrides_enabled

	// and finally the global server_overrides_enabled toggle

	push_reset_change();

	topology_change();

	serveroverrides_change();

	gwredir_change();

	gwredir6_change();

	ping_seconds_change();

	ping_action_change();

	dnsdomain_change();

	dnsservers_change();

	ntpservers_change();

++ b/src/etc/inc/openvpn.inc

		if (!empty($settings['netbios_ntype']) && ($settings['netbios_ntype'] != 0)) {

			$conf .= "push \"dhcp-option NBT {$settings['netbios_ntype']}\"\n";

		if (!empty($settings['netbios_scope'])) {

			$conf .= "push \"dhcp-option NBS {$settings['netbios_scope']}\"\n";

// set client specific overrides

	if ($settings['push_reset']) {

		$conf .= "push-reset\n";

	}

	if ($settings['topology_override']) {

		$conf .= "push \"topology {$settings['topology']}\"\n";

	}

	if ($settings['remove_iroute']) {

		$conf .= "push-remove iroute\n";

	}

	if ($settings['remove_dnsdomain']) {

		$conf .= "push-remove \"dhcp-option DOMAIN\"\n";

	}

	if ($settings['remove_dnsservers']) {

		$conf .= "push-remove \"dhcp-option DNS\"\n";

	}

	if ($settings['remove_ntpservers']) {

		$conf .= "push-remove \"dhcp-option NTP\"\n";

	}

	if ($settings['remove_netbios_ntype']) {

		$conf .= "push-remove \"dhcp-option NBT\"\n";

	}

	if ($settings['remove_netbios_scope']) {

		$conf .= "push-remove \"dhcp-option NBS\"\n";

	}

	if ($settings['remove_wins']) {

		$conf .= "push-remove \"dhcp-option WINS\"\n";

	}

	// push the ipv4 gateway if specified

	if (!empty($settings['gateway']) && is_ipaddrv4($settings['gateway'])) {

		$conf .= "push \"route-gateway {$settings['gateway']}\"\n";

	}

	/* Currently route-ipv6-gateway is not supported by openvpn

	if (!empty($settings['gateway']) && is_ipaddrv4($settings['gateway'])) {

		$conf .= "push \"route-ipv6-gateway {$settings['gateway']}\"\n";

	}

	*/

	// Ping override options

	if ($settings['ping_push']) {

		$conf .= "push \"ping {$settings['ping_seconds']}\"\n";

	}

	if ($settings['ping_action_push']) {

		$action = str_replace("_", "-", $settings['ping_action']);

		$conf .= "push \"{$action} " .

			"{$settings['ping_action_seconds']}\"\n";

	}

	// create client specific dhcp options and gateway redirection

	// custom options are added after all client overrides, and before the tunnel options