757 |
757 |
|
758 |
758 |
if ($settings['netbios_enable']) {
|
759 |
759 |
|
760 |
|
if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0)) {
|
761 |
|
$conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
|
|
760 |
if (!empty($settings['netbios_ntype']) && ($settings['netbios_ntype'] != 0)) {
|
|
761 |
$conf .= "push \"dhcp-option NBT {$settings['netbios_ntype']}\"\n";
|
762 |
762 |
}
|
763 |
|
if (!empty($settings['dhcp_nbtscope'])) {
|
764 |
|
$conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
|
|
763 |
if (!empty($settings['netbios_scope'])) {
|
|
764 |
$conf .= "push \"dhcp-option NBS {$settings['netbios_scope']}\"\n";
|
765 |
765 |
}
|
766 |
766 |
|
767 |
767 |
if (!empty($settings['wins_server1'])) {
|
... | ... | |
774 |
774 |
if (!empty($settings['nbdd_server1'])) {
|
775 |
775 |
$conf .= "push \"dhcp-option NBDD {$settings['nbdd_server1']}\"\n";
|
776 |
776 |
}
|
|
777 |
if (!empty($settings['nbdd_server2'])) {
|
|
778 |
$conf .= "push \"dhcp-option NBDD {$settings['nbdd_server2']}\"\n";
|
777 |
779 |
}
|
|
780 |
}
|
778 |
781 |
|
779 |
782 |
if ($settings['gwredir']) {
|
780 |
783 |
$conf .= "push \"redirect-gateway def1\"\n";
|
... | ... | |
1695 |
1698 |
}
|
1696 |
1699 |
openvpn_create_dirs();
|
1697 |
1700 |
|
|
1701 |
/* Some options remove the gateway or topology which are required;
|
|
1702 |
* in such cases, these can be automatically determined. */
|
|
1703 |
$auto_config_gateway4 = false;
|
|
1704 |
$auto_config_gateway6 = false;
|
|
1705 |
$auto_config_topology = false;
|
|
1706 |
|
1698 |
1707 |
if (empty($settings['server_list'])) {
|
1699 |
1708 |
$csc_server_list = array();
|
1700 |
1709 |
} else {
|
... | ... | |
1706 |
1715 |
$conf .= "disable\n";
|
1707 |
1716 |
}
|
1708 |
1717 |
|
|
1718 |
// Reset options
|
1709 |
1719 |
if ($settings['push_reset']) {
|
|
1720 |
if ($settings['keep_minimal']) {
|
|
1721 |
$auto_config_gateway4 = true;
|
|
1722 |
$auto_config_gateway6 = true;
|
|
1723 |
$auto_config_topology = true;
|
|
1724 |
}
|
1710 |
1725 |
$conf .= "push-reset\n";
|
|
1726 |
} elseif (!empty($settings['remove_options'])) {
|
|
1727 |
foreach (explode(',', $settings['remove_options']) as $option) {
|
|
1728 |
if ($settings['keep_minimal'] && ($option == 'remove_route')) {
|
|
1729 |
$auto_config_gateway4 = true;
|
|
1730 |
$auto_config_gateway6 = true;
|
1711 |
1731 |
}
|
1712 |
|
|
1713 |
|
if ($settings['remove_route']) {
|
1714 |
|
$conf .= "push-remove route\n";
|
|
1732 |
$options = match ($option) {
|
|
1733 |
'remove_route' => 'route',
|
|
1734 |
'remove_iroute' => 'iroute',
|
|
1735 |
'remove_redirect_gateway' => 'redirect-gateway',
|
|
1736 |
'remove_inactive' => 'inactive',
|
|
1737 |
'remove_ping' => 'ping',
|
|
1738 |
'remove_ping_action' => ['ping-restart', 'ping-exit'],
|
|
1739 |
'remove_blockoutsidedns' => 'block-outside-dns',
|
|
1740 |
'remove_dnsdomain' => '"dhcp-option DOMAIN"',
|
|
1741 |
'remove_dnsservers' => '"dhcp-option DNS"',
|
|
1742 |
'remove_ntpservers' => '"dhcp-option NTP"',
|
|
1743 |
'remove_netbios_ntype' => '"dhcp-option NBT"',
|
|
1744 |
'remove_netbios_scope' => '"dhcp-option NBS"',
|
|
1745 |
'remove_wins' => '"dhcp-option WINS"'
|
|
1746 |
};
|
|
1747 |
if (is_array($options)) {
|
|
1748 |
foreach ($options as $option_name) {
|
|
1749 |
$conf .= "push-remove {$option_name}\n";
|
1715 |
1750 |
}
|
|
1751 |
} else {
|
|
1752 |
$conf .= "push-remove {$options}\n";
|
|
1753 |
}
|
|
1754 |
}
|
|
1755 |
}
|
1716 |
1756 |
|
|
1757 |
// Local network route options
|
1717 |
1758 |
if ($settings['local_network']) {
|
1718 |
1759 |
$conf .= openvpn_gen_routes($settings['local_network'], "ipv4", true);
|
1719 |
1760 |
}
|
... | ... | |
1721 |
1762 |
$conf .= openvpn_gen_routes($settings['local_networkv6'], "ipv6", true);
|
1722 |
1763 |
}
|
1723 |
1764 |
|
1724 |
|
// Add a remote network iroute if set
|
|
1765 |
// Remote network iroute options
|
1725 |
1766 |
if (openvpn_validate_cidr($settings['remote_network'], "", true, "ipv4", true) === FALSE) {
|
1726 |
1767 |
$conf .= openvpn_gen_routes($settings['remote_network'], "ipv4", false, true);
|
1727 |
1768 |
}
|
1728 |
|
// Add a remote network iroute if set
|
1729 |
1769 |
if (openvpn_validate_cidr($settings['remote_networkv6'], "", true, "ipv6", true) === FALSE) {
|
1730 |
1770 |
$conf .= openvpn_gen_routes($settings['remote_networkv6'], "ipv6", false, true);
|
1731 |
1771 |
}
|
1732 |
1772 |
|
|
1773 |
// Gatewy override options
|
|
1774 |
if (!empty($settings['gateway'])) {
|
|
1775 |
$auto_config_gateway4 = false;
|
|
1776 |
$conf .= "push \"route-gateway {$settings['gateway']}\"\n";
|
|
1777 |
}
|
|
1778 |
if (!empty($settings['gateway6'])) {
|
|
1779 |
$auto_config_gateway6 = false;
|
|
1780 |
$conf .= "push \"route-ipv6-gateway {$settings['gateway6']}\"\n";
|
|
1781 |
}
|
|
1782 |
|
|
1783 |
// Inactivity override options
|
|
1784 |
if (isset($settings['inactive_seconds'])) {
|
|
1785 |
$conf .= "push \"inactive {$settings['inactive_seconds']}\"\n";
|
|
1786 |
}
|
|
1787 |
|
|
1788 |
// Ping override options
|
|
1789 |
if (isset($settings['ping_seconds'])) {
|
|
1790 |
$conf .= "push \"ping {$settings['ping_seconds']}\"\n";
|
|
1791 |
}
|
|
1792 |
if (isset($settings['ping_action'])) {
|
|
1793 |
$action = str_replace("_", "-", $settings['ping_action']);
|
|
1794 |
$conf .= "push \"{$action} {$settings['ping_action_seconds']}\"\n";
|
|
1795 |
}
|
|
1796 |
|
|
1797 |
// DHCP and gateway redirect options
|
1733 |
1798 |
openvpn_add_dhcpopts($settings, $conf);
|
1734 |
1799 |
|
|
1800 |
// Custom options
|
1735 |
1801 |
openvpn_add_custom($settings, $conf);
|
|
1802 |
|
1736 |
1803 |
/* Loop through servers, find which ones can use this CSC */
|
1737 |
1804 |
foreach (config_get_path('openvpn/openvpn-server', []) as $serversettings) {
|
1738 |
1805 |
if (isset($serversettings['disable'])) {
|
... | ... | |
1742 |
1809 |
if ($serversettings['vpnid'] && (empty($csc_server_list) || in_array($serversettings['vpnid'], $csc_server_list))) {
|
1743 |
1810 |
$csc_path = "{$g['openvpn_base']}/server{$serversettings['vpnid']}/csc/" . basename($settings['common_name']);
|
1744 |
1811 |
$csc_conf = $conf;
|
|
1812 |
|
|
1813 |
/* Topology is depends on the server configuration.
|
|
1814 |
* TAP mode always uses a subnet topology */
|
|
1815 |
$topology = ($serversettings['dev_mode'] == 'tap') ? 'subnet' : $serversettings['topology'];
|
|
1816 |
if ($auto_config_topology) {
|
|
1817 |
$csc_conf .= "push \"topology {$topology}\"\n";
|
|
1818 |
}
|
|
1819 |
|
|
1820 |
/* The gateway is the first usable address in the tunnel network.
|
|
1821 |
* If the tunnel network is not set, the gateway must be manually
|
|
1822 |
* defined. This can happen when using a net30 topology and
|
|
1823 |
* resetting options. */
|
|
1824 |
if ($auto_config_gateway6) {
|
|
1825 |
// IPv6 always uses a subnet topology
|
|
1826 |
$tunnel_network = null;
|
|
1827 |
if (!empty($settings['tunnel_networkv6'])) {
|
|
1828 |
$tunnel_network = $settings['tunnel_networkv6'];
|
|
1829 |
} elseif (!empty($serversettings['tunnel_networkv6'])) {
|
|
1830 |
$tunnel_network = $serversettings['tunnel_networkv6'];
|
|
1831 |
}
|
|
1832 |
if (!empty($tunnel_network)) {
|
|
1833 |
$tunnel_network_parts = openvpn_gen_tunnel_network($tunnel_network);
|
|
1834 |
$gateway = ip6_after(gen_subnetv6($tunnel_network_parts[0], $tunnel_network_parts[1]));
|
|
1835 |
$csc_conf .= "push \"route-ipv6-gateway {$gateway}\"\n";
|
|
1836 |
}
|
|
1837 |
}
|
|
1838 |
if ($auto_config_gateway4) {
|
|
1839 |
$tunnel_network = null;
|
|
1840 |
if ($topology == "subnet") {
|
|
1841 |
// The client tunnel network is assumed to be the same as the server's
|
|
1842 |
$tunnel_network = $serversettings['tunnel_network'];
|
|
1843 |
} elseif (!empty($settings['tunnel_network'])) {
|
|
1844 |
$tunnel_network = $settings['tunnel_network'];
|
|
1845 |
}
|
|
1846 |
if (!empty($tunnel_network)) {
|
|
1847 |
$tunnel_network_parts = openvpn_gen_tunnel_network($tunnel_network);
|
|
1848 |
$gateway = ip_after(gen_subnetv4($tunnel_network_parts[0], $tunnel_network_parts[1]), 1);
|
|
1849 |
$csc_conf .= "push \"route-gateway {$gateway}\"\n";
|
|
1850 |
}
|
|
1851 |
}
|
1745 |
1852 |
|
1746 |
1853 |
if (!empty($serversettings['tunnel_network']) && !empty($settings['tunnel_network'])) {
|
1747 |
1854 |
list($ip, $mask) = openvpn_gen_tunnel_network($settings['tunnel_network']);
|
1748 |
|
-- a/src/usr/local/www/vpn_openvpn_csc.php
|
|
1855 |
++ b/src/usr/local/www/vpn_openvpn_csc.php
|
... | ... | |
34 |
34 |
require_once("pfsense-utils.inc");
|
35 |
35 |
require_once("pkg-utils.inc");
|
36 |
36 |
|
37 |
|
global $openvpn_tls_server_modes;
|
|
37 |
global $openvpn_tls_server_modes, $openvpn_ping_action;
|
38 |
38 |
|
39 |
39 |
init_config_arr(array('openvpn', 'openvpn-csc'));
|
40 |
40 |
$a_csc = &$config['openvpn']['openvpn-csc'];
|
... | ... | |
78 |
78 |
|
79 |
79 |
if (($act == "edit") || ($act == "dup")) {
|
80 |
80 |
if (isset($id) && $a_csc[$id]) {
|
|
81 |
$pconfig['keep_minimal'] = isset($a_csc[$id]['keep_minimal']);
|
|
82 |
// Handle the "Reset Options" list
|
|
83 |
if (!empty($a_csc[$id]['remove_options'])) {
|
|
84 |
$pconfig['override_options'] = 'remove_specified';
|
|
85 |
$pconfig['remove_options'] = explode(',', $a_csc[$id]['remove_options']);
|
|
86 |
} elseif (isset($a_csc[$id]['push_reset'])) {
|
|
87 |
$pconfig['override_options'] = 'push_reset';
|
|
88 |
}
|
|
89 |
|
81 |
90 |
$pconfig['server_list'] = explode(",", $a_csc[$id]['server_list']);
|
82 |
91 |
$pconfig['custom_options'] = $a_csc[$id]['custom_options'];
|
83 |
92 |
$pconfig['disable'] = isset($a_csc[$id]['disable']);
|
... | ... | |
89 |
98 |
$pconfig['tunnel_networkv6'] = $a_csc[$id]['tunnel_networkv6'];
|
90 |
99 |
$pconfig['local_network'] = $a_csc[$id]['local_network'];
|
91 |
100 |
$pconfig['local_networkv6'] = $a_csc[$id]['local_networkv6'];
|
|
101 |
$pconfig['gateway'] = $a_csc[$id]['gateway'];
|
|
102 |
$pconfig['gateway6'] = $a_csc[$id]['gateway6'];
|
92 |
103 |
$pconfig['remote_network'] = $a_csc[$id]['remote_network'];
|
93 |
104 |
$pconfig['remote_networkv6'] = $a_csc[$id]['remote_networkv6'];
|
94 |
105 |
$pconfig['gwredir'] = $a_csc[$id]['gwredir'];
|
|
106 |
$pconfig['gwredir6'] = $a_csc[$id]['gwredir6'];
|
95 |
107 |
|
96 |
|
$pconfig['push_reset'] = $a_csc[$id]['push_reset'];
|
97 |
|
$pconfig['remove_route'] = $a_csc[$id]['remove_route'];
|
|
108 |
$pconfig['inactive_seconds'] = $a_csc[$id]['inactive_seconds'];
|
|
109 |
$pconfig['ping_seconds'] = $a_csc[$id]['ping_seconds'];
|
|
110 |
$pconfig['ping_action'] = $a_csc[$id]['ping_action'];
|
|
111 |
$pconfig['ping_action_seconds'] = $a_csc[$id]['ping_action_seconds'];
|
98 |
112 |
|
99 |
113 |
$pconfig['dns_domain'] = $a_csc[$id]['dns_domain'];
|
100 |
114 |
if ($pconfig['dns_domain']) {
|
... | ... | |
113 |
127 |
$pconfig['dns_server_enable'] = true;
|
114 |
128 |
}
|
115 |
129 |
|
|
130 |
$pconfig['push_blockoutsidedns'] = $a_csc[$id]['push_blockoutsidedns'];
|
|
131 |
$pconfig['push_register_dns'] = $a_csc[$id]['push_register_dns'];
|
|
132 |
|
116 |
133 |
$pconfig['ntp_server1'] = $a_csc[$id]['ntp_server1'];
|
117 |
134 |
$pconfig['ntp_server2'] = $a_csc[$id]['ntp_server2'];
|
118 |
135 |
|
... | ... | |
134 |
151 |
}
|
135 |
152 |
|
136 |
153 |
$pconfig['nbdd_server1'] = $a_csc[$id]['nbdd_server1'];
|
137 |
|
if ($pconfig['nbdd_server1']) {
|
|
154 |
$pconfig['nbdd_server2'] = $a_csc[$id]['nbdd_server2'];
|
|
155 |
|
|
156 |
if ($pconfig['nbdd_server1'] || $pconfig['nbdd_server2']) {
|
138 |
157 |
$pconfig['nbdd_server_enable'] = true;
|
139 |
158 |
}
|
140 |
159 |
}
|
... | ... | |
157 |
176 |
$input_errors[] = gettext("This user does not have sufficient privileges to edit Advanced options on this instance.");
|
158 |
177 |
}
|
159 |
178 |
if (!$user_can_edit_advanced && !empty($a_csc[$id]['custom_options'])) {
|
|
179 |
// Restore the "custom options" field
|
160 |
180 |
$pconfig['custom_options'] = $a_csc[$id]['custom_options'];
|
161 |
181 |
}
|
162 |
182 |
|
... | ... | |
180 |
200 |
$input_errors[] = gettext("The field 'IPv6 Tunnel Network' must contain a valid IPv6 prefix or an alias with a single IPv6 prefix.");
|
181 |
201 |
}
|
182 |
202 |
|
183 |
|
if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4", true)) {
|
|
203 |
if (empty($pconfig['gwredir']) && ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4", true))) {
|
184 |
204 |
$input_errors[] = $result;
|
185 |
205 |
}
|
186 |
206 |
|
187 |
|
if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6", true)) {
|
|
207 |
if (empty($pconfig['gwredir6']) && ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6", true))) {
|
188 |
208 |
$input_errors[] = $result;
|
189 |
209 |
}
|
190 |
210 |
|
|
211 |
if (!empty($pconfig['gateway']) && !is_ipaddrv4($pconfig['gateway'])) {
|
|
212 |
$input_errors[] = gettext("The specified IPv4 gateway address is invalid.");
|
|
213 |
}
|
|
214 |
|
|
215 |
if (!empty($pconfig['gateway6']) && !is_ipaddrv6($pconfig['gateway6'])) {
|
|
216 |
$input_errors[] = gettext("The specified IPv6 gateway address is invalid.");
|
|
217 |
}
|
|
218 |
|
191 |
219 |
if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4", true)) {
|
192 |
220 |
$input_errors[] = $result;
|
193 |
221 |
}
|
... | ... | |
196 |
224 |
$input_errors[] = $result;
|
197 |
225 |
}
|
198 |
226 |
|
|
227 |
if (!empty($pconfig['inactive_seconds']) && !is_numericint($pconfig['inactive_seconds'])) {
|
|
228 |
$input_errors[] = gettext('The supplied "Inactivity Timeout" value is invalid.');
|
|
229 |
}
|
|
230 |
|
|
231 |
if (!empty($pconfig['ping_seconds']) && !is_numericint($pconfig['ping_seconds'])) {
|
|
232 |
$input_errors[] = gettext('The supplied "Ping Interval" value is invalid.');
|
|
233 |
}
|
|
234 |
if (!empty($pconfig['ping_action']) && ($pconfig['ping_action'] != 'default')) {
|
|
235 |
if (!isset($openvpn_ping_action[$pconfig['ping_action']])) {
|
|
236 |
$input_errors[] = gettext('The field "Ping Action" contains an invalid selection.');
|
|
237 |
}
|
|
238 |
if (!is_numericint($pconfig['ping_action_seconds'])) {
|
|
239 |
$input_errors[] = gettext('The supplied "Ping Action" timeout value is invalid.');
|
|
240 |
}
|
|
241 |
}
|
|
242 |
|
199 |
243 |
if ($pconfig['dns_server_enable']) {
|
200 |
244 |
if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) {
|
201 |
245 |
$input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IP address");
|
... | ... | |
239 |
283 |
if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) {
|
240 |
284 |
$input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address");
|
241 |
285 |
}
|
|
286 |
if (!empty($pconfig['nbdd_server2']) && !is_ipaddr(trim($pconfig['nbdd_server2']))) {
|
|
287 |
$input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #2' must contain a valid IP address");
|
242 |
288 |
}
|
|
289 |
}
|
243 |
290 |
|
244 |
291 |
if (!empty($pconfig['netbios_ntype']) &&
|
245 |
292 |
!array_key_exists($pconfig['netbios_ntype'], $netbios_nodetypes)) {
|
... | ... | |
255 |
302 |
if (!$input_errors) {
|
256 |
303 |
$csc = array();
|
257 |
304 |
|
|
305 |
// Handle "Reset Server Options" and "Reset Options"
|
|
306 |
if ($pconfig['override_options'] == 'remove_specified') {
|
|
307 |
// If no options are specified, keep the default behavior.
|
|
308 |
if (!empty($pconfig['remove_options'])) {
|
|
309 |
$csc['remove_options'] = implode(',', $pconfig['remove_options']);
|
|
310 |
if ($pconfig['keep_minimal']) {
|
|
311 |
$csc['keep_minimal'] = true;
|
|
312 |
}
|
|
313 |
}
|
|
314 |
} elseif ($pconfig['override_options'] == 'push_reset') {
|
|
315 |
$csc['push_reset'] = true;
|
|
316 |
if ($pconfig['keep_minimal']) {
|
|
317 |
$csc['keep_minimal'] = true;
|
|
318 |
}
|
|
319 |
}
|
|
320 |
|
258 |
321 |
if (is_array($pconfig['server_list'])) {
|
259 |
322 |
$csc['server_list'] = implode(",", $pconfig['server_list']);
|
260 |
323 |
} else {
|
... | ... | |
269 |
332 |
$csc['description'] = $pconfig['description'];
|
270 |
333 |
$csc['tunnel_network'] = $pconfig['tunnel_network'];
|
271 |
334 |
$csc['tunnel_networkv6'] = $pconfig['tunnel_networkv6'];
|
|
335 |
|
|
336 |
$csc['gateway'] = $pconfig['gateway'];
|
|
337 |
$csc['gateway6'] = $pconfig['gateway6'];
|
|
338 |
// Don't push routes if redirecting all traffic.
|
|
339 |
if (!empty($pconfig['gwredir'])) {
|
|
340 |
$csc['gwredir'] = $pconfig['gwredir'];
|
|
341 |
} else {
|
272 |
342 |
$csc['local_network'] = $pconfig['local_network'];
|
|
343 |
}
|
|
344 |
if (!empty($pconfig['gwredir6'])) {
|
|
345 |
$csc['gwredir6'] = $pconfig['gwredir6'];
|
|
346 |
} else {
|
273 |
347 |
$csc['local_networkv6'] = $pconfig['local_networkv6'];
|
|
348 |
}
|
|
349 |
|
274 |
350 |
$csc['remote_network'] = $pconfig['remote_network'];
|
275 |
351 |
$csc['remote_networkv6'] = $pconfig['remote_networkv6'];
|
276 |
|
$csc['gwredir'] = $pconfig['gwredir'];
|
277 |
|
$csc['push_reset'] = $pconfig['push_reset'];
|
278 |
|
$csc['remove_route'] = $pconfig['remove_route'];
|
279 |
352 |
|
|
353 |
if (is_numericint($pconfig['inactive_seconds'])) {
|
|
354 |
$csc['inactive_seconds'] = $pconfig['inactive_seconds'];
|
|
355 |
}
|
|
356 |
if (is_numericint($pconfig['ping_seconds'])) {
|
|
357 |
$csc['ping_seconds'] = $pconfig['ping_seconds'];
|
|
358 |
}
|
|
359 |
if (!empty($pconfig['ping_action']) && ($pconfig['ping_action'] != 'default')) {
|
|
360 |
$csc['ping_action'] = $pconfig['ping_action'];
|
|
361 |
$csc['ping_action_seconds'] = $pconfig['ping_action_seconds'];
|
|
362 |
}
|
|
363 |
|
280 |
364 |
if ($pconfig['dns_domain_enable']) {
|
281 |
365 |
$csc['dns_domain'] = $pconfig['dns_domain'];
|
282 |
366 |
}
|
... | ... | |
288 |
372 |
$csc['dns_server4'] = $pconfig['dns_server4'];
|
289 |
373 |
}
|
290 |
374 |
|
|
375 |
$csc['push_blockoutsidedns'] = $pconfig['push_blockoutsidedns'];
|
|
376 |
$csc['push_register_dns'] = $pconfig['push_register_dns'];
|
|
377 |
|
291 |
378 |
if ($pconfig['ntp_server_enable']) {
|
292 |
379 |
$csc['ntp_server1'] = $pconfig['ntp_server1'];
|
293 |
380 |
$csc['ntp_server2'] = $pconfig['ntp_server2'];
|
294 |
381 |
}
|
295 |
382 |
|
296 |
383 |
$csc['netbios_enable'] = $pconfig['netbios_enable'];
|
|
384 |
|
|
385 |
if ($pconfig['netbios_enable']) {
|
297 |
386 |
$csc['netbios_ntype'] = $pconfig['netbios_ntype'];
|
298 |
387 |
$csc['netbios_scope'] = $pconfig['netbios_scope'];
|
299 |
388 |
|
300 |
|
if ($pconfig['netbios_enable']) {
|
301 |
389 |
if ($pconfig['wins_server_enable']) {
|
302 |
390 |
$csc['wins_server1'] = $pconfig['wins_server1'];
|
303 |
391 |
$csc['wins_server2'] = $pconfig['wins_server2'];
|
304 |
392 |
}
|
305 |
393 |
|
306 |
|
if ($pconfig['dns_server_enable']) {
|
|
394 |
if ($pconfig['nbdd_server_enable']) {
|
307 |
395 |
$csc['nbdd_server1'] = $pconfig['nbdd_server1'];
|
|
396 |
$csc['nbdd_server2'] = $pconfig['nbdd_server2'];
|
308 |
397 |
}
|
309 |
398 |
}
|
310 |
399 |
|
... | ... | |
407 |
496 |
true
|
408 |
497 |
))->setHelp('Select the servers that will utilize this override. When no servers are selected, the override will apply to all servers.');
|
409 |
498 |
|
|
499 |
|
|
500 |
$section->addInput(new Form_Select(
|
|
501 |
'override_options',
|
|
502 |
'Reset Server Options',
|
|
503 |
($pconfig['override_options'] ?? 'default'),
|
|
504 |
[
|
|
505 |
'default' => 'Keep all server options (default)',
|
|
506 |
'push_reset' => 'Reset all options',
|
|
507 |
'remove_specified' => 'Remove specified options'
|
|
508 |
]
|
|
509 |
))->setHelp('Prevent this client from receiving server-defined client settings. Other client-specific options on this page will supersede these options.');
|
|
510 |
|
|
511 |
$group = new Form_Group('Remove Options');
|
|
512 |
$group->addClass('remove_options');
|
|
513 |
$group->add(new Form_Select(
|
|
514 |
'remove_options',
|
|
515 |
null,
|
|
516 |
$pconfig['remove_options'],
|
|
517 |
[
|
|
518 |
'remove_route' => 'Local Routes & Gateways',
|
|
519 |
'remove_iroute' => 'Remote Routes',
|
|
520 |
'remove_redirect_gateway' => 'Redirect Gateways',
|
|
521 |
'remove_inactive' => 'Inactivity Timeout',
|
|
522 |
'remove_ping' => 'Client Ping',
|
|
523 |
'remove_ping_action' => 'Ping Action',
|
|
524 |
'remove_dnsdomain' => 'DNS Domains',
|
|
525 |
'remove_dnsservers' => 'DNS Servers',
|
|
526 |
'remove_blockoutsidedns' => 'Block Outside DNS',
|
|
527 |
'remove_ntpservers' => 'NTP Options',
|
|
528 |
'remove_netbios_ntype' => 'NetBIOS Type',
|
|
529 |
'remove_netbios_scope' => 'NetBIOS Scope',
|
|
530 |
'remove_wins' => 'WINS Options'
|
|
531 |
],
|
|
532 |
true
|
|
533 |
))->setHelp('A "push-remove" option will be sent to the client for the selected options, removing the respective server-defined option.');
|
|
534 |
$section->add($group);
|
|
535 |
|
|
536 |
$section->addInput(new Form_Checkbox(
|
|
537 |
'keep_minimal',
|
|
538 |
'Keep minimal options',
|
|
539 |
'Automatically determine the client topology and gateway',
|
|
540 |
$pconfig['keep_minimal']
|
|
541 |
))->setHelp('If checked, generate the required client configuration when server options are reset or removed.');
|
|
542 |
|
410 |
543 |
$form->add($section);
|
411 |
544 |
|
412 |
545 |
$section = new Form_Section('Tunnel Settings');
|
... | ... | |
431 |
564 |
'<br />');
|
432 |
565 |
|
433 |
566 |
$section->addInput(new Form_Input(
|
|
567 |
'gateway',
|
|
568 |
'IPv4 Gateway',
|
|
569 |
'text',
|
|
570 |
$pconfig['gateway']
|
|
571 |
))->setHelp('This is the IPv4 Gateway to push to the client. Normally it is left blank and determined automatically.');
|
|
572 |
|
|
573 |
$section->addInput(new Form_Input(
|
|
574 |
'gateway6',
|
|
575 |
'IPv6 Gateway',
|
|
576 |
'text',
|
|
577 |
$pconfig['gateway6']
|
|
578 |
))->setHelp('This is the IPv6 Gateway to push to the client. Normally it is left blank and determined automatically.');
|
|
579 |
|
|
580 |
$section->addInput(new Form_Checkbox(
|
|
581 |
'gwredir',
|
|
582 |
'Redirect IPv4 Gateway',
|
|
583 |
'Force all client generated IPv4 traffic through the tunnel.',
|
|
584 |
$pconfig['gwredir']
|
|
585 |
));
|
|
586 |
|
|
587 |
$section->addInput(new Form_Checkbox(
|
|
588 |
'gwredir6',
|
|
589 |
'Redirect IPv6 Gateway',
|
|
590 |
'Force all client-generated IPv6 traffic through the tunnel.',
|
|
591 |
$pconfig['gwredir6']
|
|
592 |
));
|
|
593 |
|
|
594 |
$section->addInput(new Form_Input(
|
434 |
595 |
'local_network',
|
435 |
596 |
'IPv4 Local Network/s',
|
436 |
597 |
'text',
|
... | ... | |
468 |
629 |
'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.',
|
469 |
630 |
'<br />');
|
470 |
631 |
|
471 |
|
$section->addInput(new Form_Checkbox(
|
472 |
|
'gwredir',
|
473 |
|
'Redirect Gateway',
|
474 |
|
'Force all client generated traffic through the tunnel.',
|
475 |
|
$pconfig['gwredir']
|
476 |
|
));
|
477 |
|
|
478 |
632 |
$form->add($section);
|
479 |
633 |
|
480 |
|
$section = new Form_Section('Client Settings');
|
|
634 |
$section = new Form_Section('Other Client Settings');
|
481 |
635 |
|
482 |
|
$section->addInput(new Form_Checkbox(
|
483 |
|
'push_reset',
|
484 |
|
'Server Definitions',
|
485 |
|
'Prevent this client from receiving any server-defined client settings. ',
|
486 |
|
$pconfig['push_reset']
|
487 |
|
));
|
|
636 |
$section->addInput(new Form_Input(
|
|
637 |
'inactive_seconds',
|
|
638 |
'Inactivity Timeout',
|
|
639 |
'number',
|
|
640 |
$pconfig['inactive_seconds'],
|
|
641 |
['min' => '0']
|
|
642 |
))->setHelp('Set connection inactivity timeout')->setWidth(3);
|
488 |
643 |
|
489 |
|
/* as "push-reset" can break subnet topology,
|
490 |
|
* "push-remove route" removes only IPv4/IPv6 routes, see #9702 */
|
491 |
|
$section->addInput(new Form_Checkbox(
|
492 |
|
'remove_route',
|
493 |
|
'Remove Server Routes',
|
494 |
|
'Prevent this client from receiving any server-defined routes without removing any other options. ',
|
495 |
|
$pconfig['remove_route']
|
496 |
|
));
|
|
644 |
$section->addInput(new Form_Input(
|
|
645 |
'ping_seconds',
|
|
646 |
'Ping Interval',
|
|
647 |
'number',
|
|
648 |
$pconfig['ping_seconds'],
|
|
649 |
['min' => '0']
|
|
650 |
))->setHelp('Set peer ping interval')->setWidth(3);
|
497 |
651 |
|
|
652 |
$group = new Form_Group('Ping Action');
|
|
653 |
$group->add(new Form_Select(
|
|
654 |
'ping_action',
|
|
655 |
null,
|
|
656 |
$pconfig['ping_action'] ?? 'default',
|
|
657 |
array_merge([
|
|
658 |
'default' => 'Don\'t override option (default)'
|
|
659 |
], $openvpn_ping_action)
|
|
660 |
))->setHelp('Exit or restart OpenVPN client after server timeout')->setWidth(4);
|
|
661 |
$group->add(new Form_Input(
|
|
662 |
'ping_action_seconds',
|
|
663 |
'timeout seconds',
|
|
664 |
'number',
|
|
665 |
$pconfig['ping_action_seconds'],
|
|
666 |
['min' => '0']
|
|
667 |
))->setWidth(2)->addClass('ping_action_seconds');
|
|
668 |
$section->add($group);
|
|
669 |
|
498 |
670 |
$section->addInput(new Form_Checkbox(
|
499 |
671 |
'dns_domain_enable',
|
500 |
672 |
'DNS Default Domain',
|
... | ... | |
555 |
727 |
|
556 |
728 |
$section->add($group);
|
557 |
729 |
|
|
730 |
$section->addInput(new Form_Checkbox(
|
|
731 |
'push_blockoutsidedns',
|
|
732 |
'Block Outside DNS',
|
|
733 |
'Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers.',
|
|
734 |
$pconfig['push_blockoutsidedns']
|
|
735 |
))->setHelp('Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.');
|
|
736 |
|
|
737 |
$section->addInput(new Form_Checkbox(
|
|
738 |
'push_register_dns',
|
|
739 |
'Force DNS cache update',
|
|
740 |
'Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation.',
|
|
741 |
$pconfig['push_register_dns']
|
|
742 |
))->setHelp('This is known to kick Windows into recognizing pushed DNS servers.');
|
|
743 |
|
558 |
744 |
// NTP servers
|
559 |
745 |
$section->addInput(new Form_Checkbox(
|
560 |
746 |
'ntp_server_enable',
|
... | ... | |
634 |
820 |
|
635 |
821 |
$section->add($group);
|
636 |
822 |
|
|
823 |
$section->addInput(new Form_Checkbox(
|
|
824 |
'nbdd_server_enable',
|
|
825 |
'NBDD servers',
|
|
826 |
'Provide a NetBIOS over TCP/IP Datagram Distribution Servers list to clients',
|
|
827 |
$pconfig['nbdd_server_enable']
|
|
828 |
));
|
|
829 |
|
|
830 |
$group = new Form_Group(null);
|
|
831 |
|
|
832 |
$group->add(new Form_Input(
|
|
833 |
'nbdd_server1',
|
|
834 |
null,
|
|
835 |
'text',
|
|
836 |
$pconfig['nbdd_server1']
|
|
837 |
))->setHelp('Server 1');
|
|
838 |
|
|
839 |
$group->add(new Form_Input(
|
|
840 |
'nbdd_server2',
|
|
841 |
null,
|
|
842 |
'text',
|
|
843 |
$pconfig['nbdd_server2']
|
|
844 |
))->setHelp('Server 2');
|
|
845 |
|
|
846 |
$group->addClass('nbddservers');
|
|
847 |
|
|
848 |
$section->add($group);
|
|
849 |
|
637 |
850 |
$custops = new Form_Textarea(
|
638 |
851 |
'custom_options',
|
639 |
852 |
'Advanced',
|
... | ... | |
671 |
884 |
<script type="text/javascript">
|
672 |
885 |
//<![CDATA[
|
673 |
886 |
events.push(function() {
|
|
887 |
function gwredir_change() {
|
|
888 |
hideInput('local_network', ($('#gwredir').prop('checked')));
|
|
889 |
}
|
|
890 |
|
|
891 |
function gwredir6_change() {
|
|
892 |
hideInput('local_networkv6', ($('#gwredir6').prop('checked')));
|
|
893 |
}
|
|
894 |
|
|
895 |
function ping_action_change() {
|
|
896 |
hideClass('ping_action_seconds', ($('#ping_action').find('option:selected').val() == 'default'));
|
|
897 |
}
|
|
898 |
|
674 |
899 |
function dnsdomain_change() {
|
675 |
900 |
if ($('#dns_domain_enable').prop('checked')) {
|
676 |
901 |
hideClass('dnsdomain', false);
|
... | ... | |
702 |
927 |
hideInput('netbios_scope', false);
|
703 |
928 |
hideCheckbox('wins_server_enable', false);
|
704 |
929 |
setWins();
|
|
930 |
hideCheckbox('nbdd_server_enable', false);
|
|
931 |
setNbdds();
|
705 |
932 |
} else {
|
706 |
933 |
hideInput('netbios_ntype', true);
|
707 |
934 |
hideInput('netbios_scope', true);
|
708 |
935 |
hideCheckbox('wins_server_enable', true);
|
709 |
936 |
hideClass('winsservers', true);
|
|
937 |
hideCheckbox('nbdd_server_enable', true);
|
|
938 |
hideClass('nbddservers', true);
|
710 |
939 |
}
|
711 |
940 |
}
|
712 |
941 |
|
... | ... | |
714 |
943 |
hideClass('winsservers', ! $('#wins_server_enable').prop('checked'));
|
715 |
944 |
}
|
716 |
945 |
|
|
946 |
function setNbdds() {
|
|
947 |
hideClass('nbddservers', ! $('#nbdd_server_enable').prop('checked'));
|
|
948 |
}
|
|
949 |
|
|
950 |
function remove_options_change() {
|
|
951 |
hideCheckbox('keep_minimal', ($('#override_options').find('option:selected').val() == 'default'));
|
|
952 |
hideClass('remove_options', ($('#override_options').find('option:selected').val() != 'remove_specified'));
|
|
953 |
}
|
|
954 |
|
717 |
955 |
// ---------- Click checkbox handlers ---------------------------------------------------------
|
718 |
956 |
|
|
957 |
// On clicking Gateway redirect
|
|
958 |
$('#gwredir').click(function () {
|
|
959 |
gwredir_change();
|
|
960 |
});
|
|
961 |
|
|
962 |
// On clicking Gateway redirect IPv6
|
|
963 |
$('#gwredir6').click(function () {
|
|
964 |
gwredir6_change();
|
|
965 |
});
|
|
966 |
|
|
967 |
// On clicking Ping Action
|
|
968 |
$('#ping_action').click(function () {
|
|
969 |
ping_action_change();
|
|
970 |
});
|
|
971 |
|
719 |
972 |
// On clicking DNS Default Domain
|
720 |
973 |
$('#dns_domain_enable').click(function () {
|
721 |
974 |
dnsdomain_change();
|
... | ... | |
741 |
994 |
setWins();
|
742 |
995 |
});
|
743 |
996 |
|
|
997 |
// On clicking the nbdd_server_enable checkbox
|
|
998 |
$('#nbdd_server_enable').click(function () {
|
|
999 |
setNbdds();
|
|
1000 |
});
|
|
1001 |
|
|
1002 |
$('#override_options').on('change', function() {
|
|
1003 |
remove_options_change();
|
|
1004 |
});
|
744 |
1005 |
// ---------- On initial page load ------------------------------------------------------------
|
745 |
1006 |
|
|
1007 |
remove_options_change();
|
|
1008 |
gwredir_change();
|
|
1009 |
gwredir6_change();
|
|
1010 |
ping_action_change();
|
746 |
1011 |
setNetbios();
|
747 |
1012 |
dnsdomain_change();
|
748 |
1013 |
dnsservers_change();
|
749 |
|
-- a/src/etc/inc/upgrade_config.inc
|
|
1014 |
++ b/src/etc/inc/upgrade_config.inc
|
... | ... | |
7026 |
7026 |
}
|
7027 |
7027 |
}
|
7028 |
7028 |
|
|
7029 |
/* OpenVPN Client-Specific Override options have changed.
|
|
7030 |
* https://redmine.pfsense.org/issues/12522 */
|
|
7031 |
function upgrade_233_to_234() {
|
|
7032 |
$openvpn_csc_config = config_get_path('openvpn/openvpn-csc', []);
|
|
7033 |
if (empty($openvpn_csc_config)) {
|
|
7034 |
return;
|
|
7035 |
}
|
|
7036 |
foreach ($openvpn_csc_config as &$settings) {
|
|
7037 |
if (!is_array($settings)) {
|
|
7038 |
continue;
|
|
7039 |
}
|
|
7040 |
|
|
7041 |
// Migrate "remove_route"
|
|
7042 |
if (isset($settings['remove_route'])) {
|
|
7043 |
$settings['remove_options'] = 'remove_route';
|
|
7044 |
unset($settings['remove_route']);
|
|
7045 |
}
|
|
7046 |
}
|
|
7047 |
config_set_path('openvpn/openvpn-csc', $openvpn_csc_config);
|
|
7048 |
}
|
|
7049 |
|
7029 |
7050 |
/*
|
7030 |
7051 |
* Special function that is called independent of current config version. It's
|
7031 |
7052 |
* a workaround to have config_upgrade running on older versions after next
|
7032 |
|
-- a/src/etc/inc/util.inc
|
|
7053 |
++ b/src/etc/inc/util.inc
|
... | ... | |
533 |
533 |
return long2ip32(ip2long($ip) + $offset);
|
534 |
534 |
}
|
535 |
535 |
|
|
536 |
/**
|
|
537 |
* Return the next IPv6 address after the given address
|
|
538 |
*
|
|
539 |
* @param string $ip IPv6 address
|
|
540 |
*
|
|
541 |
* @return string|false IPv6 address; false if it cannot be incremented
|
|
542 |
*/
|
|
543 |
function ip6_after(string $ip): string|false {
|
|
544 |
/* Convert the IPv6 string to its in_addr representation,
|
|
545 |
* increment it by one, then convert it back to a string. */
|
|
546 |
return inet_ntop(str_pad(gmp_export(
|
|
547 |
str_increment((string) gmp_import(inet_pton($ip)))
|
|
548 |
), 16, "\0", STR_PAD_LEFT));
|
|
549 |
}
|
|
550 |
|
536 |
551 |
/* Return true if the first IP is 'before' the second */
|
537 |
552 |
function ip_less_than($ip1, $ip2) {
|
538 |
553 |
// Compare as unsigned long because otherwise it wouldn't work when
|