Project

General

Profile

Feature #12522 » openvpn_csc_patch_v1.7-pfsense-v2.7.2.patch

Phil Wardt, 07/20/2024 08:26 AM

View differences:

src/etc/inc/openvpn.inc
757 757

  
758 758
	if ($settings['netbios_enable']) {
759 759

  
760
		if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0)) {
761
			$conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";
760
		if (!empty($settings['netbios_ntype']) && ($settings['netbios_ntype'] != 0)) {
761
			$conf .= "push \"dhcp-option NBT {$settings['netbios_ntype']}\"\n";
762 762
		}
763
		if (!empty($settings['dhcp_nbtscope'])) {
764
			$conf .= "push \"dhcp-option NBS {$settings['dhcp_nbtscope']}\"\n";
763
		if (!empty($settings['netbios_scope'])) {
764
			$conf .= "push \"dhcp-option NBS {$settings['netbios_scope']}\"\n";
765 765
		}
766 766

  
767 767
		if (!empty($settings['wins_server1'])) {
......
774 774
		if (!empty($settings['nbdd_server1'])) {
775 775
			$conf .= "push \"dhcp-option NBDD {$settings['nbdd_server1']}\"\n";
776 776
		}
777
		if (!empty($settings['nbdd_server2'])) {
778
			$conf .= "push \"dhcp-option NBDD {$settings['nbdd_server2']}\"\n";
777 779
		}
780
	}
778 781

  
779 782
	if ($settings['gwredir']) {
780 783
		$conf .= "push \"redirect-gateway def1\"\n";
......
1695 1698
	}
1696 1699
	openvpn_create_dirs();
1697 1700

  
1701
	/* Some options remove the gateway or topology which are required;
1702
	 * in such cases, these can be automatically determined. */
1703
	$auto_config_gateway4 = false;
1704
	$auto_config_gateway6 = false;
1705
	$auto_config_topology = false;
1706

  
1698 1707
	if (empty($settings['server_list'])) {
1699 1708
		$csc_server_list = array();
1700 1709
	} else {
......
1706 1715
		$conf .= "disable\n";
1707 1716
	}
1708 1717

  
1718
	// Reset options
1709 1719
	if ($settings['push_reset']) {
1720
		if ($settings['keep_minimal']) {
1721
			$auto_config_gateway4 = true;
1722
			$auto_config_gateway6 = true;
1723
			$auto_config_topology = true;
1724
		}
1710 1725
		$conf .= "push-reset\n";
1726
	} elseif (!empty($settings['remove_options'])) {
1727
		foreach (explode(',', $settings['remove_options']) as $option) {
1728
			if ($settings['keep_minimal'] && ($option == 'remove_route')) {
1729
				$auto_config_gateway4 = true;
1730
				$auto_config_gateway6 = true;
1711 1731
	}
1712

  
1713
	if ($settings['remove_route']) {
1714
		$conf .= "push-remove route\n";
1732
			$options = match ($option) {
1733
				'remove_route' => 'route',
1734
				'remove_iroute' => 'iroute',
1735
				'remove_redirect_gateway' => 'redirect-gateway',
1736
				'remove_inactive' => 'inactive',
1737
				'remove_ping' => 'ping',
1738
				'remove_ping_action' => ['ping-restart', 'ping-exit'],
1739
				'remove_blockoutsidedns' => 'block-outside-dns',
1740
				'remove_dnsdomain' => '"dhcp-option DOMAIN"',
1741
				'remove_dnsservers' => '"dhcp-option DNS"',
1742
				'remove_ntpservers' => '"dhcp-option NTP"',
1743
				'remove_netbios_ntype' => '"dhcp-option NBT"',
1744
				'remove_netbios_scope' => '"dhcp-option NBS"',
1745
				'remove_wins' => '"dhcp-option WINS"'
1746
			};
1747
			if (is_array($options)) {
1748
				foreach ($options as $option_name) {
1749
					$conf .= "push-remove {$option_name}\n";
1715 1750
				}
1751
			} else {
1752
				$conf .= "push-remove {$options}\n";
1753
			}
1754
		}
1755
	}
1716 1756

  
1757
	// Local network route options
1717 1758
	if ($settings['local_network']) {
1718 1759
		$conf .= openvpn_gen_routes($settings['local_network'], "ipv4", true);
1719 1760
	}
......
1721 1762
		$conf .= openvpn_gen_routes($settings['local_networkv6'], "ipv6", true);
1722 1763
	}
1723 1764

  
1724
	// Add a remote network iroute if set
1765
	// Remote network iroute options
1725 1766
	if (openvpn_validate_cidr($settings['remote_network'], "", true, "ipv4", true) === FALSE) {
1726 1767
		$conf .= openvpn_gen_routes($settings['remote_network'], "ipv4", false, true);
1727 1768
	}
1728
	// Add a remote network iroute if set
1729 1769
	if (openvpn_validate_cidr($settings['remote_networkv6'], "", true, "ipv6", true) === FALSE) {
1730 1770
		$conf .= openvpn_gen_routes($settings['remote_networkv6'], "ipv6", false, true);
1731 1771
	}
1732 1772

  
1773
	// Gatewy override options
1774
	if (!empty($settings['gateway'])) {
1775
		$auto_config_gateway4 = false;
1776
		$conf .= "push \"route-gateway {$settings['gateway']}\"\n";
1777
	}
1778
	if (!empty($settings['gateway6'])) {
1779
		$auto_config_gateway6 = false;
1780
		$conf .= "push \"route-ipv6-gateway {$settings['gateway6']}\"\n";
1781
	}
1782

  
1783
	// Inactivity override options
1784
	if (isset($settings['inactive_seconds'])) {
1785
		$conf .= "push \"inactive {$settings['inactive_seconds']}\"\n";
1786
	}
1787

  
1788
	// Ping override options
1789
	if (isset($settings['ping_seconds'])) {
1790
		$conf .= "push \"ping {$settings['ping_seconds']}\"\n";
1791
	}
1792
	if (isset($settings['ping_action'])) {
1793
		$action = str_replace("_", "-", $settings['ping_action']);
1794
		$conf .= "push \"{$action} {$settings['ping_action_seconds']}\"\n";
1795
	}
1796

  
1797
	// DHCP and gateway redirect options
1733 1798
	openvpn_add_dhcpopts($settings, $conf);
1734 1799

  
1800
	// Custom options
1735 1801
	openvpn_add_custom($settings, $conf);
1802

  
1736 1803
	/* Loop through servers, find which ones can use this CSC */
1737 1804
	foreach (config_get_path('openvpn/openvpn-server', []) as $serversettings) {
1738 1805
		if (isset($serversettings['disable'])) {
......
1742 1809
			if ($serversettings['vpnid'] && (empty($csc_server_list) || in_array($serversettings['vpnid'], $csc_server_list))) {
1743 1810
				$csc_path = "{$g['openvpn_base']}/server{$serversettings['vpnid']}/csc/" . basename($settings['common_name']);
1744 1811
				$csc_conf = $conf;
1812

  
1813
				/* Topology is depends on the server configuration.
1814
				 * TAP mode always uses a subnet topology */
1815
				$topology = ($serversettings['dev_mode'] == 'tap') ? 'subnet' : $serversettings['topology'];
1816
				if ($auto_config_topology) {
1817
					$csc_conf .= "push \"topology {$topology}\"\n";
1818
				}
1819

  
1820
				/* The gateway is the first usable address in the tunnel network.
1821
				 * If the tunnel network is not set, the gateway must be manually
1822
				 * defined. This can happen when using a net30 topology and
1823
				 * resetting options. */
1824
				if ($auto_config_gateway6) {
1825
					// IPv6 always uses a subnet topology
1826
					$tunnel_network = null;
1827
					if (!empty($settings['tunnel_networkv6'])) {
1828
						$tunnel_network = $settings['tunnel_networkv6'];
1829
					} elseif (!empty($serversettings['tunnel_networkv6'])) {
1830
						$tunnel_network = $serversettings['tunnel_networkv6'];
1831
					}
1832
					if (!empty($tunnel_network)) {
1833
						$tunnel_network_parts = openvpn_gen_tunnel_network($tunnel_network);
1834
						$gateway = ip6_after(gen_subnetv6($tunnel_network_parts[0], $tunnel_network_parts[1]));
1835
						$csc_conf .= "push \"route-ipv6-gateway {$gateway}\"\n";
1836
					}
1837
				}
1838
				if ($auto_config_gateway4) {
1839
					$tunnel_network = null;
1840
					if ($topology == "subnet") {
1841
						// The client tunnel network is assumed to be the same as the server's
1842
						$tunnel_network = $serversettings['tunnel_network'];
1843
					} elseif (!empty($settings['tunnel_network'])) {
1844
						$tunnel_network = $settings['tunnel_network'];
1845
					}
1846
					if (!empty($tunnel_network)) {
1847
						$tunnel_network_parts = openvpn_gen_tunnel_network($tunnel_network);
1848
						$gateway = ip_after(gen_subnetv4($tunnel_network_parts[0], $tunnel_network_parts[1]), 1);
1849
						$csc_conf .= "push \"route-gateway {$gateway}\"\n";
1850
					}
1851
				}
1745 1852

  
1746 1853
				if (!empty($serversettings['tunnel_network']) && !empty($settings['tunnel_network'])) {
1747 1854
					list($ip, $mask) = openvpn_gen_tunnel_network($settings['tunnel_network']);
1748
-- a/src/usr/local/www/vpn_openvpn_csc.php
1855
++ b/src/usr/local/www/vpn_openvpn_csc.php
......
34 34
require_once("pfsense-utils.inc");
35 35
require_once("pkg-utils.inc");
36 36

  
37
global $openvpn_tls_server_modes;
37
global $openvpn_tls_server_modes, $openvpn_ping_action;
38 38

  
39 39
init_config_arr(array('openvpn', 'openvpn-csc'));
40 40
$a_csc = &$config['openvpn']['openvpn-csc'];
......
78 78

  
79 79
if (($act == "edit") || ($act == "dup")) {
80 80
	if (isset($id) && $a_csc[$id]) {
81
		$pconfig['keep_minimal'] = isset($a_csc[$id]['keep_minimal']);
82
		// Handle the "Reset Options" list
83
		if (!empty($a_csc[$id]['remove_options'])) {
84
			$pconfig['override_options'] = 'remove_specified';
85
			$pconfig['remove_options'] = explode(',', $a_csc[$id]['remove_options']);
86
		} elseif (isset($a_csc[$id]['push_reset'])) {
87
			$pconfig['override_options'] = 'push_reset';
88
		}
89

  
81 90
		$pconfig['server_list'] = explode(",", $a_csc[$id]['server_list']);
82 91
		$pconfig['custom_options'] = $a_csc[$id]['custom_options'];
83 92
		$pconfig['disable'] = isset($a_csc[$id]['disable']);
......
89 98
		$pconfig['tunnel_networkv6'] = $a_csc[$id]['tunnel_networkv6'];
90 99
		$pconfig['local_network'] = $a_csc[$id]['local_network'];
91 100
		$pconfig['local_networkv6'] = $a_csc[$id]['local_networkv6'];
101
		$pconfig['gateway'] = $a_csc[$id]['gateway'];
102
		$pconfig['gateway6'] = $a_csc[$id]['gateway6'];
92 103
		$pconfig['remote_network'] = $a_csc[$id]['remote_network'];
93 104
		$pconfig['remote_networkv6'] = $a_csc[$id]['remote_networkv6'];
94 105
		$pconfig['gwredir'] = $a_csc[$id]['gwredir'];
106
		$pconfig['gwredir6'] = $a_csc[$id]['gwredir6'];
95 107

  
96
		$pconfig['push_reset'] = $a_csc[$id]['push_reset'];
97
		$pconfig['remove_route'] = $a_csc[$id]['remove_route'];
108
		$pconfig['inactive_seconds'] = $a_csc[$id]['inactive_seconds'];
109
		$pconfig['ping_seconds'] = $a_csc[$id]['ping_seconds'];
110
		$pconfig['ping_action'] = $a_csc[$id]['ping_action'];
111
		$pconfig['ping_action_seconds'] = $a_csc[$id]['ping_action_seconds'];
98 112

  
99 113
		$pconfig['dns_domain'] = $a_csc[$id]['dns_domain'];
100 114
		if ($pconfig['dns_domain']) {
......
113 127
			$pconfig['dns_server_enable'] = true;
114 128
		}
115 129

  
130
		$pconfig['push_blockoutsidedns'] = $a_csc[$id]['push_blockoutsidedns'];
131
		$pconfig['push_register_dns'] = $a_csc[$id]['push_register_dns'];
132

  
116 133
		$pconfig['ntp_server1'] = $a_csc[$id]['ntp_server1'];
117 134
		$pconfig['ntp_server2'] = $a_csc[$id]['ntp_server2'];
118 135

  
......
134 151
		}
135 152

  
136 153
		$pconfig['nbdd_server1'] = $a_csc[$id]['nbdd_server1'];
137
		if ($pconfig['nbdd_server1']) {
154
		$pconfig['nbdd_server2'] = $a_csc[$id]['nbdd_server2'];
155

  
156
		if ($pconfig['nbdd_server1'] || $pconfig['nbdd_server2']) {
138 157
			$pconfig['nbdd_server_enable'] = true;
139 158
		}
140 159
	}
......
157 176
		$input_errors[] = gettext("This user does not have sufficient privileges to edit Advanced options on this instance.");
158 177
	}
159 178
	if (!$user_can_edit_advanced && !empty($a_csc[$id]['custom_options'])) {
179
		// Restore the "custom options" field
160 180
		$pconfig['custom_options'] = $a_csc[$id]['custom_options'];
161 181
	}
162 182

  
......
180 200
		$input_errors[] = gettext("The field 'IPv6 Tunnel Network' must contain a valid IPv6 prefix or an alias with a single IPv6 prefix.");
181 201
	}
182 202

  
183
	if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4", true)) {
203
	if (empty($pconfig['gwredir']) && ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4", true))) {
184 204
		$input_errors[] = $result;
185 205
	}
186 206

  
187
	if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6", true)) {
207
	if (empty($pconfig['gwredir6']) && ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6", true))) {
188 208
		$input_errors[] = $result;
189 209
	}
190 210

  
211
	if (!empty($pconfig['gateway']) && !is_ipaddrv4($pconfig['gateway'])) {
212
		$input_errors[] = gettext("The specified IPv4 gateway address is invalid.");
213
	}
214

  
215
	if (!empty($pconfig['gateway6']) && !is_ipaddrv6($pconfig['gateway6'])) {
216
		$input_errors[] = gettext("The specified IPv6 gateway address is invalid.");
217
	}
218

  
191 219
	if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4", true)) {
192 220
		$input_errors[] = $result;
193 221
	}
......
196 224
		$input_errors[] = $result;
197 225
	}
198 226

  
227
	if (!empty($pconfig['inactive_seconds']) && !is_numericint($pconfig['inactive_seconds'])) {
228
		$input_errors[] = gettext('The supplied "Inactivity Timeout" value is invalid.');
229
	}
230

  
231
	if (!empty($pconfig['ping_seconds']) && !is_numericint($pconfig['ping_seconds'])) {
232
		$input_errors[] = gettext('The supplied "Ping Interval" value is invalid.');
233
	}
234
	if (!empty($pconfig['ping_action']) && ($pconfig['ping_action'] != 'default')) {
235
		if (!isset($openvpn_ping_action[$pconfig['ping_action']])) {
236
			$input_errors[] = gettext('The field "Ping Action" contains an invalid selection.');
237
		}
238
		if (!is_numericint($pconfig['ping_action_seconds'])) {
239
			$input_errors[] = gettext('The supplied "Ping Action" timeout value is invalid.');
240
		}
241
	}
242

  
199 243
	if ($pconfig['dns_server_enable']) {
200 244
		if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) {
201 245
			$input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IP address");
......
239 283
			if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) {
240 284
				$input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address");
241 285
			}
286
			if (!empty($pconfig['nbdd_server2']) && !is_ipaddr(trim($pconfig['nbdd_server2']))) {
287
				$input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #2' must contain a valid IP address");
242 288
			}
289
		}
243 290

  
244 291
		if (!empty($pconfig['netbios_ntype']) &&
245 292
		    !array_key_exists($pconfig['netbios_ntype'], $netbios_nodetypes)) {
......
255 302
	if (!$input_errors) {
256 303
		$csc = array();
257 304

  
305
		// Handle "Reset Server Options" and "Reset Options"
306
		if ($pconfig['override_options'] == 'remove_specified') {
307
			// If no options are specified, keep the default behavior.
308
			if (!empty($pconfig['remove_options'])) {
309
				$csc['remove_options'] = implode(',', $pconfig['remove_options']);
310
				if ($pconfig['keep_minimal']) {
311
					$csc['keep_minimal'] = true;
312
				}
313
			}
314
		} elseif ($pconfig['override_options'] == 'push_reset') {
315
			$csc['push_reset'] = true;
316
			if ($pconfig['keep_minimal']) {
317
				$csc['keep_minimal'] = true;
318
			}
319
		}
320

  
258 321
		if (is_array($pconfig['server_list'])) {
259 322
			$csc['server_list'] = implode(",", $pconfig['server_list']);
260 323
		} else {
......
269 332
		$csc['description'] = $pconfig['description'];
270 333
		$csc['tunnel_network'] = $pconfig['tunnel_network'];
271 334
		$csc['tunnel_networkv6'] = $pconfig['tunnel_networkv6'];
335

  
336
		$csc['gateway'] = $pconfig['gateway'];
337
		$csc['gateway6'] = $pconfig['gateway6'];
338
		// Don't push routes if redirecting all traffic.
339
		if (!empty($pconfig['gwredir'])) {
340
			$csc['gwredir'] = $pconfig['gwredir'];
341
		} else {
272 342
			$csc['local_network'] = $pconfig['local_network'];
343
		}
344
		if (!empty($pconfig['gwredir6'])) {
345
			$csc['gwredir6'] = $pconfig['gwredir6'];
346
		} else {
273 347
			$csc['local_networkv6'] = $pconfig['local_networkv6'];
348
		}
349

  
274 350
		$csc['remote_network'] = $pconfig['remote_network'];
275 351
		$csc['remote_networkv6'] = $pconfig['remote_networkv6'];
276
		$csc['gwredir'] = $pconfig['gwredir'];
277
		$csc['push_reset'] = $pconfig['push_reset'];
278
		$csc['remove_route'] = $pconfig['remove_route'];
279 352

  
353
		if (is_numericint($pconfig['inactive_seconds'])) {
354
			$csc['inactive_seconds'] = $pconfig['inactive_seconds'];
355
		}
356
		if (is_numericint($pconfig['ping_seconds'])) {
357
			$csc['ping_seconds'] = $pconfig['ping_seconds'];
358
		}
359
		if (!empty($pconfig['ping_action']) && ($pconfig['ping_action'] != 'default')) {
360
			$csc['ping_action'] = $pconfig['ping_action'];
361
			$csc['ping_action_seconds'] = $pconfig['ping_action_seconds'];
362
		}
363

  
280 364
		if ($pconfig['dns_domain_enable']) {
281 365
			$csc['dns_domain'] = $pconfig['dns_domain'];
282 366
		}
......
288 372
			$csc['dns_server4'] = $pconfig['dns_server4'];
289 373
		}
290 374

  
375
		$csc['push_blockoutsidedns'] = $pconfig['push_blockoutsidedns'];
376
		$csc['push_register_dns'] = $pconfig['push_register_dns'];
377

  
291 378
		if ($pconfig['ntp_server_enable']) {
292 379
			$csc['ntp_server1'] = $pconfig['ntp_server1'];
293 380
			$csc['ntp_server2'] = $pconfig['ntp_server2'];
294 381
		}
295 382

  
296 383
		$csc['netbios_enable'] = $pconfig['netbios_enable'];
384

  
385
		if ($pconfig['netbios_enable']) {
297 386
		$csc['netbios_ntype'] = $pconfig['netbios_ntype'];
298 387
		$csc['netbios_scope'] = $pconfig['netbios_scope'];
299 388

  
300
		if ($pconfig['netbios_enable']) {
301 389
			if ($pconfig['wins_server_enable']) {
302 390
				$csc['wins_server1'] = $pconfig['wins_server1'];
303 391
				$csc['wins_server2'] = $pconfig['wins_server2'];
304 392
			}
305 393

  
306
			if ($pconfig['dns_server_enable']) {
394
			if ($pconfig['nbdd_server_enable']) {
307 395
				$csc['nbdd_server1'] = $pconfig['nbdd_server1'];
396
				$csc['nbdd_server2'] = $pconfig['nbdd_server2'];
308 397
			}
309 398
		}
310 399

  
......
407 496
		true
408 497
		))->setHelp('Select the servers that will utilize this override. When no servers are selected, the override will apply to all servers.');
409 498

  
499

  
500
	$section->addInput(new Form_Select(
501
		'override_options',
502
		'Reset Server Options',
503
		($pconfig['override_options'] ?? 'default'),
504
		[
505
			'default' => 'Keep all server options (default)',
506
			'push_reset' => 'Reset all options',
507
			'remove_specified' => 'Remove specified options'
508
		]
509
	))->setHelp('Prevent this client from receiving server-defined client settings. Other client-specific options on this page will supersede these options.');
510

  
511
	$group = new Form_Group('Remove Options');
512
	$group->addClass('remove_options');
513
	$group->add(new Form_Select(
514
		'remove_options',
515
		null,
516
		$pconfig['remove_options'],
517
		[
518
			'remove_route' => 'Local Routes & Gateways',
519
			'remove_iroute' => 'Remote Routes',
520
			'remove_redirect_gateway' => 'Redirect Gateways',
521
			'remove_inactive' => 'Inactivity Timeout',
522
			'remove_ping' => 'Client Ping',
523
			'remove_ping_action' => 'Ping Action',
524
			'remove_dnsdomain' => 'DNS Domains',
525
			'remove_dnsservers' => 'DNS Servers',
526
			'remove_blockoutsidedns' => 'Block Outside DNS',
527
			'remove_ntpservers' => 'NTP Options',
528
			'remove_netbios_ntype' => 'NetBIOS Type',
529
			'remove_netbios_scope' => 'NetBIOS Scope',
530
			'remove_wins' => 'WINS Options'
531
		],
532
		true
533
	))->setHelp('A "push-remove" option will be sent to the client for the selected options, removing the respective server-defined option.');
534
	$section->add($group);
535

  
536
	$section->addInput(new Form_Checkbox(
537
		'keep_minimal',
538
		'Keep minimal options',
539
		'Automatically determine the client topology and gateway',
540
		$pconfig['keep_minimal']
541
	))->setHelp('If checked, generate the required client configuration when server options are reset or removed.');
542

  
410 543
	$form->add($section);
411 544

  
412 545
	$section = new Form_Section('Tunnel Settings');
......
431 564
			'<br />');
432 565

  
433 566
	$section->addInput(new Form_Input(
567
		'gateway',
568
		'IPv4 Gateway',
569
		'text',
570
		$pconfig['gateway']
571
	))->setHelp('This is the IPv4 Gateway to push to the client. Normally it is left blank and determined automatically.');
572

  
573
	$section->addInput(new Form_Input(
574
		'gateway6',
575
		'IPv6 Gateway',
576
		'text',
577
		$pconfig['gateway6']
578
	))->setHelp('This is the IPv6 Gateway to push to the client. Normally it is left blank and determined automatically.');
579

  
580
	$section->addInput(new Form_Checkbox(
581
		'gwredir',
582
		'Redirect IPv4 Gateway',
583
		'Force all client generated IPv4 traffic through the tunnel.',
584
		$pconfig['gwredir']
585
	));
586

  
587
	$section->addInput(new Form_Checkbox(
588
		'gwredir6',
589
		'Redirect IPv6 Gateway',
590
		'Force all client-generated IPv6 traffic through the tunnel.',
591
		$pconfig['gwredir6']
592
	));
593

  
594
	$section->addInput(new Form_Input(
434 595
		'local_network',
435 596
		'IPv4 Local Network/s',
436 597
		'text',
......
468 629
		    'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.',
469 630
			'<br />');
470 631

  
471
	$section->addInput(new Form_Checkbox(
472
		'gwredir',
473
		'Redirect Gateway',
474
		'Force all client generated traffic through the tunnel.',
475
		$pconfig['gwredir']
476
	));
477

  
478 632
	$form->add($section);
479 633

  
480
	$section = new Form_Section('Client Settings');
634
	$section = new Form_Section('Other Client Settings');
481 635

  
482
	$section->addInput(new Form_Checkbox(
483
		'push_reset',
484
		'Server Definitions',
485
		'Prevent this client from receiving any server-defined client settings. ',
486
		$pconfig['push_reset']
487
	));
636
	$section->addInput(new Form_Input(
637
		'inactive_seconds',
638
		'Inactivity Timeout',
639
		'number',
640
		$pconfig['inactive_seconds'],
641
		['min' => '0']
642
	))->setHelp('Set connection inactivity timeout')->setWidth(3);
488 643

  
489
	/* as "push-reset" can break subnet topology, 
490
	 * "push-remove route" removes only IPv4/IPv6 routes, see #9702 */
491
	$section->addInput(new Form_Checkbox(
492
		'remove_route',
493
		'Remove Server Routes',
494
		'Prevent this client from receiving any server-defined routes without removing any other options. ',
495
		$pconfig['remove_route']
496
	));
644
	$section->addInput(new Form_Input(
645
		'ping_seconds',
646
		'Ping Interval',
647
		'number',
648
		$pconfig['ping_seconds'],
649
		['min' => '0']
650
	))->setHelp('Set peer ping interval')->setWidth(3);
497 651

  
652
	$group = new Form_Group('Ping Action');
653
	$group->add(new Form_Select(
654
		'ping_action',
655
		null,
656
		$pconfig['ping_action'] ?? 'default',
657
		array_merge([
658
			'default' => 'Don\'t override option (default)'
659
		], $openvpn_ping_action)
660
	))->setHelp('Exit or restart OpenVPN client after server timeout')->setWidth(4);
661
	$group->add(new Form_Input(
662
		'ping_action_seconds',
663
		'timeout seconds',
664
		'number',
665
		$pconfig['ping_action_seconds'],
666
		['min' => '0']
667
	))->setWidth(2)->addClass('ping_action_seconds');
668
	$section->add($group);
669

  
498 670
	$section->addInput(new Form_Checkbox(
499 671
		'dns_domain_enable',
500 672
		'DNS Default Domain',
......
555 727

  
556 728
	$section->add($group);
557 729

  
730
	$section->addInput(new Form_Checkbox(
731
		'push_blockoutsidedns',
732
		'Block Outside DNS',
733
		'Make Windows 10 Clients Block access to DNS servers except across OpenVPN while connected, forcing clients to use only VPN DNS servers.',
734
		$pconfig['push_blockoutsidedns']
735
	))->setHelp('Requires Windows 10 and OpenVPN 2.3.9 or later. Only Windows 10 is prone to DNS leakage in this way, other clients will ignore the option as they are not affected.');
736

  
737
	$section->addInput(new Form_Checkbox(
738
		'push_register_dns',
739
		'Force DNS cache update',
740
		'Run "net stop dnscache", "net start dnscache", "ipconfig /flushdns" and "ipconfig /registerdns" on connection initiation.',
741
		$pconfig['push_register_dns']
742
	))->setHelp('This is known to kick Windows into recognizing pushed DNS servers.');
743

  
558 744
	// NTP servers
559 745
	$section->addInput(new Form_Checkbox(
560 746
		'ntp_server_enable',
......
634 820

  
635 821
	$section->add($group);
636 822

  
823
	$section->addInput(new Form_Checkbox(
824
		'nbdd_server_enable',
825
		'NBDD servers',
826
		'Provide a NetBIOS over TCP/IP Datagram Distribution Servers list to clients',
827
		$pconfig['nbdd_server_enable']
828
	));
829

  
830
	$group = new Form_Group(null);
831

  
832
	$group->add(new Form_Input(
833
		'nbdd_server1',
834
		null,
835
		'text',
836
		$pconfig['nbdd_server1']
837
	))->setHelp('Server 1');
838

  
839
	$group->add(new Form_Input(
840
		'nbdd_server2',
841
		null,
842
		'text',
843
		$pconfig['nbdd_server2']
844
	))->setHelp('Server 2');
845

  
846
	$group->addClass('nbddservers');
847

  
848
	$section->add($group);
849

  
637 850
	$custops = new Form_Textarea(
638 851
		'custom_options',
639 852
		'Advanced',
......
671 884
<script type="text/javascript">
672 885
//<![CDATA[
673 886
events.push(function() {
887
	function gwredir_change() {
888
		hideInput('local_network', ($('#gwredir').prop('checked')));
889
	}
890

  
891
	function gwredir6_change() {
892
		hideInput('local_networkv6', ($('#gwredir6').prop('checked')));
893
	}
894

  
895
	function ping_action_change() {
896
		hideClass('ping_action_seconds', ($('#ping_action').find('option:selected').val() == 'default'));
897
	}
898

  
674 899
	function dnsdomain_change() {
675 900
		if ($('#dns_domain_enable').prop('checked')) {
676 901
			hideClass('dnsdomain', false);
......
702 927
			hideInput('netbios_scope', false);
703 928
			hideCheckbox('wins_server_enable', false);
704 929
			setWins();
930
			hideCheckbox('nbdd_server_enable', false);
931
			setNbdds();
705 932
		} else {
706 933
			hideInput('netbios_ntype', true);
707 934
			hideInput('netbios_scope', true);
708 935
			hideCheckbox('wins_server_enable', true);
709 936
			hideClass('winsservers', true);
937
			hideCheckbox('nbdd_server_enable', true);
938
			hideClass('nbddservers', true);
710 939
		}
711 940
	}
712 941

  
......
714 943
		hideClass('winsservers', ! $('#wins_server_enable').prop('checked'));
715 944
	}
716 945

  
946
	function setNbdds() {
947
		hideClass('nbddservers', ! $('#nbdd_server_enable').prop('checked'));
948
	}
949

  
950
	function remove_options_change() {
951
		hideCheckbox('keep_minimal', ($('#override_options').find('option:selected').val() == 'default'));
952
		hideClass('remove_options', ($('#override_options').find('option:selected').val() != 'remove_specified'));
953
	}
954

  
717 955
	// ---------- Click checkbox handlers ---------------------------------------------------------
718 956

  
957
	 // On clicking Gateway redirect
958
	$('#gwredir').click(function () {
959
		gwredir_change();
960
	});
961

  
962
	 // On clicking Gateway redirect IPv6
963
	$('#gwredir6').click(function () {
964
		gwredir6_change();
965
	});
966

  
967
	 // On clicking Ping Action
968
	$('#ping_action').click(function () {
969
		ping_action_change();
970
	});
971

  
719 972
	 // On clicking DNS Default Domain
720 973
	$('#dns_domain_enable').click(function () {
721 974
		dnsdomain_change();
......
741 994
		setWins();
742 995
	});
743 996

  
997
	// On clicking the nbdd_server_enable checkbox
998
	$('#nbdd_server_enable').click(function () {
999
		setNbdds();
1000
	});
1001

  
1002
	$('#override_options').on('change', function() {
1003
		remove_options_change();
1004
	});
744 1005
	// ---------- On initial page load ------------------------------------------------------------
745 1006

  
1007
	remove_options_change();
1008
	gwredir_change();
1009
	gwredir6_change();
1010
	ping_action_change();
746 1011
	setNetbios();
747 1012
	dnsdomain_change();
748 1013
	dnsservers_change();
749
-- a/src/etc/inc/upgrade_config.inc
1014
++ b/src/etc/inc/upgrade_config.inc
......
7026 7026
	}
7027 7027
}
7028 7028

  
7029
/* OpenVPN Client-Specific Override options have changed.
7030
 * https://redmine.pfsense.org/issues/12522 */
7031
 function upgrade_233_to_234() {
7032
	$openvpn_csc_config = config_get_path('openvpn/openvpn-csc', []);
7033
	if (empty($openvpn_csc_config)) {
7034
		return;
7035
	}
7036
	foreach ($openvpn_csc_config as &$settings) {
7037
		if (!is_array($settings)) {
7038
			continue;
7039
		}
7040

  
7041
		// Migrate "remove_route"
7042
		if (isset($settings['remove_route'])) {
7043
			$settings['remove_options'] = 'remove_route';
7044
			unset($settings['remove_route']);
7045
		}
7046
	}
7047
	config_set_path('openvpn/openvpn-csc', $openvpn_csc_config);
7048
}
7049

  
7029 7050
/*
7030 7051
 * Special function that is called independent of current config version. It's
7031 7052
 * a workaround to have config_upgrade running on older versions after next
7032
-- a/src/etc/inc/util.inc
7053
++ b/src/etc/inc/util.inc
......
533 533
	return long2ip32(ip2long($ip) + $offset);
534 534
}
535 535

  
536
/**
537
 * Return the next IPv6 address after the given address
538
 * 
539
 * @param string $ip IPv6 address
540
 * 
541
 * @return string|false IPv6 address; false if it cannot be incremented
542
 */
543
function ip6_after(string $ip): string|false {
544
	/* Convert the IPv6 string to its in_addr representation,
545
	 * increment it by one, then convert it back to a string. */
546
	return inet_ntop(str_pad(gmp_export(
547
		str_increment((string) gmp_import(inet_pton($ip)))
548
	), 16, "\0", STR_PAD_LEFT));
549
}
550

  
536 551
/* Return true if the first IP is 'before' the second */
537 552
function ip_less_than($ip1, $ip2) {
538 553
	// Compare as unsigned long because otherwise it wouldn't work when
(12-12/14)