pfSense

<?php

/*

	vpn.inc

	All rights reserved.

	All rights reserved.

	modification, are permitted provided that the following conditions are met:

	   this list of conditions and the following disclaimer.

	   notice, this list of conditions and the following disclaimer in the

	   documentation and/or other materials provided with the distribution.

	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE

	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,

	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF

	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)

	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

	POSSIBILITY OF SUCH DAMAGE.

*/

require_once("functions.inc");

function find_last_gif_device() {

        $last_gif_found = -1;

        if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1;

        $ifconfig_data = fread($fp, 4096);

        pclose($fp);

        $ifconfig_array = split(" ", $ifconfig_data);

        foreach ($ifconfig_array as $ifconfig) {

                ereg("gif(.)", $ifconfig, $regs);

                if($regs[0]) {

                        if($regs[0] > $last_gif_found)

                                $last_gif_found = $regs[1];

                }

        }

        return $last_gif_found;

}

	global $config, $g;

	} else {

		mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");

	for($x=0; $x<$number_of_gifs; $x++) {

		mwexec("/sbin/ifconfig gif" . $x . " delete");

	}

	$ipseccfg = $config['ipsec'];

	$lancfg = $config['interfaces']['lan'];

	$lanip = $lancfg['ipaddr'];

	$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);

	$lansn = $lancfg['subnet'];

		if (!isset($ipseccfg['enable']))

			return 0;

	} else {

		/* kill racoon */

		killbypid("{$g['varrun_path']}/racoon.pid");

		sleep(2);

		sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");

	}

	mwexec("/usr/sbin/setkey -FP");

	mwexec("/usr/sbin/setkey -F");

			/* IP address not configured yet, exit */

			if ($g['booting'])

				echo "done\n";

			return 0;

		}

				isset($ipseccfg['mobileclients']['enable'])) {

				$fd = fopen("{$g['varetc_path']}/spd.conf", "w");

				if (!$fd) {

					printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n");

					return 1;

				}

				$spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";

						continue;

					if (!$ep)

						continue;

					if(isset($tunnel['creategif'])) {

						$number_of_gifs = find_last_gif_device();

						$number_of_gifs++;

						$curwanip = get_current_wan_address();

						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']);

						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");

					}

					$spdconf .= "spdadd {$sa}/{$sn} " .

						"{$tunnel['remote-subnet']} any -P out ipsec " .

						"{$tunnel['remote-gateway']}/unique;\n";

					$spdconf .= "spdadd {$tunnel['remote-subnet']} " .

						"{$sa}/{$sn} any -P in ipsec " .

						"{$ep}/unique;\n";

				}

				fclose($fd);

				mwexec("/usr/sbin/setkey -c < {$g['varetc_path']}/spd.conf");

			}

			$fd = fopen("{$g['varetc_path']}/racoon.conf", "w");

			if (!$fd) {

				printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n");

				return 1;

			}

				foreach ($ipseccfg['tunnel'] as $tunnel) {

					continue;

				if (!$ep)

					continue;

					$myidentt = "address";

					$myident = $ep;

				} else if (isset($tunnel['p1']['myident']['address'])) {

					$myidentt = "address";

					$myident = $tunnel['p1']['myident']['address'];

				} else if (isset($tunnel['p1']['myident']['fqdn'])) {

					$myidentt = "fqdn";

					$myident = $tunnel['p1']['myident']['fqdn'];

				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {

					$myidentt = "user_fqdn";

					$myident = $tunnel['p1']['myident']['ufqdn'];

 				}

remote {$tunnel['remote-gateway']} \{

	exchange_mode {$tunnel['p1']['mode']};

	my_identifier {$myidentt} "{$myident}";

	peers_identifier address {$tunnel['remote-gateway']};

	initial_contact on;

	support_proxy on;

	proposal_check obey;

	proposal \{

		encryption_algorithm {$tunnel['p1']['encryption-algorithm']};

		hash_algorithm {$tunnel['p1']['hash-algorithm']};

		authentication_method pre_shared_key;

		dh_group {$tunnel['p1']['dhgroup']};

EOD;

				if ($tunnel['p1']['lifetime'])

					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";

					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";

				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);

sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{

	encryption_algorithm {$p2ealgos};

	authentication_algorithm {$p2halgos};

	compression_algorithm deflate;

EOD;

				if ($tunnel['p2']['pfsgroup'])

					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";

					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";

			}

			if (isset($ipseccfg['mobileclients']['enable'])) {

					$myidentt = "address";

					$myident = $curwanip;

				} else if (isset($tunnel['p1']['myident']['address'])) {

					$myidentt = "address";

					$myident = $tunnel['p1']['myident']['address'];

				} else if (isset($tunnel['p1']['myident']['fqdn'])) {

					$myidentt = "fqdn";

					$myident = $tunnel['p1']['myident']['fqdn'];

				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {

					$myidentt = "user_fqdn";

					$myident = $tunnel['p1']['myident']['ufqdn'];

 				}

remote anonymous \{

	exchange_mode {$tunnel['p1']['mode']};

	my_identifier {$myidentt} "{$myident}";

	initial_contact on;

	passive on;

	generate_policy on;

	support_proxy on;

	proposal_check obey;

	proposal \{

		encryption_algorithm {$tunnel['p1']['encryption-algorithm']};

		hash_algorithm {$tunnel['p1']['hash-algorithm']};

		authentication_method pre_shared_key;

		dh_group {$tunnel['p1']['dhgroup']};

EOD;

				if ($tunnel['p1']['lifetime'])

					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";

					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";

				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);

sainfo anonymous \{

	encryption_algorithm {$p2ealgos};

	authentication_algorithm {$p2halgos};

	compression_algorithm deflate;

EOD;

				if ($tunnel['p2']['pfsgroup'])

					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";

					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";

			}

			fclose($fd);

			$fd = fopen("{$g['varetc_path']}/psk.txt", "w");

			if (!$fd) {

				printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n");

				return 1;

			}

				foreach ($ipseccfg['tunnel'] as $tunnel) {

					if (isset($tunnel['disabled']))

						continue;

					$pskconf .= "{$tunnel['remote-gateway']}	 {$tunnel['p1']['pre-shared-key']}\n";

				}

			}

			if (is_array($ipseccfg['mobilekey'])) {

				foreach ($ipseccfg['mobilekey'] as $key) {

					$pskconf .= "{$key['ident']}	{$key['pre-shared-key']}\n";

				}

			}

			fclose($fd);

			chmod("{$g['varetc_path']}/psk.txt", 0600);

			mwexec("/usr/local/sbin/racoon -d -f {$g['varetc_path']}/racoon.conf");

				if (isset($tunnel['auto'])) {

					$remotehost = substr($tunnel['remote-subnet'],0,strpos($tunnel['remote-subnet'],"/"));

					$srchost = vpn_endpoint_determine($tunnel, $curwanip);

					if ($srchost)

						mwexec_bg("/sbin/ping -c 1 -S {$srchost} {$remotehost}");

				}

			}

		}

	}

		/* reload the filter */

		filter_configure();

	}

		echo "done\n";

}

function vpn_pptpd_configure() {

	global $config, $g;

	$pptpdcfg = $config['pptpd'];

		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))

			return 0;

		killbypid("{$g['varrun_path']}/mpd-vpn.pid");

		sleep(2);

		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf");

		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links");

		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret");

	}

	if (!file_exists("{$g['varetc_path']}/mpd-vpn"))

		mkdir("{$g['varetc_path']}/mpd-vpn");

			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w");

			if (!$fd) {

				printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n");

				return 1;

			}

pptpd:

EOD;

			for ($i = 0; $i < $g['n_pptp_units']; $i++) {

				$mpdconf .= "	load pt{$i}\n";

			}

				$ngif = "ng" . ($i+1);

pt{$i}:

	new -i {$ngif} pt{$i} pt{$i}

	set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32

	load pts

EOD;

			}

pts:

	set iface disable on-demand

	set iface enable proxy-arp

	set iface enable tcpmssfix

	set iface idle 1800

	set iface up-script /usr/local/sbin/vpn-linkup

	set iface down-script /usr/local/sbin/vpn-linkdown

	set bundle enable multilink

	set bundle enable crypt-reqd

	set link yes acfcomp protocomp

	set link no pap chap

	set link enable chap-msv2

	set link mtu 1460

	set link keep-alive 10 60

	set ipcp yes vjcomp

	set bundle enable compression

	set ccp yes mppc

	set ccp yes mpp-e128

	set ccp yes mpp-stateless

EOD;

				$mpdconf .= <<<EOD

	set ccp yes mpp-e40

	set ccp yes mpp-e56

EOD;

			}

				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];

				if ($syscfg['dnsserver'][0])

					$mpdconf .= " " . $syscfg['dnsserver'][0];

				$mpdconf .= "\n";

			} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {

				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";

			}

				$mpdconf .= <<<EOD

	set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}"

	set radius retries 3

	set radius timeout 10

	set bundle enable radius-auth

	set bundle disable radius-fallback

EOD;

				if (isset($pptpdcfg['radius']['accounting'])) {

					$mpdconf .= <<<EOD

	set bundle enable radius-acct

EOD;

				}

			}

			fwrite($fd, $mpdconf);

			fclose($fd);

			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w");

			if (!$fd) {

				printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n");

				return 1;

			}

				$mpdlinks .= <<<EOD

pt{$i}:

	set link type pptp

	set pptp enable incoming

	set pptp disable originate

	set pptp disable windowing

	set pptp self 127.0.0.1

EOD;

			}

			fwrite($fd, $mpdlinks);

			fclose($fd);

			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w");

			if (!$fd) {

				printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n");

				return 1;

			}

				foreach ($pptpdcfg['user'] as $user)

					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";

			}

			fwrite($fd, $mpdsecret);

			fclose($fd);

			chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);

			mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd");

			break;

	}

		/* reload the filter */

		filter_configure();

	}

		echo "done\n";

}

function vpn_localnet_determine($adr, &$sa, &$sn) {

	global $config, $g;

	if (isset($adr)) {

				case 'lan':

					$sn = $config['interfaces']['lan']['subnet'];

					$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);

					break;

			}

		} else if ($adr['address']) {

			list($sa,$sn) = explode("/", $adr['address']);

			if (is_null($sn))

				$sn = 32;

		}

	} else {

		$sn = $config['interfaces']['lan']['subnet'];

		$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);

	}

}

function vpn_endpoint_determine($tunnel, $curwanip) {

		if ($curwanip)

			return $curwanip;

		else

			return null;

	} else if ($tunnel['interface'] == "lan") {

		return $config['interfaces']['lan']['ipaddr'];

	} else {

		$oc = $config['interfaces'][$tunnel['interface']];

			return $oc['ipaddr'];

		}

	}

}