/usr/local/www/vpn_openvpn_client.php - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/usr/local/www/vpn_openvpn_client.php @ aa49b6b3

-e545b4
+<?php
-            d799787e
+/*
 	vpn_openvpn_client.php
 	Copyright (C) 2008 Shrew Soft Inc.
-            ce77a9c4
+	Copyright (C) 2013-2015 Electric Sheep Fencing, LP
-e545b4
+	All rights reserved.
-            d799787e
+            Matthew Grooms
 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are met:
-e545b4
+            jim-p
-            d799787e
+. Redistributions of source code must retain the above copyright notice,
 	   this list of conditions and the following disclaimer.
-e545b4
+            jim-p
-            d799787e
+. Redistributions in binary form must reproduce the above copyright
 	   notice, this list of conditions and the following disclaimer in the
 	   documentation and/or other materials provided with the distribution.
-e545b4
+            jim-p
-            d799787e
+	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
 	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
 	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 	POSSIBILITY OF SUCH DAMAGE.
 */
 ##|+PRIV
 ##|*IDENT=page-openvpn-client
 ##|*NAME=OpenVPN: Client page
 ##|*DESCR=Allow access to the 'OpenVPN: Client' page.
 ##|*MATCH=vpn_openvpn_client.php*
 ##|-PRIV
 require("guiconfig.inc");
-            d84bd468
+require_once("openvpn.inc");
-            d799787e
+            Matthew Grooms
-fa7a468
+$pgtitle = array(gettext("OpenVPN"), gettext("Client"));
-            b32dd0a6
+$shortcut_section = "openvpn";
-            d799787e
+            Matthew Grooms
 if (!is_array($config['openvpn']['openvpn-client']))
 	$config['openvpn']['openvpn-client'] = array();
 $a_client = &$config['openvpn']['openvpn-client'];
-e66b6
+if (!is_array($config['ca']))
 	$config['ca'] = array();
 $a_ca =& $config['ca'];
 if (!is_array($config['cert']))
 	$config['cert'] = array();
 $a_cert =& $config['cert'];
 if (!is_array($config['crl']))
 	$config['crl'] = array();
 $a_crl =& $config['crl'];
-            e41ec584
+if (is_numericint($_GET['id']))
 	$id = $_GET['id'];
 if (isset($_POST['id']) && is_numericint($_POST['id']))
-            d799787e
+	$id = $_POST['id'];
 $act = $_GET['act'];
 if (isset($_POST['act']))
 	$act = $_POST['act'];
-d9b1074
+if (isset($id) && $a_client[$id])
 	$vpnid = $a_client[$id]['vpnid'];
 else
 	$vpnid = 0;
-            d799787e
+if ($_GET['act'] == "del") {
-cf960
+	if (!isset($a_client[$id])) {
-            d799787e
+		pfSenseHeader("vpn_openvpn_client.php");
 		exit;
+	}
-cf960
+	if (!empty($a_client[$id]))
 		openvpn_delete('client', $a_client[$id]);
-            d799787e
+	unset($a_client[$id]);
 	write_config();
-cd558b6
+	$savemsg = gettext("Client successfully deleted")."<br />";
-            d799787e
+            Matthew Grooms
-            f432e364
+if($_GET['act']=="new"){
-c11bd3c
+	$pconfig['autokey_enable'] = "yes";
 	$pconfig['tlsauth_enable'] = "yes";
 	$pconfig['autotls_enable'] = "yes";
-            f432e364
+	$pconfig['interface'] = "wan";
 	$pconfig['server_port'] = 1194;
-            b9e9903d
+	$pconfig['verbosity_level'] = 1; // Default verbosity is 1
-d5b59b
+	// OpenVPN Defaults to SHA1
 	$pconfig['digest'] = "SHA1";
-            f432e364
+            Matthew Grooms
-f242576
+global $simplefields;
 $simplefields = array('auth_user','auth_pass');
-            d799787e
+if($_GET['act']=="edit"){
 	if (isset($id) && $a_client[$id]) {
-f242576
+		foreach($simplefields as $stat)
 			$pconfig[$stat] = $a_client[$id][$stat];
-e545b4
+            jim-p
-ee63
+		$pconfig['disable'] = isset($a_client[$id]['disable']);
-c11bd3c
+		$pconfig['mode'] = $a_client[$id]['mode'];
-            d799787e
+		$pconfig['protocol'] = $a_client[$id]['protocol'];
 		$pconfig['interface'] = $a_client[$id]['interface'];
-b0902f
+		if (!empty($a_client[$id]['ipaddr'])) {
 			$pconfig['interface'] = $pconfig['interface'] . '|' . $a_client[$id]['ipaddr'];
+		}
-            d799787e
+		$pconfig['local_port'] = $a_client[$id]['local_port'];
 		$pconfig['server_addr'] = $a_client[$id]['server_addr'];
 		$pconfig['server_port'] = $a_client[$id]['server_port'];
 		$pconfig['resolve_retry'] = $a_client[$id]['resolve_retry'];
 		$pconfig['proxy_addr'] = $a_client[$id]['proxy_addr'];
 		$pconfig['proxy_port'] = $a_client[$id]['proxy_port'];
-a24a3
+		$pconfig['proxy_user'] = $a_client[$id]['proxy_user'];
 		$pconfig['proxy_passwd'] = $a_client[$id]['proxy_passwd'];
 		$pconfig['proxy_authtype'] = $a_client[$id]['proxy_authtype'];
-            d799787e
+		$pconfig['description'] = $a_client[$id]['description'];
-            c7323d81
+		$pconfig['custom_options'] = $a_client[$id]['custom_options'];
-fbf14
+		$pconfig['ns_cert_type'] = $a_client[$id]['ns_cert_type'];
-ff53
+		$pconfig['dev_mode'] = $a_client[$id]['dev_mode'];
-e545b4
+            jim-p
-c11bd3c
+		if ($pconfig['mode'] != "p2p_shared_key") {
-            d799787e
+			$pconfig['caref'] = $a_client[$id]['caref'];
 			$pconfig['certref'] = $a_client[$id]['certref'];
-c11bd3c
+			if ($a_client[$id]['tls']) {
 				$pconfig['tlsauth_enable'] = "yes";
 				$pconfig['tls'] = base64_decode($a_client[$id]['tls']);
+			}
 		} else
 			$pconfig['shared_key'] = base64_decode($a_client[$id]['shared_key']);
-            d799787e
+		$pconfig['crypto'] = $a_client[$id]['crypto'];
-d5b59b
+		// OpenVPN Defaults to SHA1 if unset
 		$pconfig['digest'] = !empty($a_client[$id]['digest']) ? $a_client[$id]['digest'] : "SHA1";
-            f5c704b6
+		$pconfig['engine'] = $a_client[$id]['engine'];
-            d799787e
+            Matthew Grooms
 		$pconfig['tunnel_network'] = $a_client[$id]['tunnel_network'];
-df9b
+		$pconfig['tunnel_networkv6'] = $a_client[$id]['tunnel_networkv6'];
-            d799787e
+		$pconfig['remote_network'] = $a_client[$id]['remote_network'];
-df9b
+		$pconfig['remote_networkv6'] = $a_client[$id]['remote_networkv6'];
-            b422360c
+		$pconfig['use_shaper'] = $a_client[$id]['use_shaper'];
-            d799787e
+		$pconfig['compression'] = $a_client[$id]['compression'];
-cb0b40a
+		$pconfig['passtos'] = $a_client[$id]['passtos'];
-c11bd3c
+            Matthew Grooms
 		// just in case the modes switch
 		$pconfig['autokey_enable'] = "yes";
 		$pconfig['autotls_enable'] = "yes";
-            bea9e9d6
+            sbeaver
-            b9e9903d
+		$pconfig['no_tun_ipv6'] = $a_client[$id]['no_tun_ipv6'];
 		$pconfig['route_no_pull'] = $a_client[$id]['route_no_pull'];
 		$pconfig['route_no_exec'] = $a_client[$id]['route_no_exec'];
-            c7264382
+		if (isset($a_client[$id]['verbosity_level']))
 			$pconfig['verbosity_level'] = $a_client[$id]['verbosity_level'];
 		else
 			$pconfig['verbosity_level'] = 1; // Default verbosity is 1
-            d799787e
+            Matthew Grooms
+}
 if ($_POST) {
 	unset($input_errors);
 	$pconfig = $_POST;
-            dc408939
+	if (isset($id) && $a_client[$id])
 		$vpnid = $a_client[$id]['vpnid'];
-            f432e364
+	else
 		$vpnid = 0;
-bb449
+	list($iv_iface, $iv_ip) = explode ("|",$pconfig['interface']);
 	if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) {
 		$input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv6 protocol and an IPv4 IP address.");
 	} elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) {
 		$input_errors[] = gettext("Protocol and IP address families do not match. You cannot select an IPv4 protocol and an IPv6 IP address.");
-f484c
+	} elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) {
-bb449
+		$input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");
-f484c
+	} elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) {
-bb449
+		$input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address.");
+	}
-c0c87a
+	if ($pconfig['mode'] != "p2p_shared_key")
-c11bd3c
+		$tls_mode = true;
 	else
 		$tls_mode = false;
-            d799787e
+	/* input validation */
-            f432e364
+	if ($pconfig['local_port']) {
 		if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port'))
 			$input_errors[] = $result;
-b76122
+		$portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid);
-accf130
+		if (($portused != $vpnid) && ($portused != 0))
-fa7a468
+			$input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
-            f432e364
+            Matthew Grooms
-            d799787e
+	if ($result = openvpn_validate_host($pconfig['server_addr'], 'Server host or address'))
 		$input_errors[] = $result;
 	if ($result = openvpn_validate_port($pconfig['server_port'], 'Server port'))
 		$input_errors[] = $result;
 	if ($pconfig['proxy_addr']) {
 		if ($result = openvpn_validate_host($pconfig['proxy_addr'], 'Proxy host or address'))
 			$input_errors[] = $result;
 		if ($result = openvpn_validate_port($pconfig['proxy_port'], 'Proxy port'))
 			$input_errors[] = $result;
-a24a3
+            Ermal Lu?i
 		if ($pconfig['proxy_authtype'] != "none") {
 			if (empty($pconfig['proxy_user']) || empty($pconfig['proxy_passwd']))
-fa7a468
+				$input_errors[] = gettext("User name and password are required for proxy with authentication.");
-a24a3
+            Ermal Lu?i
-            d799787e
+            Matthew Grooms
-            c13b87a0
+	if($pconfig['tunnel_network'])
-            a28d40cb
+		if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network', false, "ipv4"))
-            c13b87a0
+			$input_errors[] = $result;
-            d799787e
+            Matthew Grooms
-            a28d40cb
+	if($pconfig['tunnel_networkv6'])
 		if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6"))
 			$input_errors[] = $result;
 	if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4"))
 		$input_errors[] = $result;
 	if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], 'IPv6 Remote Network', true, "ipv6"))
-            d799787e
+		$input_errors[] = $result;
-            b422360c
+	if (!empty($pconfig['use_shaper']) && (!is_numeric($pconfig['use_shaper']) || ($pconfig['use_shaper'] <= 0)))
 		$input_errors[] = gettext("The bandwidth limit must be a positive numeric value.");
-e545b4
+	if ($pconfig['autokey_enable'])
 		$pconfig['shared_key'] = openvpn_create_key();
-e6e210
+            jim-p
-c11bd3c
+	if (!$tls_mode && !$pconfig['autokey_enable'])
-            d799787e
+		if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
 			!strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----"))
-fa7a468
+			$input_errors[] = gettext("The field 'Shared Key' does not appear to be valid");
-c11bd3c
+            Matthew Grooms
 	if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable'])
 		if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") ||
 			!strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----"))
-fa7a468
+			$input_errors[] = gettext("The field 'TLS Authentication Key' does not appear to be valid");
-            d799787e
+            Matthew Grooms
-c3ae
+	/* If we are not in shared key mode, then we need the CA/Cert. */
 	if ($pconfig['mode'] != "p2p_shared_key") {
-da48592
+		$reqdfields = explode(" ", "caref");
 		$reqdfieldsn = array(gettext("Certificate Authority"));
-c3ae
+	} elseif (!$pconfig['autokey_enable']) {
 		/* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */
 		$reqdfields = array('shared_key');
-fa7a468
+		$reqdfieldsn = array(gettext('Shared key'));
-            d799787e
+            Matthew Grooms
-e9b4611
+	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
-da48592
+            jim-p
 	if (($pconfig['mode'] != "p2p_shared_key") && empty($pconfig['certref']) && empty($pconfig['auth_user']) && empty($pconfig['auth_pass'])) {
 		$input_errors[] = gettext("If no Client Certificate is selected, a username and password must be entered.");
+	}
-            d799787e
+	if (!$input_errors) {
 		$client = array();
-e545b4
+            jim-p
-f242576
+		foreach($simplefields as $stat)
 			update_if_changed($stat, $client[$stat], $_POST[$stat]);
-e545b4
+            jim-p
-            f432e364
+		if ($vpnid)
 			$client['vpnid'] = $vpnid;
-            d799787e
+		else
 			$client['vpnid'] = openvpn_vpnid_next();
-ee63
+		if ($_POST['disable'] == "yes")
-            b65f56f6
+			$client['disable'] = true;
-            d799787e
+		$client['protocol'] = $pconfig['protocol'];
-ff53
+		$client['dev_mode'] = $pconfig['dev_mode'];
-b0902f
+		list($client['interface'], $client['ipaddr']) = explode ("|",$pconfig['interface']);
-            d799787e
+		$client['local_port'] = $pconfig['local_port'];
 		$client['server_addr'] = $pconfig['server_addr'];
 		$client['server_port'] = $pconfig['server_port'];
 		$client['resolve_retry'] = $pconfig['resolve_retry'];
 		$client['proxy_addr'] = $pconfig['proxy_addr'];
 		$client['proxy_port'] = $pconfig['proxy_port'];
-a24a3
+		$client['proxy_authtype'] = $pconfig['proxy_authtype'];
 		$client['proxy_user'] = $pconfig['proxy_user'];
 		$client['proxy_passwd'] = $pconfig['proxy_passwd'];
-            d799787e
+		$client['description'] = $pconfig['description'];
-a9d5b9
+		$client['mode'] = $pconfig['mode'];
-            e3bbd29a
+		$client['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);
-            d799787e
+            Matthew Grooms
-e545b4
+		if ($tls_mode) {
 			$client['caref'] = $pconfig['caref'];
 			$client['certref'] = $pconfig['certref'];
 			if ($pconfig['tlsauth_enable']) {
 				if ($pconfig['autotls_enable'])
 					$pconfig['tls'] = openvpn_create_key();
 				$client['tls'] = base64_encode($pconfig['tls']);
+			}
 		} else {
 			$client['shared_key'] = base64_encode($pconfig['shared_key']);
+		}
-            d799787e
+		$client['crypto'] = $pconfig['crypto'];
-d5b59b
+		$client['digest'] = $pconfig['digest'];
-c58ae
+		$client['engine'] = $pconfig['engine'];
-            d799787e
+            Matthew Grooms
 		$client['tunnel_network'] = $pconfig['tunnel_network'];
-df9b
+		$client['tunnel_networkv6'] = $pconfig['tunnel_networkv6'];
-            d799787e
+		$client['remote_network'] = $pconfig['remote_network'];
-df9b
+		$client['remote_networkv6'] = $pconfig['remote_networkv6'];
-            b422360c
+		$client['use_shaper'] = $pconfig['use_shaper'];
-            d799787e
+		$client['compression'] = $pconfig['compression'];
-            e067306d
+		$client['passtos'] = $pconfig['passtos'];
-            d799787e
+            Matthew Grooms
-            b9e9903d
+		$client['no_tun_ipv6'] = $pconfig['no_tun_ipv6'];
 		$client['route_no_pull'] = $pconfig['route_no_pull'];
 		$client['route_no_exec'] = $pconfig['route_no_exec'];
 		$client['verbosity_level'] = $pconfig['verbosity_level'];
-            d799787e
+		if (isset($id) && $a_client[$id])
 			$a_client[$id] = $client;
 		else
 			$a_client[] = $client;
-            dc408939
+		openvpn_resync('client', $client);
-            d799787e
+		write_config();
-e545b4
+            jim-p
-            d799787e
+		header("Location: vpn_openvpn_client.php");
 		exit;
+	}
+}
 include("head.inc");
-            bea9e9d6
+function build_if_list() {
 	$list = array();
-            d799787e
+            Matthew Grooms
-            bea9e9d6
+	$interfaces = get_configured_interface_with_descr();
 	$carplist = get_configured_carp_interface_list();
-            d799787e
+            Matthew Grooms
-            bea9e9d6
+	foreach ($carplist as $cif => $carpip)
 		$interfaces[$cif.'|'.$carpip] = $carpip." (".get_vip_descr($carpip).")";
-            d799787e
+            Matthew Grooms
-            bea9e9d6
+	$aliaslist = get_configured_ip_aliases_list();
-            b9e9903d
+            Dmitriy K.
-            bea9e9d6
+	foreach ($aliaslist as $aliasip => $aliasif)
 		$interfaces[$aliasif.'|'.$aliasip] = $aliasip." (".get_vip_descr($aliasip).")";
 	$grouplist = return_gateway_groups_array();
-c11bd3c
+            Matthew Grooms
-            bea9e9d6
+	foreach ($grouplist as $name => $group) {
 		if($group['ipprotocol'] != inet)
 			continue;
-a24a3
+            Ermal Lu?i
-            bea9e9d6
+		if($group[0]['vip'] != "")
 			$vipif = $group[0]['vip'];
 		else
 			$vipif = $group[0]['int'];
 		$interfaces[$name] = "GW Group {$name}";
-e545b4
+            jim-p
-a24a3
+            Ermal Lu?i
-            bea9e9d6
+	$interfaces['lo0'] = "Localhost";
 	$interfaces['any'] = "any";
-c11bd3c
+            Matthew Grooms
-            bea9e9d6
+	foreach ($interfaces as $iface => $ifacename)
 	   $list[$iface] = $ifacename;
-c11bd3c
+            Matthew Grooms
-            bea9e9d6
+	return($list);
-c11bd3c
+            Matthew Grooms
-            bea9e9d6
+function build_cert_list() {
 	global $a_cert;
-c11bd3c
+            Matthew Grooms
-            bea9e9d6
+	$list = array();
-c11bd3c
+            Matthew Grooms
-            bea9e9d6
+	foreach ($a_cert as $cert) {
 		$caname = "";
 		$inuse = "";
 		$revoked = "";
 		$ca = lookup_ca($cert['caref']);
 		if ($ca)
 			$caname = " (CA: {$ca['descr']})";
 		if ($pconfig['certref'] == $cert['refid'])
 			$selected = "selected=\"selected\"";
 		if (cert_in_use($cert['refid']))
 			$inuse = " *In Use";
 		if (is_cert_revoked($cert))
 		   $revoked = " *Revoked";
 		$list[$cert['refid']] = $cert['descr'] . $caname . $inuse . $revoked;
+	}
 	return($list);
-c11bd3c
+            Matthew Grooms
-e66b6
+if (!$savemsg)
 	$savemsg = "";
 if ($input_errors)
 	print_input_errors($input_errors);
-            bea9e9d6
+            sbeaver
-e66b6
+if ($savemsg)
-            bea9e9d6
+	print_info_box($savemsg, 'success');
 $tab_array = array();
 $tab_array[] = array(gettext("Server"), false, "vpn_openvpn_server.php");
 $tab_array[] = array(gettext("Client"), true, "vpn_openvpn_client.php");
 $tab_array[] = array(gettext("Client Specific Overrides"), false, "vpn_openvpn_csc.php");
 $tab_array[] = array(gettext("Wizards"), false, "wizard.php?xml=openvpn_wizard.xml");
 add_package_tabs("OpenVPN", $tab_array);
 display_top_tabs($tab_array);
 if($act=="new" || $act=="edit") :
 	require('classes/Form.class.php');
 	$form = new Form();
 	$section = new Form_Section('General Information');
 	$section->addInput(new Form_checkbox(
 		'disable',
 		'Disabled',
 		'Disable this server',
 		$pconfig['disable']
 	))->setHelp('Set this option to disable this client without removing it from the list');
 	$section->addInput(new Form_Select(
 		'mode',
 		'Server mode',
 		$pconfig['mode'],
 		$openvpn_client_modes
 		));
 	$section->addInput(new Form_Select(
 		'protocol',
 		'Protocol',
 		$pconfig['protocol'],
 		$openvpn_prots
 		));
 	$section->addInput(new Form_Select(
 		'dev_mode',
 		'Device mode',
 		empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'],
 		array_combine($openvpn_dev_mode, $openvpn_dev_mode)
 		));
 	$section->addInput(new Form_Select(
 		'interface',
 		'Interface',
 		$pconfig['interface'],
 		build_if_list()
 		));
 	$section->addInput(new Form_Input(
 		'local_port',
 		'Local port',
 		'number',
 		$pconfig['local_port']
 	))->setHelp('Set this option if you would like to bind to a specific port. Leave this blank or enter 0 for a random dynamic port.');
 	$section->addInput(new Form_Input(
 		'sever_addr',
 		'Server host or address',
 		'text',
 		$pconfig['sever_addr']
 	));
 	$section->addInput(new Form_Input(
 		'server_port',
 		'Server port',
 		'number',
 		$pconfig['server_port']
 	));
 	$section->addInput(new Form_Input(
 		'proxy_addr',
 		'Proxy host or address',
 		'text',
 		$pconfig['proxy_addr']
 	));
 	$section->addInput(new Form_Select(
 		'proxy_authtype',
 		'Proxy Auth. - Extra options',
 		$pconfig['proxy_authtype'],
 		array('none' => 'none', 'basic' => 'basic', 'ntlm' => 'ntlm')
 		));
 	$section->addInput(new Form_Input(
 		'proxy_user',
 		'Username',
 		'text',
 		$pconfig['proxy_user']
 	));
 	$section->addInput(new Form_Input(
 		'proxy_passwd',
 		'Password',
 		'password',
 		$pconfig['proxy_passwd']
 	));
 	$section->addInput(new Form_checkbox(
 		'resolve_retry',
 		'Server hostname resolution',
 		'Infinitely resolve server ',
 		$pconfig['resolve_retry']
 	))->setHelp('Continuously attempt to resolve the server host name. ' .
 				'Useful when communicating with a server that is not permanently connected to the Internet.');
 	$section->addInput(new Form_Input(
 		'description',
 		'Description',
 		'text',
 		$pconfig['description']
 	))->setHelp('You may enter a description here for your reference (not parsed).');
 	$form->add($section);
 	$section = new Form_Section('User Authentication settings');
 	$section->addClass('authentication');
 	$section->addInput(new Form_Input(
 		'auth_user',
 		'Username',
 		'text',
 		$pconfig['auth_user']
 	))->setHelp('Leave empty when no user name is needed');
 	$section->addInput(new Form_Input(
 		'auth_passwd',
 		'Password',
 		'password',
 		$pconfig['auth_passwd']
 	))->setHelp('Leave empty when no password is needed');
 	$form->add($section);
 	$section = new Form_Section('Cryptographic settings');
 	$section->addInput(new Form_checkbox(
 		'tlsauth_enable',
 		'TLS authentication',
 		'Enable authentication of TLS packets.',
 		$pconfig['tlsauth_enable']
 	));
 	if (!$pconfig['tls']) {
 		$section->addInput(new Form_checkbox(
 			'autotls_enable',
 			null,
 			'Automatically generate a shared TLS authentication key.',
 			$pconfig['autotls_enable']
 		));
+	}
 	$section->addInput(new Form_TextArea(
 		'tls',
 		'Key',
 		$pconfig['tls']
 	))->setHelp('Paste your shared key here');
 	$section->addInput(new Form_Select(
 		'caref',
 		'Peer Certifiacte Authority',
 		$pconfig['caref'],
 		count($a_ca) ? array_combine($a_ca, $a_ca) : ['' => 'None']
 		))->setHelp(count($a_ca) ? '':sprintf('No Certificate Authorities defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>'));
 	$section->addInput(new Form_Select(
 		'certref',
 		'Peer Certifiacte Authority',
 		$pconfig['certref'],
 		build_cert_list()
 		))->setHelp(count($a_cert) ? '':sprintf('No Certificates defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>'));
 	if (!$pconfig['shared_key']) {
 		$section->addInput(new Form_checkbox(
 			'autokey_enable',
 			'Auto generate',
 			'Automatically generate a shared key',
 			$pconfig['autokey_enable']
 		));
+	}
 	$section->addInput(new Form_TextArea(
 		'shared_key',
 		'Shared Key',
 		$pconfig['shared_key']
 	))->setHelp('Paste your shared key here');
 	$section->addInput(new Form_Select(
 		'crypto',
 		'Encryption Algorithm',
 		$pconfig['crypto'],
 		openvpn_get_cipherlist()
 		));
 	$section->addInput(new Form_Select(
 		'digest',
 		'Auth digest algorithm',
 		$pconfig['digest'],
 		openvpn_get_digestlist()
 		))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ');
 	$section->addInput(new Form_Select(
 		'engine',
 		'Hardware Crypto',
 		$pconfig['engine'],
 		openvpn_get_engines()
 		));
 	$form->add($section);
 	$section = new Form_Section('Tunnel settings');
 	$section->addInput(new Form_Input(
 		'tunnel_network',
 		'IPv4 Tunnel Network',
 		'text',
 		$pconfig['tunnel_network']
 	))->setHelp('This is the IPv4 virtual network used for private communications between this client and the sercer ' .
 				'expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to ' .
 				'the client virtual interface.');
 	$section->addInput(new Form_Input(
 		'tunnel_networkv6',
 		'IPv6 Tunnel Network',
 		'text',
 		$pconfig['tunnel_networkv6']
 	))->setHelp('This is the IPv6 virtual network used for private ' .
 				'communications between this client and the server	expressed using CIDR (eg. fe80::/64). ' .
 				'The first network address will be assigned to the server virtual interface.');
 	$section->addInput(new Form_Input(
 		'remote_network',
 		'IPv4 Remote network(s)',
 		'text',
 		$pconfig['remote_network']
 	))->setHelp('IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' .
 				'changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. ' .
 				'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.');
 	$section->addInput(new Form_Input(
 		'remote_networkv6',
 		'IPv6 Remote network(s)',
 		'text',
 		$pconfig['remote_networkv6']
 	))->setHelp('These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' .
 				'changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. ' .
 				'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.');
 $section->addInput(new Form_Input(
 		'use_shaper',
 		'Limit outgoing bandwidth',
 		'number',
 		$pconfig['use_shaper'],
 		['min' => 100, 'max' => 100000000, 'placeholder' => 'Between 100 and 100,000,000 bytes/sec']
 	))->setHelp('Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).');
 	$section->addInput(new Form_Select(
 		'compression',
 		'Compression',
 		$pconfig['compression'],
 		$openvpn_compression_modes
 		))->setHelp('Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.');
 	$section->addInput(new Form_checkbox(
 		'passtos',
 		'Type-of-Service',
 		'Set the TOS IP header value of tunnel packets to match the encapsulated packet value.',
 		$pconfig['passtos']
 	));
 	$section->addInput(new Form_checkbox(
 		'no_tun_ipv6',
 		'Disable IPv6',
 		'Don\'t forward IPv6 traffic. ',
 		$pconfig['no_tun_ipv6']
 	));
 	$section->addInput(new Form_checkbox(
 		'route_no_pull',
 		'Don\'t pull routes',
 		'Bars the server from adding routes to the client\'s routing table',
 		$pconfig['route_no_pull']
 	))->setHelp('This option still allows the server to set the TCP/IP properties of the client\'s TUN/TAP interface. ');
 	$section->addInput(new Form_checkbox(
 		'route_no_exec',
 		'Don\'t add/remove routes',
 		'Don\'t add or remove routes automatically',
 		$pconfig['route_no_exec']
 	))->setHelp('Pass routes to --route-upscript using environmental variables');
 	$form->add($section);
 	$section = new Form_Section('Advanced Configuration');
 	$section->addClass('advanced');
 	$section->addInput(new Form_TextArea(
 		'custom_options',
 		'Custom options',
 		$pconfig['custom_options']
 	))->setHelp('Enter any additional options you would like to add to the OpenVPN server configuration here, separated by semicolon' . '<br />' .
 				'EXAMPLE: push "route 10.0.0.0 255.255.255.0"');
 	$section->addInput(new Form_Select(
 		'verbosity_level',
 		'Verbosity level',
 		$pconfig['verbosity_level'],
 		$openvpn_verbosity_level
 		))->setHelp('Each level shows all info from the previous levels. Level 3 is recommended if you want a good summary of what\'s happening without being swamped by output' . '<br /><br />' .
 					'None: Only fatal errors' . '<br />' .
 					'Default: Normal usage range' . '<br />' .
 					'5: Output R and W characters to the console for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets' .'<br />' .
 					'6: Debug info range');
 	$section->addInput(new Form_Input(
 		'act',
 		null,
 		'hidden',
 		$act
 	));
 	if (isset($id) && $a_server[$id]) {
 		$section->addInput(new Form_Input(
 			'id',
 			null,
 			'hidden',
 			$id
 		));
+	}
 	$form->add($section);
 	print($form);
 else:
-            d799787e
+?>
-            bea9e9d6
+<div class="panel panel-default">
-            f17594c7
+	<div class="panel-heading"><h2 class="panel-title"><?=gettext('OpenVPN Servers')?></h2></div>
-            bea9e9d6
+		<div class="panel-body table-responsive">
 		<table class="table table-striped table-hover table-condensed">
 			<thead>
-f29c4
+				<tr>
-            bea9e9d6
+					<th><?=gettext("Protocol")?></th>
 					<th><?=gettext("Server")?></th>
 					<th><?=gettext("Description")?></th>
 					<th><!-- Buttons --></th>
-f29c4
+				</tr>
-            bea9e9d6
+			</thead>
 			<tbody>
 <?php
 	$i = 0;
 	foreach($a_client as $client):
 		$server = "{$client['server_addr']}:{$client['server_port']}";
 ?>
 				<tr <?=isset($server['disable']) ? 'class="disabled"':''?>>
 					<td>
 						<?=htmlspecialchars($client['protocol'])?>
-            d799787e
+					</td>
-            bea9e9d6
+					<td>
 						<?=htmlspecialchars($server)?>
-            d799787e
+					</td>
-            bea9e9d6
+					<td>
 						<?=htmlspecialchars($client['description'])?>
-            d799787e
+					</td>
-            bea9e9d6
+					<td>
 						<a href="vpn_openvpn_client.php?act=edit&amp;id=<?=$i?>" class="btn btn-xs btn-info"><?=gettext("Edit")?></a>
 						<a href="vpn_openvpn_client.php?act=del&amp;id=<?=$i?>" class="btn btn-xs btn-danger"><?=gettext("Delete")?></a>
-            d799787e
+					</td>
 				</tr>
-            bea9e9d6
+<?php
 		$i++;
 	endforeach;
 ?>
 			</tbody>
 		</table>
 	</div>
 </div>
 <nav class="action-buttons">
 	<a href="vpn_openvpn_client.php?act=new" class="btn btn-sm btn-success">
 		<?=gettext("Add server")?>
 	</a>
 </nav>
 <?php
 endif;
 // Note:
 // The following *_change() functions were converted from Javascript/DOM to JQuery but otherwise
 // mostly left unchanged. The logic on this form is complex andthis works!
 ?>
-f026b0
+<script type="text/javascript">
-f29c4
+//<![CDATA[
-            bea9e9d6
+events.push(function(){
 	function mode_change() {
 		value = $('#mode').val();
 		switch(value) {
 			case "p2p_tls":
 				hideInput('tls', false);
 				hideCheckbox('tlsauth_enable', false);
 				hideCheckbox('autotls_enable', false);
 				hideInput('caref', false);
 				hideInput('certreft', false);
 				hideClass('authentication', false);
 				hideCheckbox('autokey_enable', true);
 				hideInput('shared_key', true);
 				break;
 			case "p2p_shared_key":
 				hideInput('tls', true);
 				hideCheckbox('tlsauth_enable', true);
 				hideCheckbox('autotls_enable', true);
 				hideInput('caref', true);
 				hideInput('certreft', true);
 				hideClass('authentication', true);
 				hideCheckbox('autokey_enable', false);
 				hideInput('shared_key', false);
 				break;
+		}
+	}
-            d799787e
+            Matthew Grooms
-            bea9e9d6
+	function dev_mode_change() {
 		hideCheckbox('no_tun_ipv6', ($('#dev_mode').val() == 'tap'));
+	}
 	function autokey_change() {
 		hideInput('shared_key', $('#autokey_enable').prop('checked'));
+	}
 	function useproxy_changed() {
 		hideInput('proxy_user', ($('#proxy_authtype').val() == 'none'));
 		hideInput('proxy_passwd', ($('#proxy_authtype').val() == 'none'));
+	}
 	function tlsauth_change() {
 		var hide  = ! $('#tlsauth_enable').prop('checked')
 	<?php if (!$pconfig['tls']): ?>
 		hideCheckbox('autotls_enable', hide);
 	<?php endif; ?>
-            d799787e
+            Matthew Grooms
-            bea9e9d6
+		autotls_change();
+	}
 	function autotls_change() {
 	<?php if (!$pconfig['tls']): ?>
 		autocheck = $('#autotls_enable').prop('checked');
 	<?php else: ?>
 		autocheck = false;
 	<?php endif; ?>
-            d799787e
+            Matthew Grooms
-            bea9e9d6
+	if ($('#tlsauth_enable').prop('checked')  && !autocheck)
 	   hideInput('tls', false);
-e545b4
+	else
-            bea9e9d6
+	   hideInput('tls', true);
+	}
-            d799787e
+            Matthew Grooms
-            bea9e9d6
+	// ---------- Library of show/hide functions ----------------------------------------------------------------------
 	// Hides the <div> in which the specified input element lives so that the input,
 	// its label and help text are hidden
 	function hideInput(id, hide) {
 		if(hide)
 			$('#' + id).parent().parent('div').addClass('hidden');
 		else
 			$('#' + id).parent().parent('div').removeClass('hidden');
+	}
 	// Hides the <div> in which the specified checkbox lives so that the checkbox,
 	// its label and help text are hidden
 	function hideCheckbox(id, hide) {
 		if(hide)
 			$('#' + id).parent().parent().parent('div').addClass('hidden');
 		else
 			$('#' + id).parent().parent().parent('div').removeClass('hidden');
+	}
 	// Disables the specified input element
 	function disableInput(id, disable) {
 		$('#' + id).prop("disabled", disable);
+	}
 	// Hides all elements of the specified class. This will usually be a section or group
 	function hideClass(s_class, hide) {
 		if(hide)
 			$('.' + s_class).hide();
 		else
 			$('.' + s_class).show();
+	}
 	// ---------- Monitor elements for change and call the appropriate display functions ------------------------------
 	 // TLS Authorization
 	$('#tlsauth_enable').click(function () {
 		tlsauth_change();
 	});
 	 // Auto key
 	$('#autokey_enable').click(function () {
 		autokey_change();
 	});
 	 // Mode
 	$('#mode').click(function () {
 		mode_change();
 	});
 	 // Use proxy
 	$('#proxy_authtype').click(function () {
 		useproxy_changed();
 	});
 	 // Tun/tap
 	$('#dev_mode').click(function () {
 		dev_mode_change();
 	});
 	// ---------- Set initial page display state ----------------------------------------------------------------------
 	mode_change();
 	autokey_change();
 	tlsauth_change();
 	useproxy_changed();
 	dev_mode_change();
 });
 //]]>
 </script>
 <?php include("foot.inc");

Project

General

Profile

pfSense