| 33 |
33 |
require_once("openvpn.inc");
|
| 34 |
34 |
require_once("pfsense-utils.inc");
|
| 35 |
35 |
require_once("pkg-utils.inc");
|
|
36 |
require_once("vpn_openvpn_server.inc");
|
| 36 |
37 |
|
| 37 |
38 |
global $openvpn_topologies, $openvpn_tls_modes, $openvpn_exit_notify_server;
|
| 38 |
39 |
|
| ... | ... | |
| 103 |
104 |
}
|
| 104 |
105 |
|
| 105 |
106 |
if ($_POST['save']) {
|
| 106 |
|
unset($input_errors);
|
| 107 |
|
$pconfig = $_POST;
|
| 108 |
|
|
| 109 |
|
if (isset($id) && $a_server[$id]) {
|
| 110 |
|
$vpnid = $a_server[$id]['vpnid'];
|
| 111 |
|
} else {
|
| 112 |
|
$vpnid = 0;
|
| 113 |
|
}
|
| 114 |
|
|
| 115 |
|
$pconfig['ncp_enable'] = ($pconfig['ncp_enable'] == 'yes') ? 'enabled' : 'disabled';
|
| 116 |
|
|
| 117 |
|
if ($pconfig['disable'] && openvpn_inuse($vpnid, 'server')) {
|
| 118 |
|
$input_errors[] = gettext("Cannot disable an OpenVPN instance while the interface is assigned. Remove the interface assignment first.");
|
| 119 |
|
}
|
| 120 |
|
|
| 121 |
|
if (isset($pconfig['custom_options']) &&
|
| 122 |
|
($pconfig['custom_options'] != $a_server[$id]['custom_options']) &&
|
| 123 |
|
!$user_can_edit_advanced) {
|
| 124 |
|
$input_errors[] = gettext("This user does not have sufficient privileges to edit Advanced options on this instance.");
|
| 125 |
|
}
|
| 126 |
|
if (!$user_can_edit_advanced && !empty($a_server[$id]['custom_options'])) {
|
| 127 |
|
$pconfig['custom_options'] = $a_server[$id]['custom_options'];
|
| 128 |
|
}
|
| 129 |
|
|
| 130 |
|
if (!empty($pconfig['mode']) &&
|
| 131 |
|
!array_key_exists($pconfig['mode'], openvpn_build_mode_list())) {
|
| 132 |
|
$input_errors[] = gettext("The selected Server Mode is not valid.");
|
| 133 |
|
}
|
| 134 |
|
|
| 135 |
|
if (!empty($pconfig['dev_mode']) &&
|
| 136 |
|
!array_key_exists($pconfig['dev_mode'], $openvpn_dev_mode)) {
|
| 137 |
|
$input_errors[] = gettext("The selected Device Mode is not valid.");
|
| 138 |
|
}
|
| 139 |
|
|
| 140 |
|
if (!empty($pconfig['protocol']) &&
|
| 141 |
|
!array_key_exists($pconfig['protocol'], $openvpn_prots)) {
|
| 142 |
|
$input_errors[] = gettext("The selected Protocol is not valid.");
|
| 143 |
|
}
|
| 144 |
|
|
| 145 |
|
if (!empty($pconfig['interface']) &&
|
| 146 |
|
!array_key_exists($pconfig['interface'], openvpn_build_if_list())) {
|
| 147 |
|
$input_errors[] = gettext("The selected Interface is not valid.");
|
| 148 |
|
}
|
| 149 |
|
|
| 150 |
|
if (!empty($pconfig['ecdh_curve']) &&
|
| 151 |
|
!array_key_exists($pconfig['ecdh_curve'], openvpn_get_curvelist())) {
|
| 152 |
|
$input_errors[] = gettext("The selected ECDH Curve is not valid.");
|
| 153 |
|
}
|
| 154 |
|
|
| 155 |
|
$cipher_validation_list = array_keys(openvpn_get_cipherlist());
|
| 156 |
|
if (!in_array($pconfig['data_ciphers_fallback'], $cipher_validation_list)) {
|
| 157 |
|
$input_errors[] = gettext("The selected Fallback Data Encryption Algorithm is not valid.");
|
| 158 |
|
}
|
| 159 |
|
|
| 160 |
|
/* Maximum option line length = 256, see https://redmine.pfsense.org/issues/11559 */
|
| 161 |
|
if (!empty($pconfig['data_ciphers']) && (strlen("data-ciphers " . implode(",", $pconfig['data_ciphers'])) > 254)) {
|
| 162 |
|
$input_errors[] = gettext("Too many Data Encryption Algorithms have been selected.");
|
| 163 |
|
}
|
| 164 |
|
|
| 165 |
|
if (!empty($pconfig['data_ciphers']) && is_array($pconfig['data_ciphers'])) {
|
| 166 |
|
foreach ($pconfig['data_ciphers'] as $dc) {
|
| 167 |
|
if (!in_array(trim($dc), $cipher_validation_list)) {
|
| 168 |
|
$input_errors[] = gettext("One or more of the selected Data Encryption Algorithms is not valid.");
|
| 169 |
|
}
|
| 170 |
|
}
|
| 171 |
|
} else {
|
| 172 |
|
/* If data_ciphers is not empty and also not an array, it can't be valid. */
|
| 173 |
|
$input_errors[] = gettext("The Data Encryption Algorithm list is not valid.");
|
| 174 |
|
}
|
| 175 |
|
|
| 176 |
|
if (!empty($pconfig['digest']) &&
|
| 177 |
|
!array_key_exists($pconfig['digest'], openvpn_get_digestlist())) {
|
| 178 |
|
$input_errors[] = gettext("The selected Auth Digest Algorithm is not valid.");
|
| 179 |
|
}
|
| 180 |
|
|
| 181 |
|
if (!empty($pconfig['engine']) &&
|
| 182 |
|
!array_key_exists($pconfig['engine'], openvpn_get_engines())) {
|
| 183 |
|
$input_errors[] = gettext("The selected Hardware Crypto engine is not valid.");
|
| 184 |
|
}
|
| 185 |
|
|
| 186 |
|
if (!empty($pconfig['cert_depth']) &&
|
| 187 |
|
!array_key_exists($pconfig['cert_depth'], $openvpn_cert_depths)) {
|
| 188 |
|
$input_errors[] = gettext("The selected Certificate Depth is not valid.");
|
| 189 |
|
}
|
| 190 |
|
|
| 191 |
|
list($iv_iface, $iv_ip) = explode ("|", $pconfig['interface']);
|
| 192 |
|
if (is_ipaddrv4($iv_ip) && (stristr($pconfig['protocol'], "6") !== false)) {
|
| 193 |
|
$input_errors[] = gettext("Protocol and IP address families do not match. An IPv6 protocol and an IPv4 IP address cannot be selected.");
|
| 194 |
|
} elseif (is_ipaddrv6($iv_ip) && (stristr($pconfig['protocol'], "6") === false)) {
|
| 195 |
|
$input_errors[] = gettext("Protocol and IP address families do not match. An IPv4 protocol and an IPv6 IP address cannot be selected.");
|
| 196 |
|
} elseif ((stristr($pconfig['protocol'], "6") === false) && !get_interface_ip($iv_iface) && ($pconfig['interface'] != "any")) {
|
| 197 |
|
// If an underlying interface to be used by this server uses DHCP, then it may not have received an IP address yet.
|
| 198 |
|
// So in that case we do not report a problem.
|
| 199 |
|
if (!interface_has_dhcp($iv_iface, 4)) {
|
| 200 |
|
$input_errors[] = gettext("An IPv4 protocol was selected, but the selected interface has no IPv4 address.");
|
| 201 |
|
}
|
| 202 |
|
} elseif ((stristr($pconfig['protocol'], "6") !== false) && !get_interface_ipv6($iv_iface) && ($pconfig['interface'] != "any")) {
|
| 203 |
|
// If an underlying interface to be used by this server uses DHCP6, then it may not have received an IP address yet.
|
| 204 |
|
// So in that case we do not report a problem.
|
| 205 |
|
if (!interface_has_dhcp($iv_iface, 6)) {
|
| 206 |
|
$input_errors[] = gettext("An IPv6 protocol was selected, but the selected interface has no IPv6 address.");
|
| 207 |
|
}
|
| 208 |
|
}
|
| 209 |
|
|
| 210 |
|
if ($pconfig['mode'] != "p2p_shared_key") {
|
| 211 |
|
$tls_mode = true;
|
| 212 |
|
|
| 213 |
|
if (!empty($pconfig['caref']) &&
|
| 214 |
|
!array_key_exists($pconfig['caref'], cert_build_list('ca', 'OpenVPN'))) {
|
| 215 |
|
$input_errors[] = gettext("The selected Peer Certificate Authority is not valid.");
|
| 216 |
|
}
|
| 217 |
|
|
| 218 |
|
if (!empty($pconfig['crlref']) &&
|
| 219 |
|
!array_key_exists($pconfig['crlref'], openvpn_build_crl_list())) {
|
| 220 |
|
$input_errors[] = gettext("The selected Peer Certificate Revocation List is not valid.");
|
| 221 |
|
}
|
| 222 |
|
|
| 223 |
|
if (!empty($pconfig['certref']) &&
|
| 224 |
|
!array_key_exists($pconfig['certref'], $certlist['server'] + $certlist['non-server'])) {
|
| 225 |
|
$input_errors[] = gettext("The selected Server Certificate is not valid.");
|
| 226 |
|
}
|
| 227 |
|
|
| 228 |
|
} else {
|
| 229 |
|
$tls_mode = false;
|
| 230 |
|
}
|
| 231 |
|
|
| 232 |
|
if (empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
|
| 233 |
|
$input_errors[] = gettext("A Backend for Authentication must be selected if the server mode requires User Auth.");
|
| 234 |
|
}
|
| 235 |
|
|
| 236 |
|
/* input validation */
|
| 237 |
|
if ($result = openvpn_validate_port($pconfig['local_port'], 'Local port', 1)) {
|
| 238 |
|
$input_errors[] = $result;
|
| 239 |
|
}
|
| 240 |
|
|
| 241 |
|
/* Maximum option line length = 256, see https://redmine.pfsense.org/issues/11104 */
|
| 242 |
|
if (!empty($pconfig['authmode']) && is_port($pconfig['local_port'])) {
|
| 243 |
|
$strictusercn = "false";
|
| 244 |
|
if ($pconfig['strictusercn']) {
|
| 245 |
|
$strictusercn = "true";
|
| 246 |
|
}
|
| 247 |
|
$authstring = openvpn_authscript_string(implode(',', $pconfig['authmode']),
|
| 248 |
|
$strictusercn, $vpnid, $pconfig['local_port']);
|
| 249 |
|
if (strlen($authstring) > 254) {
|
| 250 |
|
$input_errors[] = gettext("Too many Authentication Backends have been selected or their names are too long.");
|
| 251 |
|
}
|
| 252 |
|
}
|
| 253 |
|
|
| 254 |
|
if (!empty($pconfig['tunnel_network']) && !openvpn_validate_tunnel_network($pconfig['tunnel_network'], 'ipv4')) {
|
| 255 |
|
$input_errors[] = gettext("The field 'IPv4 Tunnel Network' must contain a valid IPv4 subnet with CIDR mask or an alias with a single IPv4 subnet with CIDR mask.");
|
| 256 |
|
}
|
| 257 |
|
|
| 258 |
|
if (!empty($pconfig['tunnel_network']) &&
|
| 259 |
|
(!isset($a_server[$id]) ||
|
| 260 |
|
($a_server[$id]['tunnel_network'] != $pconfig['tunnel_network'])) &&
|
| 261 |
|
openvpn_is_tunnel_network_in_use($pconfig['tunnel_network'])) {
|
| 262 |
|
$input_errors[] = gettext("The submitted IPv4 Tunnel Network is already in use.");
|
| 263 |
|
}
|
| 264 |
|
|
| 265 |
|
if (!empty($pconfig['tunnel_networkv6']) && !openvpn_validate_tunnel_network($pconfig['tunnel_networkv6'], 'ipv6')) {
|
| 266 |
|
$input_errors[] = gettext("The field 'IPv6 Tunnel Network' must contain a valid IPv6 prefix or an alias with a single IPv6 prefix.");
|
| 267 |
|
}
|
| 268 |
|
|
| 269 |
|
if (!empty($pconfig['tunnel_networkv6']) &&
|
| 270 |
|
(!isset($a_server[$id]) ||
|
| 271 |
|
($a_server[$id]['tunnel_networkv6'] != $pconfig['tunnel_networkv6'])) &&
|
| 272 |
|
openvpn_is_tunnel_network_in_use($pconfig['tunnel_networkv6'])) {
|
| 273 |
|
$input_errors[] = gettext("The submitted IPv6 Tunnel Network is already in use.");
|
| 274 |
|
}
|
| 275 |
|
|
| 276 |
|
if ($result = openvpn_validate_cidr($pconfig['remote_network'], 'IPv4 Remote Network', true, "ipv4", true)) {
|
| 277 |
|
$input_errors[] = $result;
|
| 278 |
|
}
|
| 279 |
|
|
| 280 |
|
if ($result = openvpn_validate_cidr($pconfig['remote_networkv6'], 'IPv6 Remote Network', true, "ipv6", true)) {
|
| 281 |
|
$input_errors[] = $result;
|
| 282 |
|
}
|
| 283 |
|
|
| 284 |
|
if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4", true)) {
|
| 285 |
|
$input_errors[] = $result;
|
| 286 |
|
}
|
| 287 |
|
|
| 288 |
|
if ($result = openvpn_validate_cidr($pconfig['local_networkv6'], 'IPv6 Local Network', true, "ipv6", true)) {
|
| 289 |
|
$input_errors[] = $result;
|
| 290 |
|
}
|
| 291 |
|
|
| 292 |
|
if (!empty($pconfig['allow_compression']) &&
|
| 293 |
|
!array_key_exists($pconfig['allow_compression'], $openvpn_allow_compression)) {
|
| 294 |
|
$input_errors[] = gettext("The selected Allow Compression value is not valid.");
|
| 295 |
|
}
|
| 296 |
|
|
| 297 |
|
if (!empty($pconfig['compression']) &&
|
| 298 |
|
!array_key_exists($pconfig['compression'], $openvpn_compression_modes)) {
|
| 299 |
|
$input_errors[] = gettext("The selected Compression is not valid.");
|
| 300 |
|
}
|
| 301 |
|
|
| 302 |
|
$portused = openvpn_port_used($pconfig['protocol'], $pconfig['interface'], $pconfig['local_port'], $vpnid);
|
| 303 |
|
if (($portused != $vpnid) && ($portused != 0)) {
|
| 304 |
|
$input_errors[] = gettext("The specified 'Local port' is in use. Please select another value");
|
| 305 |
|
}
|
| 306 |
|
|
| 307 |
|
if ($pconfig['autokey_enable']) {
|
| 308 |
|
$pconfig['shared_key'] = openvpn_create_key();
|
| 309 |
|
}
|
| 310 |
|
|
| 311 |
|
if (!$tls_mode && !$pconfig['autokey_enable']) {
|
| 312 |
|
if (!strstr($pconfig['shared_key'], "-----BEGIN OpenVPN Static key V1-----") ||
|
| 313 |
|
!strstr($pconfig['shared_key'], "-----END OpenVPN Static key V1-----")) {
|
| 314 |
|
$input_errors[] = gettext("The field 'Shared Key' does not appear to be valid");
|
| 315 |
|
}
|
| 316 |
|
}
|
| 317 |
|
|
| 318 |
|
if ($tls_mode && $pconfig['tlsauth_enable'] && !$pconfig['autotls_enable']) {
|
| 319 |
|
if (!strstr($pconfig['tls'], "-----BEGIN OpenVPN Static key V1-----") ||
|
| 320 |
|
!strstr($pconfig['tls'], "-----END OpenVPN Static key V1-----")) {
|
| 321 |
|
$input_errors[] = gettext("The field 'TLS Key' does not appear to be valid");
|
| 322 |
|
}
|
| 323 |
|
if (!in_array($pconfig['tls_type'], array_keys($openvpn_tls_modes))) {
|
| 324 |
|
$input_errors[] = gettext("The field 'TLS Key Usage Mode' is not valid");
|
| 325 |
|
}
|
| 326 |
|
if (!empty($pconfig['tlsauth_keydir']) &&
|
| 327 |
|
!array_key_exists($pconfig['tlsauth_keydir'], openvpn_get_keydirlist())) {
|
| 328 |
|
$input_errors[] = gettext("The selected TLS Key Direction is not valid.");
|
| 329 |
|
}
|
| 330 |
|
}
|
| 331 |
|
|
| 332 |
|
if ($pconfig['dns_server_enable']) {
|
| 333 |
|
if (!empty($pconfig['dns_server1']) && !is_ipaddr(trim($pconfig['dns_server1']))) {
|
| 334 |
|
$input_errors[] = gettext("The field 'DNS Server #1' must contain a valid IPv4 or IPv6 address");
|
| 335 |
|
}
|
| 336 |
|
if (!empty($pconfig['dns_server2']) && !is_ipaddr(trim($pconfig['dns_server2']))) {
|
| 337 |
|
$input_errors[] = gettext("The field 'DNS Server #2' must contain a valid IPv4 or IPv6 address");
|
| 338 |
|
}
|
| 339 |
|
if (!empty($pconfig['dns_server3']) && !is_ipaddr(trim($pconfig['dns_server3']))) {
|
| 340 |
|
$input_errors[] = gettext("The field 'DNS Server #3' must contain a valid IPv4 or IPv6 address");
|
| 341 |
|
}
|
| 342 |
|
if (!empty($pconfig['dns_server4']) && !is_ipaddr(trim($pconfig['dns_server4']))) {
|
| 343 |
|
$input_errors[] = gettext("The field 'DNS Server #4' must contain a valid IPv4 or IPv6 address");
|
| 344 |
|
}
|
| 345 |
|
}
|
| 346 |
|
|
| 347 |
|
if ($pconfig['ntp_server_enable']) {
|
| 348 |
|
if (!empty($pconfig['ntp_server1']) && !is_ipaddr(trim($pconfig['ntp_server1']))) {
|
| 349 |
|
$input_errors[] = gettext("The field 'NTP Server #1' must contain a valid IP address");
|
| 350 |
|
}
|
| 351 |
|
if (!empty($pconfig['ntp_server2']) && !is_ipaddr(trim($pconfig['ntp_server2']))) {
|
| 352 |
|
$input_errors[] = gettext("The field 'NTP Server #2' must contain a valid IP address");
|
| 353 |
|
}
|
| 354 |
|
if (!empty($pconfig['ntp_server3']) && !is_ipaddr(trim($pconfig['ntp_server3']))) {
|
| 355 |
|
$input_errors[] = gettext("The field 'NTP Server #3' must contain a valid IP address");
|
| 356 |
|
}
|
| 357 |
|
if (!empty($pconfig['ntp_server4']) && !is_ipaddr(trim($pconfig['ntp_server4']))) {
|
| 358 |
|
$input_errors[] = gettext("The field 'NTP Server #4' must contain a valid IP address");
|
| 359 |
|
}
|
| 360 |
|
}
|
| 361 |
|
|
| 362 |
|
if ($pconfig['netbios_enable']) {
|
| 363 |
|
if ($pconfig['wins_server_enable']) {
|
| 364 |
|
if (!empty($pconfig['wins_server1']) && !is_ipaddr(trim($pconfig['wins_server1']))) {
|
| 365 |
|
$input_errors[] = gettext("The field 'WINS Server #1' must contain a valid IP address");
|
| 366 |
|
}
|
| 367 |
|
if (!empty($pconfig['wins_server2']) && !is_ipaddr(trim($pconfig['wins_server2']))) {
|
| 368 |
|
$input_errors[] = gettext("The field 'WINS Server #2' must contain a valid IP address");
|
| 369 |
|
}
|
| 370 |
|
}
|
| 371 |
|
if ($pconfig['nbdd_server_enable']) {
|
| 372 |
|
if (!empty($pconfig['nbdd_server1']) && !is_ipaddr(trim($pconfig['nbdd_server1']))) {
|
| 373 |
|
$input_errors[] = gettext("The field 'NetBIOS Data Distribution Server #1' must contain a valid IP address");
|
| 374 |
|
}
|
| 375 |
|
}
|
| 376 |
|
|
| 377 |
|
if (!empty($pconfig['netbios_ntype']) &&
|
| 378 |
|
!array_key_exists($pconfig['netbios_ntype'], $netbios_nodetypes)) {
|
| 379 |
|
$input_errors[] = gettext("The selected NetBIOS Node Type is not valid.");
|
| 380 |
|
}
|
| 381 |
|
}
|
| 382 |
|
|
| 383 |
|
if ($pconfig['maxclients'] && !is_numericint($pconfig['maxclients'])) {
|
| 384 |
|
$input_errors[] = gettext("The field 'Concurrent connections' must be numeric.");
|
| 385 |
|
}
|
| 386 |
|
|
| 387 |
|
if (!array_key_exists($pconfig['topology'], $openvpn_topologies)) {
|
| 388 |
|
$input_errors[] = gettext("The field 'Topology' contains an invalid selection");
|
| 389 |
|
}
|
| 390 |
|
|
| 391 |
|
/* If we are not in shared key mode, then we need the CA/Cert. */
|
| 392 |
|
if ($pconfig['mode'] != "p2p_shared_key") {
|
| 393 |
|
if (empty(trim($pconfig['certref']))) {
|
| 394 |
|
$input_errors[] = gettext("The selected certificate is not valid");
|
| 395 |
|
}
|
| 396 |
|
|
| 397 |
|
if (!empty($pconfig['dh_length']) && !in_array($pconfig['dh_length'], array_keys($openvpn_dh_lengths))) {
|
| 398 |
|
$input_errors[] = gettext("The specified DH Parameter length is invalid or " .
|
| 399 |
|
"the DH file does not exist.");
|
| 400 |
|
}
|
| 401 |
|
|
| 402 |
|
if (!empty($pconfig['ecdh_curve']) && !openvpn_validate_curve($pconfig['ecdh_curve'])) {
|
| 403 |
|
$input_errors[] = gettext("The specified ECDH Curve is invalid.");
|
| 404 |
|
}
|
| 405 |
|
$reqdfields = explode(" ", "caref certref");
|
| 406 |
|
$reqdfieldsn = array(gettext("Certificate Authority"), gettext("Certificate"));
|
| 407 |
|
} elseif (!$pconfig['autokey_enable']) {
|
| 408 |
|
/* We only need the shared key filled in if we are in shared key mode and autokey is not selected. */
|
| 409 |
|
$reqdfields = array('shared_key');
|
| 410 |
|
$reqdfieldsn = array(gettext('Shared key'));
|
| 411 |
|
}
|
| 412 |
|
|
| 413 |
|
if (($pconfig['mode'] == "p2p_shared_key") && strstr($pconfig['data_ciphers_fallback'], "GCM")) {
|
| 414 |
|
$input_errors[] = gettext("GCM Encryption Algorithms cannot be used with Shared Key mode.");
|
| 415 |
|
}
|
| 416 |
|
|
| 417 |
|
if ($pconfig['dev_mode'] == "tap") {
|
| 418 |
|
if (!empty($pconfig['serverbridge_interface']) &&
|
| 419 |
|
!array_key_exists($pconfig['serverbridge_interface'], openvpn_build_bridge_list())) {
|
| 420 |
|
$input_errors[] = gettext("The selected Server Bridge Interface is not valid.");
|
| 421 |
|
}
|
| 422 |
|
|
| 423 |
|
if ($pconfig['serverbridge_dhcp'] && $pconfig['tunnel_network']) {
|
| 424 |
|
$input_errors[] = gettext("Using a tunnel network and server bridge settings together is not allowed.");
|
| 425 |
|
}
|
| 426 |
|
if (($pconfig['serverbridge_dhcp'] && $pconfig['serverbridge_routegateway']) &&
|
| 427 |
|
((empty($pconfig['serverbridge_interface'])) || (strcmp($pconfig['serverbridge_interface'], "none") == 0))) {
|
| 428 |
|
$input_errors[] = gettext("Bridge Route Gateway requires a valid Bridge Interface.");
|
| 429 |
|
}
|
| 430 |
|
if (($pconfig['serverbridge_dhcp_start'] && !$pconfig['serverbridge_dhcp_end']) ||
|
| 431 |
|
(!$pconfig['serverbridge_dhcp_start'] && $pconfig['serverbridge_dhcp_end'])) {
|
| 432 |
|
$input_errors[] = gettext("Server Bridge DHCP Start and End must both be empty, or defined.");
|
| 433 |
|
}
|
| 434 |
|
if (($pconfig['serverbridge_dhcp_start'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_start']))) {
|
| 435 |
|
$input_errors[] = gettext("Server Bridge DHCP Start must be an IPv4 address.");
|
| 436 |
|
}
|
| 437 |
|
if (($pconfig['serverbridge_dhcp_end'] && !is_ipaddrv4($pconfig['serverbridge_dhcp_end']))) {
|
| 438 |
|
$input_errors[] = gettext("Server Bridge DHCP End must be an IPv4 address.");
|
| 439 |
|
}
|
| 440 |
|
if (ip_greater_than($pconfig['serverbridge_dhcp_start'], $pconfig['serverbridge_dhcp_end'])) {
|
| 441 |
|
$input_errors[] = gettext("The Server Bridge DHCP range is invalid (start higher than end).");
|
| 442 |
|
}
|
| 443 |
|
}
|
| 444 |
|
|
| 445 |
|
/* UDP Fast I/O and Exit Notify are not compatible with TCP, so toss the
|
| 446 |
|
* option out when submitted since it can't be set this way
|
| 447 |
|
* legitimately. This also avoids having to perform any more trickery on
|
| 448 |
|
* the stored option to not preserve the value when changing modes. */
|
| 449 |
|
if (strtolower(substr($pconfig['protocol'], 0, 3)) != "udp") {
|
| 450 |
|
if ($pconfig['udp_fast_io']) {
|
| 451 |
|
unset($pconfig['udp_fast_io']);
|
| 452 |
|
}
|
| 453 |
|
if ($pconfig['exit_notify']) {
|
| 454 |
|
unset($pconfig['exit_notify']);
|
| 455 |
|
}
|
| 456 |
|
} else {
|
| 457 |
|
if (!array_key_exists($pconfig['exit_notify'], $openvpn_exit_notify_server)) {
|
| 458 |
|
$input_errors[] = gettext("The Exit Notify value is invalid.");
|
| 459 |
|
}
|
| 460 |
|
}
|
| 461 |
|
|
| 462 |
|
if (!empty($pconfig['sndrcvbuf']) && !array_key_exists($pconfig['sndrcvbuf'], openvpn_get_buffer_values())) {
|
| 463 |
|
$input_errors[] = gettext("The supplied Send/Receive Buffer size is invalid.");
|
| 464 |
|
}
|
| 465 |
|
|
| 466 |
|
if (!empty($pconfig['ping_method']) && !array_key_exists($pconfig['ping_method'], $openvpn_ping_method)) {
|
| 467 |
|
$input_errors[] = gettext("The supplied Ping Method is invalid.");
|
| 468 |
|
}
|
| 469 |
|
if (!empty($pconfig['ping_action']) && !array_key_exists($pconfig['ping_action'], $openvpn_ping_action)) {
|
| 470 |
|
$input_errors[] = gettext("The supplied Ping Action is invalid.");
|
| 471 |
|
}
|
| 472 |
|
if (!empty($pconfig['keepalive_interval']) && !is_numericint($pconfig['keepalive_interval'])) {
|
| 473 |
|
$input_errors[] = gettext("The supplied Keepalive Interval value is invalid.");
|
| 474 |
|
}
|
| 475 |
|
if (!empty($pconfig['keepalive_timeout']) && !is_numericint($pconfig['keepalive_timeout'])) {
|
| 476 |
|
$input_errors[] = gettext("The supplied Keepalive Timeout value is invalid.");
|
| 477 |
|
}
|
| 478 |
|
if (!empty($pconfig['ping_seconds']) && !is_numericint($pconfig['ping_seconds'])) {
|
| 479 |
|
$input_errors[] = gettext("The supplied Ping Seconds value is invalid.");
|
| 480 |
|
}
|
| 481 |
|
if (!empty($pconfig['ping_action_seconds']) && !is_numericint($pconfig['ping_action_seconds'])) {
|
| 482 |
|
$input_errors[] = gettext("The supplied Ping Restart or Exit Seconds value is invalid.");
|
| 483 |
|
}
|
| 484 |
|
if (!empty($pconfig['inactive_seconds']) && !is_numericint($pconfig['inactive_seconds'])) {
|
| 485 |
|
$input_errors[] = gettext("The supplied Inactive Seconds value is invalid.");
|
| 486 |
|
}
|
| 487 |
|
if (!empty($pconfig['ocspurl']) && !is_URL($pconfig['ocspurl'])) {
|
| 488 |
|
$input_errors[] = gettext("OCSP URL must be a valid URL address.");
|
| 489 |
|
}
|
| 490 |
|
if (!empty($pconfig['verbosity_level']) &&
|
| 491 |
|
!array_key_exists($pconfig['verbosity_level'], $openvpn_verbosity_level)) {
|
| 492 |
|
$input_errors[] = gettext("The selected Verbosity Level is not valid.");
|
| 493 |
|
}
|
| 494 |
|
|
| 495 |
|
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
|
| 496 |
|
|
| 497 |
|
if (!$input_errors) {
|
| 498 |
|
|
| 499 |
|
$server = array();
|
| 500 |
|
|
| 501 |
|
if (isset($id) && $a_server[$id] &&
|
| 502 |
|
$pconfig['dev_mode'] <> $a_server[$id]['dev_mode']) {
|
| 503 |
|
/*
|
| 504 |
|
* delete old interface so a new TUN or TAP interface
|
| 505 |
|
* can be created.
|
| 506 |
|
*/
|
| 507 |
|
openvpn_delete('server', $a_server[$id]);
|
| 508 |
|
}
|
| 509 |
|
|
| 510 |
|
if ($vpnid) {
|
| 511 |
|
$server['vpnid'] = $vpnid;
|
| 512 |
|
} else {
|
| 513 |
|
$server['vpnid'] = openvpn_vpnid_next();
|
| 514 |
|
}
|
| 515 |
|
|
| 516 |
|
if ($_POST['disable'] == "yes") {
|
| 517 |
|
$server['disable'] = true;
|
| 518 |
|
}
|
| 519 |
|
$server['mode'] = $pconfig['mode'];
|
| 520 |
|
if (!empty($pconfig['authmode']) && (($pconfig['mode'] == "server_user") || ($pconfig['mode'] == "server_tls_user"))) {
|
| 521 |
|
$server['authmode'] = implode(",", $pconfig['authmode']);
|
| 522 |
|
}
|
| 523 |
|
$server['protocol'] = $pconfig['protocol'];
|
| 524 |
|
$server['dev_mode'] = $pconfig['dev_mode'];
|
| 525 |
|
list($server['interface'], $server['ipaddr']) = explode ("|", $pconfig['interface']);
|
| 526 |
|
$server['local_port'] = $pconfig['local_port'];
|
| 527 |
|
$server['description'] = $pconfig['description'];
|
| 528 |
|
$server['custom_options'] = str_replace("\r\n", "\n", $pconfig['custom_options']);
|
| 529 |
|
|
| 530 |
|
if ($tls_mode) {
|
| 531 |
|
if ($pconfig['tlsauth_enable']) {
|
| 532 |
|
if ($pconfig['autotls_enable']) {
|
| 533 |
|
$pconfig['tls'] = openvpn_create_key();
|
| 534 |
|
}
|
| 535 |
|
$server['tls'] = base64_encode($pconfig['tls']);
|
| 536 |
|
$server['tls_type'] = $pconfig['tls_type'];
|
| 537 |
|
$server['tlsauth_keydir'] = $pconfig['tlsauth_keydir'];
|
| 538 |
|
}
|
| 539 |
|
$server['caref'] = $pconfig['caref'];
|
| 540 |
|
$server['crlref'] = $pconfig['crlref'];
|
| 541 |
|
if ($pconfig['ocspcheck']) {
|
| 542 |
|
$server['ocspcheck'] = "yes";
|
| 543 |
|
}
|
| 544 |
|
$server['ocspurl'] = $pconfig['ocspurl'];
|
| 545 |
|
$server['certref'] = $pconfig['certref'];
|
| 546 |
|
$server['dh_length'] = $pconfig['dh_length'];
|
| 547 |
|
$server['ecdh_curve'] = $pconfig['ecdh_curve'];
|
| 548 |
|
$server['cert_depth'] = $pconfig['cert_depth'];
|
| 549 |
|
if ($pconfig['mode'] == "server_tls_user") {
|
| 550 |
|
$server['strictusercn'] = $pconfig['strictusercn'];
|
| 551 |
|
}
|
| 552 |
|
$server['remote_cert_tls'] = $pconfig['remote_cert_tls'];
|
| 553 |
|
} else {
|
| 554 |
|
$server['shared_key'] = base64_encode($pconfig['shared_key']);
|
| 555 |
|
}
|
| 556 |
|
|
| 557 |
|
$server['data_ciphers_fallback'] = $pconfig['data_ciphers_fallback'];
|
| 558 |
|
$server['digest'] = $pconfig['digest'];
|
| 559 |
|
$server['engine'] = $pconfig['engine'];
|
| 560 |
|
|
| 561 |
|
$server['tunnel_network'] = trim($pconfig['tunnel_network']);
|
| 562 |
|
$server['tunnel_networkv6'] = trim($pconfig['tunnel_networkv6']);
|
| 563 |
|
$server['remote_network'] = $pconfig['remote_network'];
|
| 564 |
|
$server['remote_networkv6'] = $pconfig['remote_networkv6'];
|
| 565 |
|
$server['gwredir'] = $pconfig['gwredir'];
|
| 566 |
|
$server['gwredir6'] = $pconfig['gwredir6'];
|
| 567 |
|
$server['local_network'] = $pconfig['local_network'];
|
| 568 |
|
$server['local_networkv6'] = $pconfig['local_networkv6'];
|
| 569 |
|
$server['maxclients'] = $pconfig['maxclients'];
|
| 570 |
|
$server['allow_compression'] = $pconfig['allow_compression'];
|
| 571 |
|
$server['compression'] = $pconfig['compression'];
|
| 572 |
|
$server['compression_push'] = $pconfig['compression_push'];
|
| 573 |
|
$server['passtos'] = $pconfig['passtos'];
|
| 574 |
|
$server['client2client'] = $pconfig['client2client'];
|
| 575 |
|
|
| 576 |
|
$server['dynamic_ip'] = $pconfig['dynamic_ip'];
|
| 577 |
|
$server['topology'] = $pconfig['topology'];
|
| 578 |
|
|
| 579 |
|
$server['serverbridge_dhcp'] = $pconfig['serverbridge_dhcp'];
|
| 580 |
|
$server['serverbridge_interface'] = $pconfig['serverbridge_interface'];
|
| 581 |
|
$server['serverbridge_routegateway'] = $pconfig['serverbridge_routegateway'];
|
| 582 |
|
$server['serverbridge_dhcp_start'] = $pconfig['serverbridge_dhcp_start'];
|
| 583 |
|
$server['serverbridge_dhcp_end'] = $pconfig['serverbridge_dhcp_end'];
|
| 584 |
|
|
| 585 |
|
if ($pconfig['dns_domain_enable']) {
|
| 586 |
|
$server['dns_domain'] = $pconfig['dns_domain'];
|
| 587 |
|
}
|
| 588 |
|
|
| 589 |
|
if ($pconfig['dns_server_enable']) {
|
| 590 |
|
$server['dns_server1'] = $pconfig['dns_server1'];
|
| 591 |
|
$server['dns_server2'] = $pconfig['dns_server2'];
|
| 592 |
|
$server['dns_server3'] = $pconfig['dns_server3'];
|
| 593 |
|
$server['dns_server4'] = $pconfig['dns_server4'];
|
| 594 |
|
}
|
| 595 |
|
|
| 596 |
|
if ($pconfig['push_blockoutsidedns']) {
|
| 597 |
|
$server['push_blockoutsidedns'] = $pconfig['push_blockoutsidedns'];
|
| 598 |
|
}
|
| 599 |
|
|
| 600 |
|
$server['username_as_common_name'] = ($pconfig['username_as_common_name'] == 'yes') ? "enabled" : "disabled";
|
| 601 |
|
|
| 602 |
|
if ($pconfig['udp_fast_io']) {
|
| 603 |
|
$server['udp_fast_io'] = $pconfig['udp_fast_io'];
|
| 604 |
|
}
|
| 605 |
|
if ($pconfig['exit_notify']) {
|
| 606 |
|
$server['exit_notify'] = $pconfig['exit_notify'];
|
| 607 |
|
}
|
| 608 |
|
$server['sndrcvbuf'] = $pconfig['sndrcvbuf'];
|
| 609 |
|
if ($pconfig['push_register_dns']) {
|
| 610 |
|
$server['push_register_dns'] = $pconfig['push_register_dns'];
|
| 611 |
|
}
|
| 612 |
|
|
| 613 |
|
if ($pconfig['ntp_server_enable']) {
|
| 614 |
|
$server['ntp_server1'] = $pconfig['ntp_server1'];
|
| 615 |
|
$server['ntp_server2'] = $pconfig['ntp_server2'];
|
| 616 |
|
}
|
| 617 |
|
|
| 618 |
|
$server['netbios_enable'] = $pconfig['netbios_enable'];
|
| 619 |
|
$server['netbios_ntype'] = $pconfig['netbios_ntype'];
|
| 620 |
|
$server['netbios_scope'] = $pconfig['netbios_scope'];
|
| 621 |
|
|
| 622 |
|
$server['create_gw'] = $pconfig['create_gw'];
|
| 623 |
|
$server['verbosity_level'] = $pconfig['verbosity_level'];
|
| 624 |
|
|
| 625 |
|
if ($pconfig['netbios_enable']) {
|
| 626 |
|
|
| 627 |
|
if ($pconfig['wins_server_enable']) {
|
| 628 |
|
$server['wins_server1'] = $pconfig['wins_server1'];
|
| 629 |
|
$server['wins_server2'] = $pconfig['wins_server2'];
|
| 630 |
|
}
|
| 631 |
|
|
| 632 |
|
if ($pconfig['dns_server_enable']) {
|
| 633 |
|
$server['nbdd_server1'] = $pconfig['nbdd_server1'];
|
| 634 |
|
}
|
| 635 |
|
}
|
| 636 |
|
|
| 637 |
|
if ($_POST['duplicate_cn'] == "yes") {
|
| 638 |
|
$server['duplicate_cn'] = true;
|
| 639 |
|
}
|
| 640 |
|
|
| 641 |
|
if (!empty($pconfig['data_ciphers'])) {
|
| 642 |
|
$server['data_ciphers'] = implode(",", $pconfig['data_ciphers']);
|
| 643 |
|
}
|
| 644 |
|
|
| 645 |
|
$server['ncp_enable'] = $pconfig['ncp_enable'];
|
| 646 |
|
|
| 647 |
|
$server['ping_method'] = $pconfig['ping_method'];
|
| 648 |
|
$server['keepalive_interval'] = $pconfig['keepalive_interval'];
|
| 649 |
|
$server['keepalive_timeout'] = $pconfig['keepalive_timeout'];
|
| 650 |
|
$server['ping_seconds'] = $pconfig['ping_seconds'];
|
| 651 |
|
$server['ping_push'] = $pconfig['ping_push'];
|
| 652 |
|
$server['ping_action'] = $pconfig['ping_action'];
|
| 653 |
|
$server['ping_action_seconds'] = $pconfig['ping_action_seconds'];
|
| 654 |
|
$server['ping_action_push'] = $pconfig['ping_action_push'];
|
| 655 |
|
$server['inactive_seconds'] = $pconfig['inactive_seconds'];
|
| 656 |
|
|
| 657 |
|
if (isset($id) && $a_server[$id]) {
|
| 658 |
|
$a_server[$id] = $server;
|
| 659 |
|
$wc_msg = sprintf(gettext('Updated OpenVPN server on %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($server['interface']), $server['local_port'], $server['description']);
|
| 660 |
|
} else {
|
| 661 |
|
$a_server[] = $server;
|
| 662 |
|
$wc_msg = sprintf(gettext('Added OpenVPN server on %1$s:%2$s %3$s'), convert_friendly_interface_to_friendly_descr($server['interface']), $server['local_port'], $server['description']);
|
| 663 |
|
}
|
| 664 |
|
|
| 665 |
|
write_config($wc_msg);
|
| 666 |
|
openvpn_resync('server', $server);
|
| 667 |
|
openvpn_resync_csc_all();
|
| 668 |
|
|
| 669 |
|
header("Location: vpn_openvpn_server.php");
|
| 670 |
|
exit;
|
| 671 |
|
}
|
| 672 |
|
|
| 673 |
|
if (!empty($pconfig['data_ciphers'])) {
|
| 674 |
|
$pconfig['data_ciphers'] = implode(",", $pconfig['data_ciphers']);
|
| 675 |
|
}
|
| 676 |
|
|
| 677 |
|
if (!empty($pconfig['authmode'])) {
|
| 678 |
|
$pconfig['authmode'] = implode(",", $pconfig['authmode']);
|
| 679 |
|
}
|
|
107 |
$rv = saveOpenVPNServer($_POST['vpnid'], $id, $_POST);
|
|
108 |
$pconfig = $rv['pconfig'];
|
|
109 |
$input_errors = $rv['input_errors'];
|
| 680 |
110 |
}
|
| 681 |
111 |
|
| 682 |
112 |
$pgtitle = array(gettext("VPN"), gettext("OpenVPN"), gettext("Servers"));
|
Move OPenVPN server save functionality to include file