<?php

/* $Id$ */
/*
	$RCSfile$
	
	Copyright (C) 2008 Scott Ullrich <sullrich@gmail.com>
	All rights reserved.
	
	Copyright (C) 2006  Fernando Lemos
	All rights reserved.

	This file was rewritten from scratch by Fernando Lemos but
	*MIGHT* contain code previously written by:

	Copyright (C) 2005 Peter Allgeyer <allgeyer_AT_web.de>
	All rights reserved.

	Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
	All rights reserved.

	Redistribution and use in source and binary forms, with or without
	modification, are permitted provided that the following conditions are met:

	1. Redistributions of source code must retain the above copyright notices,
	   this list of conditions and the following disclaimer.

	2. Redistributions in binary form must reproduce the above copyright
	   notices, this list of conditions and the following disclaimer in the
	   documentation and/or other materials provided with the distribution.

	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
	POSSIBILITY OF SUCH DAMAGE.
	
	DISABLE_PHP_LINT_CHECKING
	
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/openvpn	/usr/bin/openssl	/sbin/ifconfig
	pfSense_MODULE:	openvpn

*/

/*
 * OpenVPN helper library. The functions below generate key material,
 * allocate instance ids/ports, validate form input, write per-instance
 * configuration files under $g['varetc_path']/openvpn and start/stop the
 * openvpn daemons. Instance settings come from $config['openvpn'].
 */
require_once('config.inc');
require_once("certs.inc");
require_once('pfsense-utils.inc');
require_once("auth.inc");

/* transport protocols an instance may use; compared against $settings['protocol'] */
$openvpn_prots = array("UDP", "TCP");

/* kernel device types; $settings['dev_mode'] defaults to "tun" when unset */
$openvpn_dev_mode = array("tun", "tap");

/* 
 * The User Auth mode below is disabled because
 * OpenVPN erroneously requires that we provide
 * a CA configuration parameter. In this mode,
 * clients don't send a certificate so there is
 * no need for a CA. If we require that admins
 * provide one in the pfSense UI due to a bogus
 * requirement imposed by OpenVPN, it could be
 * considered very confusing ( I know I was ).
 *
 * -mgrooms
 */

/* DH parameter sizes offered by the UI; the server config references
 * $g['etc_path']/dh-parameters.<size> (see openvpn_reconfigure()) */
$openvpn_dh_lengths = array(
	1024, 2048, 4096 );

/* $settings['mode'] keys for servers and their UI labels */
$openvpn_server_modes = array(
	'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"),
	'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )"),
	'server_tls' => gettext("Remote Access ( SSL/TLS )"),
	'server_user' => gettext("Remote Access ( User Auth )"),
	'server_tls_user' => gettext("Remote Access ( SSL/TLS + User Auth )"));

/* $settings['mode'] keys for clients and their UI labels */
$openvpn_client_modes = array(
	'p2p_tls' => gettext("Peer to Peer ( SSL/TLS )"),
	'p2p_shared_key' => gettext("Peer to Peer ( Shared Key )") );
/*
 * Generate a new OpenVPN static (shared) key by running
 * `openvpn --genkey` and capturing what it writes to stdout.
 *
 * Returns the key text, or false when the openvpn process could not be
 * started. An empty string is possible if openvpn ran but produced no
 * output; callers should not treat the result as valid without checking.
 */
function openvpn_create_key() {
	$cmd = "/usr/local/sbin/openvpn --genkey --secret /dev/stdout 2>/dev/null";

	$proc = popen($cmd, "r");
	if ($proc === false)
		return false;

	$key = stream_get_contents($proc);
	pclose($proc);

	return $key;
}
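/*
 * Generate Diffie-Hellman parameters of the requested size by running
 * `openssl dhparam <bits>` and capturing the PEM output.
 *
 * $bits ends up on a shell command line, so it is reduced to a positive
 * integer first; any other value returns false without running openssl.
 * The UI offers the sizes listed in $openvpn_dh_lengths, but this function
 * does not depend on that global.
 *
 * Returns the PEM text, or false if the size is invalid or the openssl
 * process could not be started. stream_get_contents() reads to EOF, so the
 * call blocks until openssl has finished.
 */
function openvpn_create_dhparams($bits) {
	/* only a bare positive integer may reach the shell */
	if (!is_numeric($bits) || (int)$bits <= 0)
		return false;
	$bits = (int)$bits;

	$fp = popen("/usr/bin/openssl dhparam {$bits} 2>/dev/null", "r");
	if (!$fp)
		return false;

	$rslt = stream_get_contents($fp);
	pclose($fp);

	return $rslt;
}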
/*
 * Tell whether $vpnid is already taken by any configured OpenVPN server
 * or client instance in $config['openvpn'].
 *
 * The loose (==) comparison is intentional so that string and integer
 * forms of the same id match. Returns true when the id is in use.
 */
function openvpn_vpnid_used($vpnid) {
	global $config;

	$sections = array('openvpn-server', 'openvpn-client');
	foreach ($sections as $section) {
		if (!is_array($config['openvpn'][$section]))
			continue;
		foreach ($config['openvpn'][$section] as $instance) {
			if ($instance['vpnid'] == $vpnid)
				return true;
		}
	}

	return false;
}
/*
 * Return the lowest vpnid (starting at 1) not yet used by any server or
 * client instance, as reported by openvpn_vpnid_used().
 */
function openvpn_vpnid_next() {
	for ($candidate = 1; ; $candidate++) {
		if (!openvpn_vpnid_used($candidate))
			return $candidate;
	}
}
/*
 * Look for an enabled server or client instance already bound to
 * $port over protocol $prot ("UDP"/"TCP").
 *
 * Returns that instance's vpnid, or 0 when the port/protocol pair is
 * free. Disabled instances are ignored. Comparisons are loose (==) so
 * string and integer ports match.
 */
function openvpn_port_used($prot, $port) {
	global $config;

	foreach (array('openvpn-server', 'openvpn-client') as $section) {
		if (!is_array($config['openvpn'][$section]))
			continue;
		foreach ($config['openvpn'][$section] as $instance) {
			if (isset($instance['disable']))
				continue;
			$same_port = ($instance['local_port'] == $port);
			$same_prot = ($instance['protocol'] == $prot);
			if ($same_port && $same_prot)
				return $instance['vpnid'];
		}
	}

	return 0;
}
/*
 * Return the first port at or above 1194 that no enabled instance uses
 * with protocol $prot, according to openvpn_port_used().
 */
function openvpn_port_next($prot) {
	for ($candidate = 1194; ; $candidate++) {
		if (!openvpn_port_used($prot, $candidate))
			return $candidate;
	}
}
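/*
 * Build the cipher choices for the UI from `openvpn --show-ciphers`.
 *
 * Each output line is reduced by grep/awk to "<name> (<size>-<unit>)"; the
 * result maps cipher name => "<name> (<size>-<unit>)", sorted by name, plus
 * a trailing "none" entry meaning no encryption.
 *
 * Lines that do not carry both columns (in particular the single empty
 * line produced when openvpn prints nothing) used to become a bogus
 * "" => " " entry and raise an undefined-index notice; they are skipped.
 */
function openvpn_get_cipherlist() {

	$ciphers = array();
	$cipher_out = shell_exec('/usr/local/sbin/openvpn --show-ciphers | /usr/bin/grep "default key" | /usr/bin/awk \'{print $1, "(" $2 "-" $3 ")";}\'');
	$cipher_lines = explode("\n", trim((string)$cipher_out));
	sort($cipher_lines);
	foreach ($cipher_lines as $line) {
		$words = explode(' ', $line);
		/* need a cipher name and a size column; skip anything else */
		if ($words[0] === '' || !isset($words[1]))
			continue;
		$ciphers[$words[0]] = "{$words[0]} {$words[1]}";
	}
	$ciphers["none"] = gettext("None (No Encryption)");
	return $ciphers;
}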
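/*
 * List the OpenSSL engines available for the "engine" directive.
 *
 * Runs `openssl engine` and parses lines of the form "(id) description"
 * into id => description, always starting with a 'none' entry. The
 * "dynamic" loader pseudo-engine is excluded.
 *
 * A line that does not match the pattern is ignored; previously it
 * produced an undefined-index notice and a spurious "" => null entry.
 */
function openvpn_get_engines() {
	$openssl_engines = array('none' => 'No Hardware Crypto Acceleration');
	$openssl_engine_output = array();
	exec("/usr/bin/openssl engine", $openssl_engine_output);
	foreach ($openssl_engine_output as $oeo) {
		$linematch = array();
		if (preg_match("/\((.*)\)\s(.*)/", $oeo, $linematch) !== 1)
			continue;
		if ($linematch[1] === "dynamic")
			continue;
		$openssl_engines[$linematch[1]] = $linematch[2];
	}
	return $openssl_engines;
}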
/*
 * Return true when $engine is one of the ids reported by
 * openvpn_get_engines() (this includes the 'none' placeholder).
 */
function openvpn_validate_engine($engine) {
	$known = openvpn_get_engines();
	return array_key_exists($engine, $known);
}
/*
 * Form validator: $value must be a non-empty IP address or domain name.
 *
 * Returns false when the value is acceptable, otherwise a translated
 * error message naming the field $name (the convention shared by the
 * other openvpn_validate_* helpers).
 */
function openvpn_validate_host($value, $name) {
	$host = trim($value);
	$acceptable = !empty($host) && (is_domain($host) || is_ipaddr($host));
	if ($acceptable)
		return false;
	return sprintf(gettext("The field '%s' must contain a valid IP address or domain name."), $name);
}
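/*
 * Form validator: $value must be a number between 0 and 65535.
 *
 * Returns false when the value is acceptable, otherwise a translated
 * error message naming the field $name.
 *
 * "0" is a legal value here: the message and the `< 0` test both admit
 * it, and client instances are written with "lport 0". The previous
 * empty() check rejected it because empty("0") is true in PHP, so the
 * emptiness test is an explicit comparison against ''.
 */
function openvpn_validate_port($value, $name) {
	$value = trim($value);
	if ($value === '' || !is_numeric($value) || $value < 0 || ($value > 65535))
		return sprintf(gettext("The field '%s' must contain a valid port, ranging from 0 to 65535."), $name);
	return false;
}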
/*
 * Form validator: $value is optional, but when given it must be an IPv4
 * network in "address/prefix" form with a prefix of 0..32.
 *
 * Returns false when the value is empty or acceptable, otherwise a
 * translated error message naming the field $name.
 */
function openvpn_validate_cidr($value, $name) {
	$cidr = trim($value);
	if (empty($cidr))
		return false;

	list($network, $prefix) = explode('/', $cidr);
	$acceptable = is_ipaddr($network) && is_numeric($prefix)
		&& ($prefix <= 32) && ($prefix >= 0);
	if ($acceptable)
		return false;
	return sprintf(gettext("The field '%s' must contain a valid CIDR range."), $name);
}
/*
 * Append the "push dhcp-option ..." directives for a server instance (or
 * a client-specific override, see openvpn_resync_csc()) to $conf.
 *
 * Every value is taken from $settings as-is and only emitted when
 * non-empty; NetBIOS related options are gated on netbios_enable, and a
 * gwredir flag adds "redirect-gateway def1". Values are interpolated
 * into the config unquoted, so they are assumed to have been validated
 * by the form that stored them.
 */
function openvpn_add_dhcpopts(& $settings, & $conf) {

	/* settings key => dhcp-option keyword, in output order */
	$general = array(
		'dns_domain'  => 'DOMAIN',
		'dns_server1' => 'DNS',
		'dns_server2' => 'DNS',
		'dns_server3' => 'DNS',
		'dns_server4' => 'DNS',
		'ntp_server1' => 'NTP',
		'ntp_server2' => 'NTP',
	);
	foreach ($general as $key => $keyword) {
		if (!empty($settings[$key]))
			$conf .= "push \"dhcp-option {$keyword} {$settings[$key]}\"\n";
	}

	if ($settings['netbios_enable']) {
		/* a node type of 0 is skipped just like an empty one */
		if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0))
			$conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";

		$netbios = array(
			'dhcp_nbtscope' => 'NBS',
			'wins_server1'  => 'WINS',
			'wins_server2'  => 'WINS',
			'nbdd_server1'  => 'NBDD',
		);
		foreach ($netbios as $key => $keyword) {
			if (!empty($settings[$key]))
				$conf .= "push \"dhcp-option {$keyword} {$settings[$key]}\"\n";
		}
	}

	if ($settings['gwredir'])
		$conf .= "push \"redirect-gateway def1\"\n";
}
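/*
 * Append the administrator's free-form "custom options" to $conf.
 *
 * $settings['custom_options'] is split on ';' and every piece becomes
 * one verbatim configuration line. This is an intentional pass-through
 * of arbitrary OpenVPN directives from the instance's configuration.
 *
 * explode() always returns an array, so the former "else" branch that
 * wrote the raw string was unreachable and has been dropped.
 */
function openvpn_add_custom(& $settings, & $conf) {

	if (empty($settings['custom_options']))
		return;

	foreach (explode(';', $settings['custom_options']) as $option)
		$conf .= "{$option}\n";
}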
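/*
 * Write one piece of base64-encoded key material to
 * $g['varetc_path']/openvpn/<mode_id>.<directive> and append the
 * matching "<directive> <path> <opt>" line to $conf.
 *
 * $data      base64 text as stored in the config (CA/cert/key/tls-auth/
 *            shared secret/CRL); decoded before writing
 * $conf      configuration being assembled, passed by reference
 * $mode_id   instance id such as "server1" or "client2"
 * $directive OpenVPN keyword, also used as the file extension
 * $opt       optional trailing argument (e.g. the tls-auth direction)
 *
 * Files are created under umask 077 so private keys are never briefly
 * world-readable before the chmod; umask is process-wide and is restored
 * right after the write. Returns true when the file was written.
 */
function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive, $opt = "") {
	global $g;

	$fpath = $g['varetc_path']."/openvpn/{$mode_id}.{$directive}";

	$oldmask = umask(077);
	$written = file_put_contents($fpath, base64_decode($data));
	umask($oldmask);
	/* a pre-existing file keeps its old mode, so still force 0600 */
	if ($written !== false)
		@chmod($fpath, 0600);

	$conf .= "{$directive} {$fpath} {$opt}\n";

	return ($written !== false);
}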
/*
 * Build and write the OpenVPN configuration for one instance.
 *
 * $mode is 'server' or 'client'; $settings is that instance's entry from
 * $config['openvpn'] (see openvpn_resync_all()). The function
 *   - returns early for an empty or disabled instance;
 *   - makes sure the kernel device ovpns<N>/ovpnc<N> exists (created as
 *     <dev_mode><N>, renamed, and put into the "openvpn" group);
 *   - assembles the directive list in $conf, writing key/cert material to
 *     separate files through openvpn_add_keyfile();
 *   - writes $conf to $g['varetc_path']/openvpn/<mode><N>.conf and
 *     restricts the sensitive files to 0600.
 *
 * Nothing is returned. The daemon itself is (re)started separately by
 * openvpn_restart().
 */
function openvpn_reconfigure($mode, $settings) {
	global $g, $config;

	if (empty($settings))
		return;
	if (isset($settings['disable'])) 
		return;

	/*
	 * NOTE: Deleting tap devices causes spontaneous reboots. Instead,
	 * we use a vpnid number which is allocated for a particular client
	 * or server configuration. ( see openvpn_vpnid_next() )
	 */

	$vpnid = $settings['vpnid'];
	$mode_id = $mode.$vpnid;

	/* $tunname is the kernel's name for the device, $devname ours */
	if (isset($settings['dev_mode']))
		$tunname = "{$settings['dev_mode']}{$vpnid}";
	else {	/* defaults to tun */
		$tunname = "tun{$vpnid}";
		$settings['dev_mode'] = "tun";
	}

	if ($mode == "server")
		$devname = "ovpns{$vpnid}";
	else
		$devname = "ovpnc{$vpnid}";

	/* is our device already configured (mwexec is non-zero when ifconfig fails) */
	if (mwexec("/sbin/ifconfig {$devname}")) {

		/* create the tap device if required */
		if (!file_exists("/dev/{$tunname}"))
			exec("/sbin/ifconfig {$tunname} create");

		/* rename the device */
		mwexec("/sbin/ifconfig {$tunname} name {$devname}");

		/* add the device to the openvpn group */
		mwexec("/sbin/ifconfig {$devname} group openvpn");
	}

	$pfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid";
	$proto = ($settings['protocol'] == 'UDP' ? 'udp' : "tcp-{$mode}");
	$dev_mode = $settings['dev_mode'];
	/* cipher name is written as stored; presumably the UI only offers
	 * entries from openvpn_get_cipherlist() - confirm */
	$cipher = $settings['crypto'];

	$interface = $settings['interface'];
	$ipaddr = $settings['ipaddr'];
	$ipaddrv6 = $settings['ipaddrv6'];

	// If a specific ip address (VIP) is requested, use it.
	// Otherwise, if a specific interface is requested, use it
	// If "any" interface was selected, local directive will be omitted.
	// $iface_ip / $iface_ipv6 stay unset when nothing applies; the
	// is_ipaddrv4/6 tests further down treat that as "no local directive".
	if (is_ipaddrv4($ipaddr)) {
		$iface_ip=$ipaddr;
	} elseif (is_ipaddrv6($ipaddrv6)) {
		$iface_ipv6=$ipaddrv6;
	} else {
		if ((!empty($interface)) && (strcmp($interface, "any"))) {
			$iface_ip=get_interface_ip($interface);
		}
		if ((!empty($interface)) && (strcmp($interface, "any"))) {
			$iface_ipv6=get_interface_ipv6($interface);
		}
	}

	$conf  = "dev {$devname}\n";
	$conf .= "dev-type {$settings['dev_mode']}\n";
	switch($settings['dev_mode']) {
		case "tun":
			$conf .= "tun-ipv6\n";
			break;
	}
	$conf .= "dev-node /dev/{$tunname}\n";
	$conf .= "writepid {$pfile}\n";
	// user/group stay commented out: the daemon keeps running as root
	$conf .= "#user nobody\n";
	$conf .= "#group nobody\n";
	// level 3 is required for the "auth-user-pass-verify ... via-env"
	// directive emitted below (passwords handed to the script via env)
	$conf .= "script-security 3\n";
	$conf .= "daemon\n";
	$conf .= "keepalive 10 60\n";
	$conf .= "ping-timer-rem\n";
	$conf .= "persist-tun\n";
	$conf .= "persist-key\n";
	$conf .= "proto {$proto}\n";
	$conf .= "cipher {$cipher}\n";
	$conf .= "up /usr/local/sbin/ovpn-linkup\n";
	$conf .= "down /usr/local/sbin/ovpn-linkdown\n";

	if (is_ipaddrv4($iface_ip)) {
		$conf .= "local {$iface_ip}\n";	
	}
	if (is_ipaddrv6($iface_ipv6)) {
		// IPv6 "local" is intentionally not emitted yet
		// $conf .= "local {$iface_ipv6}\n";	
	}

	/* only an engine id reported by openssl itself is written */
	if (openvpn_validate_engine($settings['engine']) && ($settings['engine'] != "none"))
		$conf .= "engine {$settings['engine']}\n";

	// server specific settings
	if ($mode == 'server') {

		list($ip, $cidr) = explode('/', $settings['tunnel_network']);
		list($ipv6, $prefix) = explode('/', $settings['tunnel_networkv6']);
		$mask = gen_subnet_mask($cidr);

		// configure tls modes
		switch($settings['mode']) {
			case 'p2p_tls':
			case 'server_tls':
			case 'server_user':
			case 'server_tls_user':
				$conf .= "tls-server\n";
				break;
		}

		// configure p2p/server modes
		switch($settings['mode']) {
			case 'p2p_tls':
				// If the CIDR is less than a /30, OpenVPN will complain if you try to
				//  use the server directive. It works for a single client without it.
				//  See ticket #1417
				if ($cidr < 30) {
					$conf .= "server {$ip} {$mask}\n";
					$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
				}
				// falls through: p2p_tls also gets the point-to-point ifconfig
			case 'p2p_shared_key':
				$baselong = ip2long32($ip) & ip2long($mask);
				$ip1 = long2ip32($baselong + 1);
				$ip2 = long2ip32($baselong + 2);
				$conf .= "ifconfig $ip1 $ip2\n";
				break;
			case 'server_tls':
			case 'server_user':
			case 'server_tls_user':
				$conf .= "server {$ip} {$mask}\n";
				if(is_ipaddr($ipv6))
					$conf .= "server-ipv6 {$ipv6}/{$prefix}\n";
				$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
				break;
		}

		// configure user auth modes
		switch($settings['mode']) {
			case 'server_user':
				$conf .= "client-cert-not-required\n";
				// falls through: user-auth modes share the settings below
			case 'server_tls_user':
				$conf .= "username-as-common-name\n";
				if (!empty($settings['authmode'])) {
					// Build a PHP snippet ($authmodes array, optional
					// $strictusercn, $modeid) and splice it over the
					// "//<template>" marker of openvpn.auth-user.php via sed.
					// NOTE(review): the auth server names and $mode_id end
					// up inside a single-quoted sed expression and inside
					// generated PHP; this assumes they contain no quotes,
					// slashes, newlines or shell metacharacters - presumably
					// enforced where authmode is stored, confirm.
					$authcfgs = explode(",", $settings['authmode']);
					$sed = "\$authmodes=array(";
					$firstsed = 0;
					foreach ($authcfgs as $authcfg) {
						if ($firstsed > 0)
							$sed .= ",";
						$firstsed = 1;
						$sed .= "\"{$authcfg}\"";
					}
					$sed .= ");\\\n";
					if ($settings['strictusercn'])
						$sed .= "\$strictusercn = true;";
					$sed .= " \$modeid = \"{$mode_id}\";";
					mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' >  {$g['varetc_path']}/openvpn/{$mode_id}.php");
					mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
					$conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
				}
				break;
		}

		// The local port to listen on
		$conf .= "lport {$settings['local_port']}\n";

		// The management port to listen on
		// Use unix socket to overcome the problem on any type of server
		$conf .= "management {$g['varetc_path']}/openvpn/{$mode_id}.sock unix\n";
		//$conf .= "management 127.0.0.1 {$settings['local_port']}\n";

		if ($settings['maxclients'])
			$conf .= "max-clients {$settings['maxclients']}\n";

		// Can we push routes
		if ($settings['local_network']) {
			list($ip, $mask) = explode('/', $settings['local_network']);
			$mask = gen_subnet_mask($mask);
			$conf .= "push \"route $ip $mask\"\n";
		}
		if ($settings['local_networkv6']) {
			list($ipv6, $prefix) = explode('/', $settings['local_networkv6']);
			$conf .= "push \"route-ipv6 $ipv6/$prefix\"\n";
		}

		switch($settings['mode']) {
			case 'server_tls':
			case 'server_user':
			case 'server_tls_user':
				// Configure client dhcp options
				openvpn_add_dhcpopts($settings, $conf);
				if ($settings['client2client'])
					$conf .= "client-to-client\n";
				break;
		}
		if (isset($settings['duplicate_cn']))
			$conf .= "duplicate-cn\n";
	}

	// client specific settings

	if ($mode == 'client') {

		// configure p2p mode
		// NOTE(review): 'shared_key' is not a key of $openvpn_client_modes
		// ('p2p_shared_key' is), so only p2p_tls reaches the "client"
		// directive here; presumably intended, since "client" implies
		// TLS - confirm.
		switch($settings['mode']) {
			case 'p2p_tls':
				$conf .= "tls-client\n";
			case 'shared_key':
				$conf .= "client\n";
				break;
		}

		// If there is no bind option at all (ip and/or port), add "nobind" directive
		//  Otherwise, use the local port if defined, failing that, use lport 0 to 
		//  ensure a random source port.
		if ((empty($iface_ip)) && (!$settings['local_port']))
			$conf .= "nobind\n";
		elseif ($settings['local_port'])
			$conf .= "lport {$settings['local_port']}\n";
		else
			$conf .= "lport 0\n";

		// Use unix socket to overcome the problem on any type of server
		$conf .= "management {$g['varetc_path']}/openvpn/{$mode_id}.sock unix\n";

		// The remote server
		$conf .= "remote {$settings['server_addr']} {$settings['server_port']}\n";

		if (!empty($settings['use_shaper']))
			$conf .= "shaper {$settings['use_shaper']}\n";

		// point-to-point addresses are the mirror image of the server's
		// "ifconfig $ip1 $ip2" above
		if (!empty($settings['tunnel_network'])) {
			list($ip, $mask) = explode('/', $settings['tunnel_network']);
			$mask = gen_subnet_mask($mask);
			$baselong = ip2long32($ip) & ip2long($mask);
			$ip1 = long2ip32($baselong + 1);
			$ip2 = long2ip32($baselong + 2);
			$conf .= "ifconfig $ip2 $ip1\n";
		}

		if ($settings['proxy_addr']) {
			$conf .= "http-proxy {$settings['proxy_addr']} {$settings['proxy_port']}";
			if ($settings['proxy_authtype'] != "none") {
				// NOTE(review): the .pas file carries the proxy username and
				// password in clear text, is written with the default umask,
				// and is not among the chmod 0600 calls at the end of this
				// function (only .conf/.key/.tls-auth are).
				$conf .= " {$g['varetc_path']}/openvpn/{$mode_id}.pas {$settings['proxy_authtype']}";
				$proxypas = "{$settings['proxy_user']}\n";
				$proxypas .= "{$settings['proxy_passwd']}\n";
				file_put_contents("{$g['varetc_path']}/openvpn/{$mode_id}.pas", $proxypas);
			}
			$conf .= " \n";
		}
	}

	// Add a remote network route if set
	if ($settings['remote_network']) {
		list($ip, $mask) = explode('/', $settings['remote_network']);
		$mask = gen_subnet_mask($mask);
		$conf .= "route $ip $mask\n";
	}

	// Write the settings for the keys
	// (openvpn_add_keyfile() decodes the base64 config data into
	//  <mode_id>.<directive> and appends the directive to $conf)
	switch($settings['mode']) {
		case 'p2p_shared_key':
			openvpn_add_keyfile($settings['shared_key'], $conf, $mode_id, "secret");
			break;
		case 'p2p_tls':
		case 'server_tls':
		case 'server_tls_user':
		case 'server_user':
			$ca = lookup_ca($settings['caref']);
			openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
			$cert = lookup_cert($settings['certref']);
			openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
			openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
			if ($mode == 'server')
				$conf .= "dh {$g['etc_path']}/dh-parameters.{$settings['dh_length']}\n";
			if (!empty($settings['crlref'])) {
				$crl = lookup_crl($settings['crlref']);
				crl_update($crl);
				openvpn_add_keyfile($crl['text'], $conf, $mode_id, "crl-verify");
			}
			if ($settings['tls']) {
				// tls-auth key direction: 0 on the server, 1 on the client
				if ($mode == "server") 
					$tlsopt = 0;
				else
					$tlsopt = 1;
				openvpn_add_keyfile($settings['tls'], $conf, $mode_id, "tls-auth", $tlsopt);
			}
			break;
	}

	if ($settings['compression'])
		$conf .= "comp-lzo\n";

	if ($settings['passtos'])
		$conf .= "passtos\n";

	if ($settings['resolve_retry'])
		$conf .= "resolv-retry infinite\n";

	if ($settings['dynamic_ip']) {
		$conf .= "persist-remote-ip\n";
		$conf .= "float\n";
	}

	openvpn_add_custom($settings, $conf);

	$fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
	file_put_contents($fpath, $conf);
	//chown($fpath, 'nobody');
	//chgrp($fpath, 'nobody');
	// tighten the files that hold secrets (.conf is chmod'd twice)
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.conf", 0600);
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.key", 0600);
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.tls-auth", 0600);
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.conf", 0600);
}
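/*
 * Stop the running daemon for one instance (if any) and start it again
 * from $g['varetc_path']/openvpn/<mode><N>.conf, unless the instance is
 * disabled.
 *
 * $mode is 'server' or 'client'; $settings is the instance's config entry.
 *
 * The pid is taken from $g['varrun_path']/openvpn_<mode><N>.pid. Only a
 * positive integer is ever passed to posix_kill(): a 0 or negative value
 * would signal a whole process group (or every process), so a stale or
 * corrupt pid file must not reach it. The wait for the old process is
 * bounded; after ~30 s it is killed with SIGKILL so the restart cannot
 * hang indefinitely behind a daemon that ignores SIGTERM.
 *
 * After a start outside of boot a "filter reload" event is sent.
 */
function openvpn_restart($mode, $settings) {
	global $g, $config;

	$vpnid = $settings['vpnid'];
	$mode_id = $mode.$vpnid;

	/* kill the process if running */
	$pfile = $g['varrun_path']."/openvpn_{$mode_id}.pid";
	if (file_exists($pfile)) {

		/* read the pid file; it is removed in every case so its
		 * contents cannot be acted on again */
		$pid = trim(file_get_contents($pfile));
		unlink($pfile);

		if (preg_match('/^\d+$/', $pid) && (int)$pid > 0) {
			$pid = (int)$pid;

			/* send a term signal to the process */
			posix_kill($pid, SIGTERM);

			/* wait until the process exits, polling every 250 ms;
			 * give up after 120 polls (~30 s) and force it down */
			for ($polls = 0; posix_kill($pid, 0); $polls++) {
				if ($polls >= 120) {
					posix_kill($pid, SIGKILL);
					break;
				}
				usleep(250000);
			}
		}
	}

	if (isset($settings['disable']))
		return;

	/* start the new process */
	$fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
	mwexec_bg("/usr/local/sbin/openvpn --config {$fpath}");

	if (!$g['booting'])
		send_event("filter reload");
}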
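/*
 * Tear down one instance: stop its daemon, hand the kernel device back
 * under its original name, and remove every file the instance owns under
 * $g['varetc_path']/openvpn/<mode><N>.*
 *
 * $mode is 'server' or 'client'; $settings is the instance's config entry.
 *
 * The device was created by openvpn_reconfigure() as <dev_mode><N>
 * (tun by default) and renamed to ovpns<N>/ovpnc<N>; the same rule is
 * applied here so a tap instance is renamed back to tapN, not tunN.
 * The pid read from the pid file is only used when it is a positive
 * integer, since 0 or a negative value would signal a process group or
 * every process.
 */
function openvpn_delete($mode, & $settings) {
	global $g, $config;

	$vpnid = $settings['vpnid'];
	$mode_id = $mode.$vpnid;

	if (isset($settings['dev_mode']))
		$tunname = "{$settings['dev_mode']}{$vpnid}";
	else
		$tunname = "tun{$vpnid}";
	if ($mode == "server")
		$devname = "ovpns{$vpnid}";
	else
		$devname = "ovpnc{$vpnid}";

	/* kill the process if running */
	$pfile = "{$g['varrun_path']}/openvpn_{$mode_id}.pid";
	if (file_exists($pfile)) {

		/* read the pid file; it is removed in every case */
		$pid = trim(file_get_contents($pfile));
		unlink($pfile);

		/* send a term signal to the process, but never to pid 0 or below */
		if (preg_match('/^\d+$/', $pid) && (int)$pid > 0)
			posix_kill((int)$pid, SIGTERM);
	}

	/* remove the device from the openvpn group */
	mwexec("/sbin/ifconfig {$devname} -group openvpn");

	/* restore the original adapter name */
	mwexec("/sbin/ifconfig {$devname} name {$tunname}");

	/* remove the configuration files (conf, key material, socket, auth
	 * script, proxy credentials) directly instead of via a shell glob */
	$files = glob("{$g['varetc_path']}/openvpn/{$mode_id}.*");
	if (is_array($files)) {
		foreach ($files as $file)
			@unlink($file);
	}
}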
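/*
 * Write (or remove) the client-specific override file for one entry of
 * the client-specific configuration, named after its common name under
 * $g['varetc_path']/openvpn-csc/.
 *
 * A disabled entry has its file removed. Otherwise the file gets the
 * "disable"/"push-reset" flags, an ifconfig-push derived from
 * tunnel_network, the DHCP options from openvpn_add_dhcpopts() (which
 * also emits "redirect-gateway def1" when gwredir is set - the former
 * second copy of that push line here has been dropped), and the custom
 * options.
 *
 * The common name becomes a file name, so a value that is empty or that
 * could leave the openvpn-csc directory ("/" or "..") is refused and
 * nothing is written.
 */
function openvpn_resync_csc(& $settings) {
	global $g, $config;

	$cn = (string)$settings['common_name'];
	if ($cn === '' || $cn === '.' || $cn === '..' || strpos($cn, '/') !== false)
		return;

	$fpath = $g['varetc_path']."/openvpn-csc/".$cn;

	if (isset($settings['disable'])) {
		unlink_if_exists($fpath);
		return;
	}

	$conf = '';
	if ($settings['block'])
		$conf .= "disable\n";

	if ($settings['push_reset'])
		$conf .= "push-reset\n";

	if (!empty($settings['tunnel_network'])) {
		list($ip, $mask) = explode('/', $settings['tunnel_network']);
		$baselong = ip2long32($ip) & gen_subnet_mask_long($mask);
		$ip1 = long2ip32($baselong + 1);
		$ip2 = long2ip32($baselong + 2);
		$conf .= "ifconfig-push {$ip1} {$ip2}\n";
	}

	openvpn_add_dhcpopts($settings, $conf);

	openvpn_add_custom($settings, $conf);

	file_put_contents($fpath, $conf);
	chown($fpath, 'nobody');
	chgrp($fpath, 'nobody');
}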
/*
 * Remove the client-specific override file for one entry, i.e.
 * $g['varetc_path']/openvpn-csc/<common_name>, if it exists.
 */
function openvpn_delete_csc(& $settings) {
	global $g, $config;

	$csc_dir = $g['varetc_path']."/openvpn-csc";
	unlink_if_exists("{$csc_dir}/{$settings['common_name']}");
}
// Resync the configuration and restart the VPN
/*
 * Regenerate the config/key files for one instance and (re)start its
 * daemon. $mode is 'server' or 'client' and $settings is that instance's
 * entry from $config['openvpn']; both are forwarded unchanged to
 * openvpn_reconfigure() and then openvpn_restart().
 */
function openvpn_resync($mode, $settings) {
	openvpn_reconfigure($mode, $settings);
	openvpn_restart($mode, $settings);
}
// Resync and restart all VPNs
722 c7f60193 Ermal
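// Resync (rewrite config + restart) every configured OpenVPN server and
// client, or only those bound to $interface when one is given.  Client-
// specific overrides (openvpn-csc) are always rewritten, regardless of
// $interface.
//
// Returns early, doing nothing, until the openvpn runtime directories
// exist: this can be called during boot before the paths are set up.
//
// A long-dead, commented-out block that generated 1024-bit DH parameters
// used to live here; it was unreachable and 1024-bit DH is no longer
// considered adequate, so it has been dropped rather than kept around.
function openvpn_resync_all($interface = "") {
	global $g, $config;

	// delay our setup until the system has a chance to init our paths
	if (!file_exists($g['varetc_path']."/openvpn") ||
	    !file_exists($g['varetc_path']."/openvpn-csc"))
		return;

	if (!is_array($config['openvpn']))
		$config['openvpn'] = array();

	if ($interface != "")
		log_error("Resyncing OpenVPN instances for interface " . convert_friendly_interface_to_friendly_descr($interface) . ".");
	else
		log_error("Resyncing OpenVPN instances.");

	// openvpn_resync() takes its settings by value, so iterate by value
	// here instead of by reference (the reference bought nothing and left
	// $settings aliased to the last entry after the loop).
	if (is_array($config['openvpn']['openvpn-server'])) {
		foreach ($config['openvpn']['openvpn-server'] as $settings) {
			if ($interface != "" && $interface != $settings['interface'])
				continue;
			openvpn_resync('server', $settings);
		}
	}

	if (is_array($config['openvpn']['openvpn-client'])) {
		foreach ($config['openvpn']['openvpn-client'] as $settings) {
			if ($interface != "" && $interface != $settings['interface'])
				continue;
			openvpn_resync('client', $settings);
		}
	}

	// openvpn_resync_csc() declares its parameter by reference, so keep the
	// by-reference iteration here and drop the alias once the loop is done.
	if (is_array($config['openvpn']['openvpn-csc'])) {
		foreach ($config['openvpn']['openvpn-csc'] as & $settings)
			openvpn_resync_csc($settings);
		unset($settings);
	}
}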
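// Collect the connected-client list of every configured OpenVPN server by
// sending "status 2" to each instance's management socket
// (varetc/openvpn/serverN.sock).
//
// Returns a list of arrays with keys port, mode, name, mgmt (the "serverN"
// id the socket is named after) and conns.  conns is a list of arrays with
// common_name, remote_host, virtual_addr, bytes_recv, bytes_sent and
// connect_time.  A server whose management socket cannot be reached gets a
// single "[error]" placeholder connection so the caller still has
// something to display for it.
//
// NOTE(review): every value placed into conns is copied verbatim from the
// daemon's status output, where fields such as the common name originate
// from the peer's certificate.  Treat them as untrusted and escape them
// before rendering them into HTML.
function openvpn_get_active_servers() {
	global $config, $g;

	$servers = array();
	if (!is_array($config['openvpn']['openvpn-server']))
		return $servers;

	foreach ($config['openvpn']['openvpn-server'] as $settings) {
		$prot = $settings['protocol'];
		$port = $settings['local_port'];

		$server = array();
		$server['port'] = $port;
		$server['mode'] = $settings['mode'];
		if ($settings['description'])
			$server['name'] = "{$settings['description']} {$prot}:{$port}";
		else
			$server['name'] = "Server {$prot}:{$port}";
		$server['conns'] = array();

		$mode_id = "server{$settings['vpnid']}";
		$server['mgmt'] = $mode_id;
		$tcpsrv = "unix://{$g['varetc_path']}/openvpn/{$mode_id}.sock";
		/* stream_socket_client() takes these by reference, so they must be
		 * initialised variables rather than the bare "$errval;" statements
		 * this used to have (which only raised undefined-variable notices) */
		$errval = 0;
		$errstr = '';

		/* A refused connection simply means the instance is not running;
		 * that case is reported via the placeholder entry below, so the
		 * warning is suppressed on purpose. */
		$fp = @stream_socket_client($tcpsrv, $errval, $errstr, 1);
		if ($fp) {
			stream_set_timeout($fp, 1);

			/* ask for the client list */
			fputs($fp, "status 2\n");

			while (!feof($fp)) {
				$line = fgets($fp, 1024);

				$info = stream_get_meta_data($fp);
				if ($line === false || $info['timed_out'])
					break;

				/* The management markers (HEADER, END, ERROR, CLIENT_LIST)
				 * are the first token of their line.  Anchor the match
				 * there: the previous anywhere-in-line strstr() let a peer
				 * whose common name merely contained "END" cut the listing
				 * short and hide every client reported after it. */
				if (strpos($line, "HEADER") === 0)
					continue;
				if (strpos($line, "END") === 0 || strpos($line, "ERROR") === 0)
					break;

				if (strpos($line, "CLIENT_LIST") === 0) {
					$list = explode(",", rtrim($line, "\r\n"));
					/* the seven fields read below must all be present */
					if (count($list) < 7)
						continue;
					$conn = array();
					$conn['common_name'] = $list[1];
					$conn['remote_host'] = $list[2];
					$conn['virtual_addr'] = $list[3];
					$conn['bytes_recv'] = $list[4];
					$conn['bytes_sent'] = $list[5];
					$conn['connect_time'] = $list[6];
					$server['conns'][] = $conn;
				}
			}

			fclose($fp);
		} else {
			$conn = array();
			$conn['common_name'] = "[error]";
			$conn['remote_host'] = "Management Daemon Unreachable";
			$conn['virtual_addr'] = "";
			$conn['bytes_recv'] = 0;
			$conn['bytes_sent'] = 0;
			$conn['connect_time'] = 0;
			$server['conns'][] = $conn;
		}

		$servers[] = $server;
	}

	return $servers;
}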
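// Collect the state of every configured OpenVPN client by querying each
// instance's management socket (varetc/openvpn/clientN.sock): "state 1"
// for the connection state, then "status 2" for byte counters when the
// client reports CONNECTED.
//
// Returns a list of arrays with keys port, name, mgmt, status ("up" or
// "down") and, when available, connect_time, virtual_addr, remote_host,
// bytes_recv and bytes_sent.  An instance whose management socket cannot
// be reached is reported as "down" with placeholder text in remote_host /
// virtual_addr.
//
// The values are copied from the daemon's output; escape them before
// rendering.  (The former $DisplayNote local was never read and is gone.)
function openvpn_get_active_clients() {
	global $config, $g;

	$clients = array();
	if (!is_array($config['openvpn']['openvpn-client']))
		return $clients;

	foreach ($config['openvpn']['openvpn-client'] as $settings) {
		$prot = $settings['protocol'];
		$port = $settings['local_port'];

		$client = array();
		$client['port'] = $port;
		if ($settings['description'])
			$client['name'] = "{$settings['description']} {$prot}:{$port}";
		else
			$client['name'] = "Client {$prot}:{$port}";

		$mode_id = "client{$settings['vpnid']}";
		$client['mgmt'] = $mode_id;
		$tcpcli = "unix://{$g['varetc_path']}/openvpn/{$mode_id}.sock";
		/* taken by reference below, so they must be real variables */
		$errval = 0;
		$errstr = '';

		$client['status'] = "down";

		/* connection refused just means the instance is not running */
		$fp = @stream_socket_client($tcpcli, $errval, $errstr, 1);
		if ($fp) {
			stream_set_timeout($fp, 1);

			/* current state line; fields 0, 3 and 4 are used as the
			 * timestamp, virtual address and remote host */
			fputs($fp, "state 1\n");

			while (!feof($fp)) {
				$line = fgets($fp, 1024);

				$info = stream_get_meta_data($fp);
				if ($line === false || $info['timed_out'])
					break;

				if (strstr($line, "CONNECTED")) {
					$client['status'] = "up";
					$list = explode(",", rtrim($line, "\r\n"));
					if (count($list) >= 5) {
						/* cast: date() wants an int, the field is a string */
						$client['connect_time'] = date("D M j G:i:s Y", (int) $list[0]);
						$client['virtual_addr'] = $list[3];
						$client['remote_host'] = $list[4];
					}
				}
				/* END/ERROR are the first token of their line; matching them
				 * anywhere in the line risked stopping on unrelated content */
				if (strpos($line, "END") === 0 || strpos($line, "ERROR") === 0)
					break;
			}

			/* If up, get read/write stats */
			if ($client['status'] === "up") {
				fputs($fp, "status 2\n");

				while (!feof($fp)) {
					$line = fgets($fp, 1024);

					$info = stream_get_meta_data($fp);
					if ($line === false || $info['timed_out'])
						break;

					/* the counter is the last field, so strip the line
					 * terminator or it ends up inside the stored value */
					if (strpos($line, "TCP/UDP read bytes") === 0) {
						$list = explode(",", rtrim($line, "\r\n"));
						if (isset($list[1]))
							$client['bytes_recv'] = $list[1];
					}

					if (strpos($line, "TCP/UDP write bytes") === 0) {
						$list = explode(",", rtrim($line, "\r\n"));
						if (isset($list[1]))
							$client['bytes_sent'] = $list[1];
					}

					if (strpos($line, "END") === 0 || strpos($line, "ERROR") === 0)
						break;
				}
			}

			fclose($fp);
		} else {
			$client['remote_host'] = "No Management Daemon";
			$client['virtual_addr'] = "See Note Below";
			$client['bytes_recv'] = 0;
			$client['bytes_sent'] = 0;
			$client['connect_time'] = 0;
		}

		$clients[] = $client;
	}

	return $clients;
}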
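// Rewrite the crl-verify file of every enabled TLS-mode server that
// references a CRL (varetc/openvpn/serverN.crl-verify), using the current
// CRL text from the certificate manager.
//
// Problems are logged via log_error() and leave the existing file on disk
// untouched.  Previously a dangling crlref, or a CRL without text, fell
// through to file_put_contents() and replaced the on-disk CRL with an
// empty file; the last good CRL is now kept instead.  The file is written
// to a temporary name and renamed into place so that a reader (the daemon
// is presumed to re-read it at handshake time; not visible here) never
// sees a half-written CRL.
function openvpn_refresh_crls() {
	global $g, $config;

	if (!file_exists($g['varetc_path']."/openvpn"))
		return;

	if (!is_array($config['openvpn']['openvpn-server']))
		return;

	// only these modes carry a CRL; every other mode is skipped, as before
	$crl_modes = array('p2p_tls', 'server_tls', 'server_tls_user', 'server_user');

	foreach ($config['openvpn']['openvpn-server'] as $settings) {
		if (empty($settings) || isset($settings['disable']))
			continue;

		$mode = isset($settings['mode']) ? $settings['mode'] : '';
		if (!in_array($mode, $crl_modes, true))
			continue;

		if (empty($settings['crlref']))
			continue;

		$crl = lookup_crl($settings['crlref']);
		if (!is_array($crl)) {
			log_error("OpenVPN server {$settings['vpnid']}: CRL '{$settings['crlref']}' not found, leaving crl-verify file unchanged.");
			continue;
		}

		// keep the original order: update first, then read the text back
		crl_update($crl);

		// strict decoding rejects anything outside the base64 alphabet
		// (whitespace is still skipped) instead of silently dropping bytes
		$pem = isset($crl['text']) ? base64_decode($crl['text'], true) : false;
		if ($pem === false || $pem === '') {
			log_error("OpenVPN server {$settings['vpnid']}: CRL '{$settings['crlref']}' has no usable text, leaving crl-verify file unchanged.");
			continue;
		}

		$fpath = $g['varetc_path']."/openvpn/server{$settings['vpnid']}.crl-verify";
		$tmp = "{$fpath}.tmp";

		if (file_put_contents($tmp, $pem) === false) {
			log_error("OpenVPN server {$settings['vpnid']}: could not write {$tmp}.");
			@unlink($tmp);
			continue;
		}

		// A CRL is public data; 0644 lets the (unprivileged) daemon read it.
		// Set the mode before the rename so the final path never has a
		// transient mode.
		@chmod($tmp, 0644);

		// rename within one directory is atomic on POSIX filesystems
		if (!@rename($tmp, $fpath)) {
			log_error("OpenVPN server {$settings['vpnid']}: could not move {$tmp} into place.");
			@unlink($tmp);
		}
	}
}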
?>