<?php
2 b1ad443d Scott Ullrich
3
/* $Id$ */
4
/*
5
	$RCSfile$
6 33ab8aa5 Scott Ullrich
	
7
	Copyright (C) 2008 Scott Ullrich <sullrich@gmail.com>
8
	All rights reserved.
9
	
10 b1ad443d Scott Ullrich
	Copyright (C) 2006  Fernando Lemos
11
	All rights reserved.
12
13 33ab8aa5 Scott Ullrich
	This file was rewritten from scratch by Fernando Lemos but
14
	*MIGHT* contain code previously written by:
15
16 b1ad443d Scott Ullrich
	Copyright (C) 2005 Peter Allgeyer <allgeyer_AT_web.de>
17
	All rights reserved.
18
19
	Copyright (C) 2004 Peter Curran (peter@closeconsultants.com).
20
	All rights reserved.
21
22
	Redistribution and use in source and binary forms, with or without
23
	modification, are permitted provided that the following conditions are met:
24
25
	1. Redistributions of source code must retain the above copyright notices,
26
	   this list of conditions and the following disclaimer.
27
28
	2. Redistributions in binary form must reproduce the above copyright
29
	   notices, this list of conditions and the following disclaimer in the
30
	   documentation and/or other materials provided with the distribution.
31
32
	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
33
	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
34
	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
35
	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
36
	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
37
	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
38
	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
39
	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
40
	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
41
	POSSIBILITY OF SUCH DAMAGE.
42 523855b0 Scott Ullrich
	
43
	DISABLE_PHP_LINT_CHECKING
44
	
45
	pfSense_BUILDER_BINARIES:	/usr/local/sbin/openvpn	/usr/bin/openssl	/sbin/ifconfig
46
	pfSense_MODULE:	openvpn
47 b1ad443d Scott Ullrich
48 523855b0 Scott Ullrich
*/
49 8dc3ef67 Scott Ullrich
require_once('config.inc');
50 32a7a1f6 Ermal Lu?i
require_once("certs.inc");
51 36df0acc Scott Ullrich
require_once('pfsense-utils.inc');
52 c61e4626 Ermal Lu?i
require_once("auth.inc");
/* Transport protocols offered in the UI. openvpn_reconfigure() compares
 * $settings['protocol'] against "UDP" to pick "udp" vs "tcp-{mode}". */
$openvpn_prots = array(
	"UDP",
	"TCP",
);

/* Interface types. The value is also the prefix of the kernel device node
 * (tunN / tapN) before it is renamed to ovpnsN / ovpncN. */
$openvpn_dev_mode = array(
	"tun",
	"tap",
);

/*
 * Historical note (-mgrooms): the "User Auth" server mode was at one point
 * left out of the mode list because OpenVPN insists on a CA parameter even
 * though, in that mode, clients send no certificate, which made the UI
 * requirement to pick a CA confusing. The 'server_user' entry is present
 * today; openvpn_reconfigure() still writes a "ca" file for it.
 */

/* Diffie-Hellman parameter sizes selectable for servers. A pre-generated
 * file dh-parameters.<bits> is expected under $g['etc_path'] for each.
 * 1024 is below current guidance (2048 or more) and is kept only so that
 * existing configurations keep working. */
$openvpn_dh_lengths = array(
	1024,
	2048,
	4096,
);

/* Maximum certificate chain depth accepted by the tls-verify hook
 * (value => UI label). */
$openvpn_cert_depths = array(
	1 => "One (Client+Server)",
	2 => "Two (Client+Intermediate+Server)",
	3 => "Three (Client+2xIntermediate+Server)",
	4 => "Four (Client+3xIntermediate+Server)",
	5 => "Five (Client+4xIntermediate+Server)",
);

/* Server operating modes (config value => UI label). The value is what
 * openvpn_reconfigure() switches on; "p2p_*" modes get a point-to-point
 * ifconfig, "server_*" modes get the "server" directive and client-config-dir. */
$openvpn_server_modes = array(
	'p2p_tls'         => "Peer to Peer ( SSL/TLS )",
	'p2p_shared_key'  => "Peer to Peer ( Shared Key )",
	'server_tls'      => "Remote Access ( SSL/TLS )",
	'server_user'     => "Remote Access ( User Auth )",
	'server_tls_user' => "Remote Access ( SSL/TLS + User Auth )",
);

/* Client operating modes (config value => UI label). */
$openvpn_client_modes = array(
	'p2p_tls'        => "Peer to Peer ( SSL/TLS )",
	'p2p_shared_key' => "Peer to Peer ( Shared Key )",
);
/**
 * Generate a fresh OpenVPN static (shared) key.
 *
 * Runs "openvpn --genkey" and captures the key text from stdout; stderr is
 * discarded.
 *
 * @return string|false  the key text, or false if popen() could not start
 *                       the shell. Note that a missing or failing openvpn
 *                       binary typically still yields a successful popen()
 *                       and therefore an empty string, not false; callers
 *                       should treat an empty result as a failure as well.
 */
function openvpn_create_key() {
	$cmd = "/usr/local/sbin/openvpn --genkey --secret /dev/stdout 2>/dev/null";
	$proc = popen($cmd, "r");
	if ($proc === false)
		return false;

	$key = stream_get_contents($proc);
	pclose($proc);

	return $key;
}
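/**
 * Generate Diffie-Hellman parameters of the requested size.
 *
 * @param int|string $bits  modulus size in bits (e.g. 1024, 2048, 4096)
 * @return string|false     PEM-encoded DH parameters; false when $bits is not
 *                          a plain positive decimal integer or when popen()
 *                          could not start the shell. As with
 *                          openvpn_create_key(), a failing openssl leaves an
 *                          empty string rather than false.
 *
 * $bits is interpolated into a shell command line, so it is now checked to
 * be a bare positive integer first. The original passed any string straight
 * through to /bin/sh.
 */
function openvpn_create_dhparams($bits) {
	// Only digits may reach the command line; this also rejects 0 and
	// leading-zero forms.
	if (!preg_match('/^[1-9][0-9]*$/', (string) $bits))
		return false;

	$fp = popen("/usr/bin/openssl dhparam {$bits} 2>/dev/null", "r");
	if (!$fp)
		return false;

	$rslt = stream_get_contents($fp);
	pclose($fp);

	return $rslt;
}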
/**
 * Report whether a vpnid is already taken by any configured server or
 * client instance.
 *
 * The comparison is deliberately loose (==): values read back from the
 * stored config may arrive as strings.
 *
 * @param int|string $vpnid
 * @return bool
 */
function openvpn_vpnid_used($vpnid) {
	global $config;

	foreach (array('openvpn-server', 'openvpn-client') as $section) {
		if (!is_array($config['openvpn'][$section]))
			continue;
		foreach ($config['openvpn'][$section] as $instance) {
			if ($vpnid == $instance['vpnid'])
				return true;
		}
	}

	return false;
}
/**
 * Lowest vpnid, counting up from 1, not yet used by any server or client
 * instance (see openvpn_vpnid_used()). vpnids are never 0.
 *
 * @return int
 */
function openvpn_vpnid_next() {
	for ($candidate = 1; openvpn_vpnid_used($candidate); $candidate++) {
		/* keep counting */
	}
	return $candidate;
}
/**
 * Find an enabled server or client instance already bound to $prot/$port.
 *
 * @param string     $prot  "UDP" or "TCP", compared loosely to $settings['protocol']
 * @param int|string $port  local port, compared loosely to $settings['local_port']
 * @return int|string  the vpnid of the first matching enabled instance, or 0
 *                     when nothing uses the port. Disabled instances are
 *                     ignored. Callers testing the result for truth rely on
 *                     vpnids starting at 1 (see openvpn_vpnid_next()).
 */
function openvpn_port_used($prot, $port) {
	global $config;

	foreach (array('openvpn-server', 'openvpn-client') as $section) {
		if (!is_array($config['openvpn'][$section]))
			continue;
		foreach ($config['openvpn'][$section] as $instance) {
			if (isset($instance['disable']))
				continue;
			if ($port == $instance['local_port'] && $prot == $instance['protocol'])
				return $instance['vpnid'];
		}
	}

	return 0;
}
/**
 * First port, counting up from 1194, that no enabled instance already uses
 * for protocol $prot (see openvpn_port_used()).
 *
 * @param string $prot  "UDP" or "TCP"
 * @return int
 */
function openvpn_port_next($prot) {
	for ($candidate = 1194; openvpn_port_used($prot, $candidate); $candidate++) {
		/* keep counting */
	}
	return $candidate;
}
/**
 * Build the cipher list offered in the UI from the local OpenVPN binary.
 *
 * Parses "openvpn --show-ciphers", keeping only lines containing
 * "default key" and reducing each to "NAME (field2-field3)" with awk. The
 * returned array maps cipher name => display label, sorted by the raw awk
 * line. A final "none" entry is always appended; choosing it disables
 * encryption of tunnel traffic entirely, so it is a deliberate operator
 * decision rather than a default.
 *
 * @return array<string,string>
 */
function openvpn_get_cipherlist() {
	$awk = '\'{print $1, "(" $2 "-" $3 ")";}\'';
	$raw = shell_exec('/usr/local/sbin/openvpn --show-ciphers | /usr/bin/grep "default key" | /usr/bin/awk ' . $awk);

	$lines = explode("\n", trim($raw));
	sort($lines);

	$ciphers = array();
	foreach ($lines as $entry) {
		$fields = explode(' ', $entry);
		$ciphers[$fields[0]] = "{$fields[0]} {$fields[1]}";
	}
	$ciphers["none"] = "None (No Encryption)";

	return $ciphers;
}
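/**
 * List the OpenSSL engines available for OpenVPN's "engine" directive.
 *
 * Runs "openssl engine" and parses each "(id) description" line. The id
 * "dynamic" (the loader pseudo-engine) is skipped. The result always starts
 * with a 'none' entry meaning no hardware acceleration.
 *
 * Lines that do not match the "(id) description" shape are now ignored.
 * Previously an unmatched line produced an undefined-index notice and a
 * bogus entry with an empty key.
 *
 * @return array<string,string>  engine id => human-readable description
 */
function openvpn_get_engines() {
	$openssl_engines = array('none' => 'No Hardware Crypto Acceleration');
	$openssl_engine_output = array();
	exec("/usr/bin/openssl engine", $openssl_engine_output);
	foreach ($openssl_engine_output as $oeo) {
		$linematch = array();
		// Expected shape: "(rdrand) Intel RDRAND engine"
		if (!preg_match("/\((.*)\)\s(.*)/", $oeo, $linematch))
			continue;
		if ($linematch[1] != "dynamic")
			$openssl_engines[$linematch[1]] = $linematch[2];
	}
	return $openssl_engines;
}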
/**
 * True when $engine is one of the ids returned by openvpn_get_engines()
 * (which always includes 'none').
 *
 * @param string $engine
 * @return bool
 */
function openvpn_validate_engine($engine) {
	return array_key_exists($engine, openvpn_get_engines());
}
/**
 * Validate a hostname-or-IP field.
 *
 * @param string $value  user input; surrounding whitespace is ignored
 * @param string $name   field label used in the error message
 * @return string|false  an error message when the trimmed value is empty or
 *                       is accepted by neither is_domain() nor is_ipaddr();
 *                       false when it is acceptable.
 */
function openvpn_validate_host($value, $name) {
	$host = trim($value);
	$acceptable = !empty($host) && (is_domain($host) || is_ipaddr($host));
	if ($acceptable)
		return false;
	return "The field '$name' must contain a valid IP address or domain name.";
}
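/**
 * Validate a port field.
 *
 * @param string $value  user input; surrounding whitespace is ignored
 * @param string $name   field label used in the error message
 * @return string|false  an error message unless the value is a plain decimal
 *                       integer no larger than 65535; false when acceptable.
 *
 * The original used is_numeric(), which also accepts forms such as "12.5",
 * "1e3" or "0x1A" -- those then landed verbatim in the generated "lport"
 * directive. Only digit strings are accepted now.
 *
 * NOTE(review): empty() also rejects the literal "0" although the message
 * advertises a 0..65535 range. Kept as-is pending confirmation that no
 * caller relies on typing 0 here; the client path already emits "lport 0"
 * by itself when the port is left blank.
 */
function openvpn_validate_port($value, $name) {
	$value = trim((string) $value);
	if (empty($value) || !preg_match('/^[0-9]+$/', $value) || (int) $value > 65535)
		return "The field '$name' must contain a valid port, ranging from 0 to 65535.";
	return false;
}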
/**
 * Validate an optional "address/prefix" field.
 *
 * @param string $value  user input; surrounding whitespace is ignored
 * @param string $name   field label used in the error message
 * @return string|false  false when the field is empty (allowed) or holds an
 *                       address accepted by is_ipaddr() followed by a numeric
 *                       prefix length in 0..32; otherwise an error message.
 *                       Prefix lengths above 32 are rejected regardless of
 *                       address family.
 */
function openvpn_validate_cidr($value, $name) {
	$value = trim($value);
	if (empty($value))
		return false;	// an empty field is acceptable

	$parts = explode('/', $value);
	$ip = $parts[0];
	$mask = isset($parts[1]) ? $parts[1] : null;	// missing prefix fails is_numeric()
	if (!is_ipaddr($ip) || !is_numeric($mask) || $mask > 32 || $mask < 0)
		return "The field '$name' must contain a valid CIDR range.";
	return false;
}
/**
 * Append "push dhcp-option ..." lines (and the gateway redirect) for the
 * values present in $settings.
 *
 * Used both for a server's global settings (openvpn_reconfigure()) and for
 * per-client overrides (openvpn_resync_csc()). Emission order is fixed:
 * DOMAIN, DNS x4, NTP x2, then -- only when 'netbios_enable' is set -- NBT,
 * NBS, WINS x2, NBDD, and finally "redirect-gateway def1" when 'gwredir'
 * is set. Empty values are skipped; an NBT node type of 0 is treated as
 * "not set".
 *
 * NOTE(review): values are interpolated inside a double-quoted push
 * argument as-is. A value containing a double quote or a newline would end
 * the directive early and inject further config lines; this assumes the UI
 * has validated them as addresses/names before they are stored -- confirm.
 *
 * @param array  $settings  server or client-override settings (read only)
 * @param string $conf      configuration text being built (appended to)
 */
function openvpn_add_dhcpopts(& $settings, & $conf) {
	// settings key => dhcp-option name, in emission order
	$plain_options = array(
		'dns_domain'  => 'DOMAIN',
		'dns_server1' => 'DNS',
		'dns_server2' => 'DNS',
		'dns_server3' => 'DNS',
		'dns_server4' => 'DNS',
		'ntp_server1' => 'NTP',
		'ntp_server2' => 'NTP',
	);
	foreach ($plain_options as $key => $option) {
		if (!empty($settings[$key]))
			$conf .= "push \"dhcp-option {$option} {$settings[$key]}\"\n";
	}

	if ($settings['netbios_enable']) {
		// node type 0 means "unset" and is not pushed
		if (!empty($settings['dhcp_nbttype']) && ($settings['dhcp_nbttype'] != 0))
			$conf .= "push \"dhcp-option NBT {$settings['dhcp_nbttype']}\"\n";

		$netbios_options = array(
			'dhcp_nbtscope' => 'NBS',
			'wins_server1'  => 'WINS',
			'wins_server2'  => 'WINS',
			'nbdd_server1'  => 'NBDD',
		);
		foreach ($netbios_options as $key => $option) {
			if (!empty($settings[$key]))
				$conf .= "push \"dhcp-option {$option} {$settings[$key]}\"\n";
		}
	}

	if ($settings['gwredir'])
		$conf .= "push \"redirect-gateway def1\"\n";
}
/**
 * Append the administrator's free-form "custom options" to the config.
 *
 * The field is split on ';' and every piece is written as its own line,
 * untrimmed, exactly as typed. Nothing is validated or escaped: this is a
 * deliberate raw passthrough into the OpenVPN configuration, so whoever can
 * edit this field controls the daemon's full option set (including up/down
 * script hooks, and the daemon runs as root here because the user/group
 * drop is commented out in openvpn_reconfigure()).
 *
 * @param array  $settings  instance or client-override settings (read only)
 * @param string $conf      configuration text being built (appended to)
 */
function openvpn_add_custom(& $settings, & $conf) {
	if (!$settings['custom_options'])
		return;

	// explode() with a non-empty delimiter always yields an array, so a
	// field without ';' simply becomes a single line.
	foreach (explode(';', $settings['custom_options']) as $line)
		$conf .= "$line\n";
}
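/**
 * Write a key/cert/CRL blob to disk and reference it from the config.
 *
 * @param string $data       base64-encoded file contents as stored in the config
 * @param string $conf       configuration text being built (appended to)
 * @param string $mode_id    instance id such as "server1" / "client2"; part of the file name
 * @param string $directive  OpenVPN directive (ca, cert, key, secret, tls-auth,
 *                           crl-verify); also used as the file extension
 * @param string $opt        optional trailing argument (e.g. tls-auth key direction)
 *
 * The file is created mode 0600 from the start: the process umask is
 * tightened around file_put_contents(), so private material is never
 * world-readable even briefly. The original wrote first and chmod'ed
 * afterwards, leaving a window governed by the inherited umask. The explicit
 * chmod is kept so files that already existed with a looser mode are fixed
 * too. An empty $data still produces an (empty) file that the directive
 * points at.
 */
function openvpn_add_keyfile(& $data, & $conf, $mode_id, $directive, $opt = "") {
	global $g;

	$fpath = $g['varetc_path']."/openvpn/{$mode_id}.{$directive}";

	$old_umask = umask(077);
	file_put_contents($fpath, base64_decode($data));
	umask($old_umask);
	// pre-existing files keep their old mode through file_put_contents()
	@chmod($fpath, 0600);

	$conf .= "{$directive} {$fpath} {$opt}\n";
}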
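/**
 * Generate the OpenVPN configuration file for one server or client instance.
 *
 * @param string $mode      "server" or "client"; selects the ovpns/ovpnc device
 *                          name, the proto suffix (tcp-server / tcp-client) and
 *                          which directive groups are emitted
 * @param array  $settings  the instance's configuration: vpnid, mode, protocol,
 *                          crypto, interface/ipaddr, tunnel_network, key
 *                          references (caref/certref/crlref/shared_key/tls), ...
 *
 * Side effects: creates the tun/tap device if needed, renames it to
 * ovpnsN/ovpncN and adds it to the "openvpn" interface group; writes
 * {varetc}/openvpn/<mode_id>.conf, the key material (via
 * openvpn_add_keyfile()), the generated auth-user / tls-verify PHP hooks
 * and, for an authenticated HTTP proxy, <mode_id>.pas. Nothing is started
 * here -- see openvpn_restart(). Disabled or empty settings return at once.
 *
 * Security-relevant properties of the generated config:
 *  - "user/group nobody" are commented out, so the daemon keeps running as
 *    root. "script-security 3" is required for "auth-user-pass-verify ...
 *    via-env" and lets the daemon hand the user's password to that hook
 *    through its environment.
 *  - The auth-user and tls-verify hooks are produced by splicing values from
 *    $settings (auth server names, cert_depth) and the server certificate's
 *    CN into PHP source through a shell "sed" command, without escaping. A
 *    value containing quote, slash, semicolon or newline characters breaks
 *    the sed expression and/or the generated PHP, which OpenVPN then runs as
 *    root. These values are assumed to be administrator-controlled
 *    (UI-validated names; locally issued or imported certificates).
 *    TODO(review): confirm, or escape before splicing.
 *
 * Changes over the original:
 *  - the proxy credentials file <mode_id>.pas (plaintext user and password)
 *    is now created 0600; previously it kept whatever the umask allowed.
 *  - the final chmod list covers .secret and .pas instead of chmod'ing
 *    .conf twice.
 *  - the unused local $dev_mode was removed.
 */
function openvpn_reconfigure($mode, $settings) {
	global $g, $config;

	if (empty($settings))
		return;
	if (isset($settings['disable']))
		return;

	/*
	 * NOTE: Deleting tap devices causes spontaneous reboots. Instead,
	 * we use a vpnid number which is allocated for a particular client
	 * or server configuration. ( see openvpn_vpnid_next() )
	 */

	$vpnid = $settings['vpnid'];
	$mode_id = $mode.$vpnid;

	/* kernel device node name; "tun" when the instance predates dev_mode */
	if (isset($settings['dev_mode']))
		$tunname = "{$settings['dev_mode']}{$vpnid}";
	else {	/* defaults to tun */
		$tunname = "tun{$vpnid}";
		$settings['dev_mode'] = "tun";
	}

	/* stable interface name the rest of the system refers to */
	if ($mode == "server")
		$devname = "ovpns{$vpnid}";
	else
		$devname = "ovpnc{$vpnid}";

	/* is our device already configured (ifconfig exits non-zero if not) */
	if (mwexec("/sbin/ifconfig {$devname}")) {

		/* create the tun/tap device if required */
		if (!file_exists("/dev/{$tunname}"))
			exec("/sbin/ifconfig {$tunname} create");

		/* rename the device */
		mwexec("/sbin/ifconfig {$tunname} name {$devname}");

		/* add the device to the openvpn group */
		mwexec("/sbin/ifconfig {$devname} group openvpn");
	}

	$pfile = $g['varrun_path'] . "/openvpn_{$mode_id}.pid";
	$proto = ($settings['protocol'] == 'UDP' ? 'udp' : "tcp-{$mode}");
	$cipher = $settings['crypto'];

	$interface = $settings['interface'];
	$ipaddr = $settings['ipaddr'];

	// If a specific ip address (VIP) is requested, use it.
	// Otherwise, if a specific interface is requested, use its address.
	// If "any" interface was selected, the local directive is omitted.
	if (!empty($ipaddr)) {
		$iface_ip = $ipaddr;
	} else {
		if ((!empty($interface)) && (strcmp($interface, "any"))) {
			$iface_ip = get_interface_ip($interface);
		}
	}

	$conf  = "dev {$devname}\n";
	$conf .= "dev-type {$settings['dev_mode']}\n";
	$conf .= "dev-node /dev/{$tunname}\n";
	$conf .= "writepid {$pfile}\n";
	// privilege drop disabled: the daemon stays root (see header note)
	$conf .= "#user nobody\n";
	$conf .= "#group nobody\n";
	// level 3 is needed for auth-user-pass-verify ... via-env below
	$conf .= "script-security 3\n";
	$conf .= "daemon\n";
	$conf .= "keepalive 10 60\n";
	$conf .= "ping-timer-rem\n";
	$conf .= "persist-tun\n";
	$conf .= "persist-key\n";
	$conf .= "proto {$proto}\n";
	$conf .= "cipher {$cipher}\n";
	$conf .= "up /usr/local/sbin/ovpn-linkup\n";
	$conf .= "down /usr/local/sbin/ovpn-linkdown\n";

	if (!empty($iface_ip)) {
		$conf .= "local {$iface_ip}\n";
	}

	// only engines the local openssl actually reports are accepted
	if (openvpn_validate_engine($settings['engine']) && ($settings['engine'] != "none"))
		$conf .= "engine {$settings['engine']}\n";

	// server specific settings
	if ($mode == 'server') {

		list($ip, $cidr) = explode('/', $settings['tunnel_network']);
		$mask = gen_subnet_mask($cidr);

		// configure tls modes
		switch($settings['mode']) {
			case 'p2p_tls':
			case 'server_tls':
			case 'server_user':
			case 'server_tls_user':
				$conf .= "tls-server\n";
				break;
		}

		// configure p2p/server modes
		switch($settings['mode']) {
			case 'p2p_tls':
				// If the CIDR is less than a /30, OpenVPN will complain if you try to
				//  use the server directive. It works for a single client without it.
				//  See ticket #1417
				if ($cidr < 30) {
					$conf .= "server {$ip} {$mask}\n";
					$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
				}
				// falls through: a p2p_tls server also gets the static ifconfig
			case 'p2p_shared_key':
				// first two host addresses of the tunnel network: server .1, peer .2
				$baselong = ip2long32($ip) & ip2long($mask);
				$ip1 = long2ip32($baselong + 1);
				$ip2 = long2ip32($baselong + 2);
				$conf .= "ifconfig $ip1 $ip2\n";
				break;
			case 'server_tls':
			case 'server_user':
			case 'server_tls_user':
				$conf .= "server {$ip} {$mask}\n";
				$conf .= "client-config-dir {$g['varetc_path']}/openvpn-csc\n";
				break;
		}

		// configure user auth modes
		switch($settings['mode']) {
			case 'server_user':
				// password-only mode: clients present no certificate at all
				$conf .= "client-cert-not-required\n";
				// falls through: both user-auth modes share the hook below
			case 'server_tls_user':
				$conf .= "username-as-common-name\n";
				if (!empty($settings['authmode'])) {
					// Build the PHP snippet spliced into openvpn.auth-user.php at
					// "//<template>". $authcfg values go into the shell command and
					// into PHP source unescaped -- see the header note.
					$authcfgs = explode(",", $settings['authmode']);
					$sed = "\$authmodes=array(";
					$firstsed = 0;
					foreach ($authcfgs as $authcfg) {
						if ($firstsed > 0)
							$sed .= ",";
						$firstsed = 1;
						$sed .= "\"{$authcfg}\"";
					}
					$sed .= ");\\\n";
					if ($settings['strictusercn'])
						$sed .= "\$strictusercn = true;";
					$sed .= " \$modeid = \"{$mode_id}\";";
					mwexec("/bin/cat /etc/inc/openvpn.auth-user.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' >  {$g['varetc_path']}/openvpn/{$mode_id}.php");
					mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.php");
					$conf .= "auth-user-pass-verify {$g['varetc_path']}/openvpn/{$mode_id}.php via-env\n";
				}
				break;
		}
		// TLS modes always get chain-depth checking; default depth 1 (client
		// signed directly by the CA) when the UI stored none.
		if (!isset($settings['cert_depth']) && (strstr($settings['mode'], 'tls')))
			$settings['cert_depth'] = 1;
		if (is_numeric($settings['cert_depth'])) {
			// The server certificate's CN is spliced into the tls-verify hook
			// unescaped (see header note); the hook rejects clients whose
			// certificate carries the server's own CN or exceeds the depth.
			$sed = "";
			$cert = lookup_cert($settings['certref']);
			$servercn = cert_get_cn($cert['crt']);
			$sed .= "\$server_cn = \"{$servercn}\";\\\n";
			$sed .= "\$allowed_depth = {$settings['cert_depth']};\\\n";
			mwexec("/bin/cat /etc/inc/openvpn.tls-verify.php | /usr/bin/sed 's/\/\/<template>/{$sed}/g' >  {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php");
			mwexec("/bin/chmod a+x {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php");
			$conf .= "tls-verify {$g['varetc_path']}/openvpn/{$mode_id}.tls-verify.php\n";
		}

		// The local port to listen on
		$conf .= "lport {$settings['local_port']}\n";

		// The management interface: a unix socket rather than a TCP port, so
		// it is reachable only by local processes that can open the socket file.
		$conf .= "management {$g['varetc_path']}/openvpn/{$mode_id}.sock unix\n";

		if ($settings['maxclients'])
			$conf .= "max-clients {$settings['maxclients']}\n";

		// Route for the local network pushed to clients
		if ($settings['local_network']) {
			list($ip, $mask) = explode('/', $settings['local_network']);
			$mask = gen_subnet_mask($mask);
			$conf .= "push \"route $ip $mask\"\n";
		}

		switch($settings['mode']) {
			case 'server_tls':
			case 'server_user':
			case 'server_tls_user':
				// Configure client dhcp options
				openvpn_add_dhcpopts($settings, $conf);
				if ($settings['client2client'])
					$conf .= "client-to-client\n";
				break;
		}
		// duplicate-cn lets several clients share one certificate CN
		if (isset($settings['duplicate_cn']))
			$conf .= "duplicate-cn\n";
	}

	// client specific settings

	if ($mode == 'client') {

		// configure p2p mode
		// NOTE(review): the client mode list uses 'p2p_shared_key', so the
		// 'shared_key' case below never matches and shared-key clients get no
		// "client" directive. That is plausibly intended ("client" implies
		// tls-client/pull, which static-key mode does not use) -- confirm.
		switch($settings['mode']) {
			case 'p2p_tls':
				$conf .= "tls-client\n";
			case 'shared_key':
				$conf .= "client\n";
				break;
		}

		// If there is no bind option at all (ip and/or port), add "nobind" directive
		//  Otherwise, use the local port if defined, failing that, use lport 0 to
		//  ensure a random source port.
		if ((empty($iface_ip)) && (!$settings['local_port']))
			$conf .= "nobind\n";
		elseif ($settings['local_port'])
			$conf .= "lport {$settings['local_port']}\n";
		else
			$conf .= "lport 0\n";

		// Management interface on a unix socket (see the server branch)
		$conf .= "management {$g['varetc_path']}/openvpn/{$mode_id}.sock unix\n";

		// The remote server
		$conf .= "remote {$settings['server_addr']} {$settings['server_port']}\n";

		if (!empty($settings['use_shaper']))
			$conf .= "shaper {$settings['use_shaper']}\n";

		// mirror image of the server's p2p ifconfig: client .2, server .1
		if (!empty($settings['tunnel_network'])) {
			list($ip, $mask) = explode('/', $settings['tunnel_network']);
			$mask = gen_subnet_mask($mask);
			$baselong = ip2long32($ip) & ip2long($mask);
			$ip1 = long2ip32($baselong + 1);
			$ip2 = long2ip32($baselong + 2);
			$conf .= "ifconfig $ip2 $ip1\n";
		}

		if ($settings['proxy_addr']) {
			$conf .= "http-proxy {$settings['proxy_addr']} {$settings['proxy_port']}";
			if ($settings['proxy_authtype'] != "none") {
				$conf .= " {$g['varetc_path']}/openvpn/{$mode_id}.pas {$settings['proxy_authtype']}";
				// plaintext credentials file: user on line 1, password on line 2,
				// created 0600 (umask tightened so there is no readable window)
				$proxypas = "{$settings['proxy_user']}\n";
				$proxypas .= "{$settings['proxy_passwd']}\n";
				$pasfile = "{$g['varetc_path']}/openvpn/{$mode_id}.pas";
				$old_umask = umask(077);
				file_put_contents($pasfile, $proxypas);
				umask($old_umask);
				@chmod($pasfile, 0600);
			}
			$conf .= " \n";
		}
	}

	// Add a remote network route if set, and only for p2p modes.
	if ((substr($settings['mode'], 0, 3) == "p2p") && is_subnet($settings['remote_network'])) {
		list($ip, $mask) = explode('/', $settings['remote_network']);
		$mask = gen_subnet_mask($mask);
		$conf .= "route $ip $mask\n";
	}

	// Write the settings for the keys
	switch($settings['mode']) {
		case 'p2p_shared_key':
			openvpn_add_keyfile($settings['shared_key'], $conf, $mode_id, "secret");
			break;
		case 'p2p_tls':
		case 'server_tls':
		case 'server_tls_user':
		case 'server_user':
			// a CA is written even for server_user, where clients send no cert
			$ca = lookup_ca($settings['caref']);
			openvpn_add_keyfile($ca['crt'], $conf, $mode_id, "ca");
			$cert = lookup_cert($settings['certref']);
			openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
			openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
			// pre-generated DH parameters, one file per supported length
			if ($mode == 'server')
				$conf .= "dh {$g['etc_path']}/dh-parameters.{$settings['dh_length']}\n";
			if (!empty($settings['crlref'])) {
				$crl = lookup_crl($settings['crlref']);
				crl_update($crl);
				openvpn_add_keyfile($crl['text'], $conf, $mode_id, "crl-verify");
			}
			// tls-auth key direction: 0 on the server, 1 on the client
			if ($settings['tls']) {
				if ($mode == "server")
					$tlsopt = 0;
				else
					$tlsopt = 1;
				openvpn_add_keyfile($settings['tls'], $conf, $mode_id, "tls-auth", $tlsopt);
			}
			break;
	}

	if ($settings['compression'])
		$conf .= "comp-lzo\n";

	if ($settings['passtos'])
		$conf .= "passtos\n";

	if ($settings['resolve_retry'])
		$conf .= "resolv-retry infinite\n";

	if ($settings['dynamic_ip']) {
		$conf .= "persist-remote-ip\n";
		$conf .= "float\n";
	}

	// free-form options go last, unvalidated (see openvpn_add_custom())
	openvpn_add_custom($settings, $conf);

	$fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
	file_put_contents($fpath, $conf);
	// belt and braces: the key files are already 0600 from openvpn_add_keyfile()
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.conf", 0600);
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.key", 0600);
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.tls-auth", 0600);
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.secret", 0600);
	@chmod("{$g['varetc_path']}/openvpn/{$mode_id}.pas", 0600);
}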
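/**
 * Stop a running instance (if any) and start it again from its .conf.
 *
 * @param string $mode      "server" or "client"
 * @param array  $settings  the instance's configuration (needs 'vpnid';
 *                          honours 'disable' and 'interface')
 *
 * Sequence: read the pid file written via "writepid", SIGTERM that process
 * and wait for it to exit; then, unless the instance is disabled or bound
 * to a CARP VIP currently in BACKUP state, launch openvpn in the background
 * and request a filter reload (skipped while booting).
 *
 * Changes over the original:
 *  - the pid read from the file is validated as a positive integer before
 *    use. posix_kill(0, ...) signals the caller's whole process group and a
 *    negative pid signals every process in that group, so an empty or
 *    corrupt pid file must never reach posix_kill(). A corrupt file is
 *    simply removed.
 *  - the wait for exit is bounded (120 x 250 ms, about 30 s). A stale pid
 *    that now belongs to an unrelated long-lived process, or a daemon
 *    ignoring SIGTERM, previously hung this function forever. After the
 *    timeout the start is attempted anyway.
 */
function openvpn_restart($mode, $settings) {
	global $g, $config;

	$vpnid = $settings['vpnid'];
	$mode_id = $mode.$vpnid;

	/* kill the process if running */
	$pfile = $g['varrun_path']."/openvpn_{$mode_id}.pid";
	if (file_exists($pfile)) {

		/* read the pid file; it is removed regardless of its content */
		$pid = trim(file_get_contents($pfile));
		unlink($pfile);

		/* only a positive integer may be signalled */
		if (ctype_digit($pid) && (int) $pid > 0) {
			$pid = (int) $pid;

			/* send a term signal to the process */
			posix_kill($pid, SIGTERM);

			/* wait until the process exits, but not forever */
			for ($tries = 0; $tries < 120 && posix_kill($pid, 0); $tries++)
				usleep(250000);
		}
	}

	if (isset($settings['disable']))
		return;

	/* Do not start if we are a CARP backup on this vip! */
	if ((substr($settings['interface'], 0, 3) == "vip") && (get_carp_interface_status($settings['interface']) == "BACKUP"))
		return;

	/* start the new process */
	$fpath = $g['varetc_path']."/openvpn/{$mode_id}.conf";
	mwexec_bg("/usr/local/sbin/openvpn --config {$fpath}");

	if (!$g['booting'])
		send_event("filter reload");
}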
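/**
 * Tear down an instance: stop the daemon, detach the interface and remove
 * its generated files.
 *
 * @param string $mode      "server" or "client"
 * @param array  $settings  the instance's configuration (needs 'vpnid';
 *                          uses 'dev_mode' when present)
 *
 * Changes over the original:
 *  - the device is renamed back to "{dev_mode}{vpnid}", matching the name
 *    openvpn_reconfigure() created it under; the old code always assumed
 *    "tun", so a tap instance could not be renamed back.
 *  - the pid read from the pid file is validated before posix_kill(): a
 *    corrupt file yielding 0 or a negative number would otherwise signal the
 *    whole process group.
 */
function openvpn_delete($mode, & $settings) {
	global $g, $config;

	$vpnid = $settings['vpnid'];
	$mode_id = $mode.$vpnid;

	/* original kernel device name, as chosen in openvpn_reconfigure() */
	$dev_mode = isset($settings['dev_mode']) ? $settings['dev_mode'] : "tun";
	$tunname = "{$dev_mode}{$vpnid}";
	if ($mode == "server")
		$devname = "ovpns{$vpnid}";
	else
		$devname = "ovpnc{$vpnid}";

	/* kill the process if running */
	$pfile = "{$g['varrun_path']}/openvpn_{$mode_id}.pid";
	if (file_exists($pfile)) {

		/* read the pid file; it is removed regardless of its content */
		$pid = trim(file_get_contents($pfile));
		unlink($pfile);

		/* send a term signal to the process; a corrupt pid is ignored */
		if (ctype_digit($pid) && (int) $pid > 0)
			posix_kill((int) $pid, SIGTERM);
	}

	/* remove the device from the openvpn group */
	mwexec("/sbin/ifconfig {$devname} -group openvpn");

	/* restore the original adapter name */
	mwexec("/sbin/ifconfig {$devname} name {$tunname}");

	/* remove the configuration files: conf, keys, socket, generated hooks, .pas */
	mwexec("/bin/rm {$g['varetc_path']}/openvpn/{$mode_id}.*");
}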
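/**
 * Write (or remove) the client-specific override file for one client.
 *
 * The file lives at {varetc}/openvpn-csc/<common_name> and is read by
 * servers that emit "client-config-dir". A disabled override deletes the
 * file instead of writing it.
 *
 * @param array $settings  the client-specific override settings
 *
 * Changes over the original:
 *  - 'common_name' becomes a file name, so it must not contain a path
 *    separator or be "", "." or "..". Otherwise an override named e.g.
 *    "../../etc/x" would write a file outside openvpn-csc (as root) and
 *    chown it to nobody. Such names are now refused and logged. Whether the
 *    UI already rejects them is not visible here; this is defence in depth.
 *  - "redirect-gateway def1" was pushed twice when 'gwredir' was set, once
 *    by openvpn_add_dhcpopts() and once here; the duplicate is gone.
 */
function openvpn_resync_csc(& $settings) {
	global $g, $config;

	$cn = (string) $settings['common_name'];
	if ($cn === '' || $cn === '.' || $cn === '..' || basename($cn) !== $cn) {
		log_error("OpenVPN: refusing client-specific override with unsafe common name '{$cn}'.");
		return;
	}
	$fpath = $g['varetc_path']."/openvpn-csc/".$cn;

	if (isset($settings['disable'])) {
		unlink_if_exists($fpath);
		return;
	}

	$conf = '';
	// "disable" in a csc file blocks this client from connecting
	if ($settings['block'])
		$conf .= "disable\n";

	// discard the server's global pushes before applying this client's
	if ($settings['push_reset'])
		$conf .= "push-reset\n";

	if (!empty($settings['tunnel_network'])) {
		list($ip, $mask) = explode('/', $settings['tunnel_network']);
		$baselong = ip2long32($ip) & gen_subnet_mask_long($mask);
		$serverip = long2ip32($baselong + 1);
		$clientip = long2ip32($baselong + 2);
		/* Because this is being pushed, the order is from the client's point of view. */
		$conf .= "ifconfig-push {$clientip} {$serverip}\n";
	}

	// DNS/NTP/NetBIOS pushes and, when 'gwredir' is set, redirect-gateway
	openvpn_add_dhcpopts($settings, $conf);

	// free-form options, unvalidated (see openvpn_add_custom())
	openvpn_add_custom($settings, $conf);

	file_put_contents($fpath, $conf);
	chown($fpath, 'nobody');
	chgrp($fpath, 'nobody');
}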
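/**
 * Remove a client's override file from {varetc}/openvpn-csc.
 *
 * @param array $settings  the client-specific override settings ('common_name')
 *
 * 'common_name' forms the file name, so a name containing a path separator
 * or equal to "", "." or ".." is refused and nothing is deleted. Without
 * this check a name such as "../../etc/passwd" would unlink an arbitrary
 * file as root. Whether the UI already rejects such names is not visible
 * here; this is defence in depth.
 */
function openvpn_delete_csc(& $settings) {
	global $g, $config;

	$cn = (string) $settings['common_name'];
	if ($cn === '' || $cn === '.' || $cn === '..' || basename($cn) !== $cn)
		return;

	$fpath = $g['varetc_path']."/openvpn-csc/".$cn;
	unlink_if_exists($fpath);
}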
/**
 * Regenerate an instance's configuration and (re)start its daemon.
 *
 * Thin wrapper: openvpn_reconfigure() writes the files, openvpn_restart()
 * replaces the running process.
 *
 * @param string $mode      "server" or "client"
 * @param array  $settings  the instance's configuration
 */
function openvpn_resync($mode, $settings) {
	openvpn_reconfigure($mode, $settings);
	openvpn_restart($mode, $settings);
}
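/*
 * Regenerate and restart every OpenVPN server and client instance, then
 * rewrite all client-specific override (CSC) files.
 *
 * Nothing is done until both the openvpn and openvpn-csc directories under
 * $g['varetc_path'] exist, so calls made before those paths are set up at
 * boot are a no-op.
 *
 * @param string $interface  pfSense interface name.  "" (default) resyncs
 *                           every instance; otherwise servers and clients
 *                           whose 'interface' differs are skipped.  CSC
 *                           entries are rewritten regardless of $interface.
 */
function openvpn_resync_all($interface = "") {
	global $g, $config;

	/* Paths are created elsewhere during boot; bail until they exist. */
	if (!file_exists($g['varetc_path'] . "/openvpn") ||
	    !file_exists($g['varetc_path'] . "/openvpn-csc")) {
		return;
	}

	if (!is_array($config['openvpn'])) {
		$config['openvpn'] = array();
	}

	$filtered = ($interface != "");
	if ($filtered) {
		log_error("Resyncing OpenVPN instances for interface " . convert_friendly_interface_to_friendly_descr($interface) . ".");
	} else {
		log_error("Resyncing OpenVPN instances.");
	}

	/* Servers and clients are handled identically apart from the mode tag. */
	$sections = array('server' => 'openvpn-server', 'client' => 'openvpn-client');
	foreach ($sections as $mode => $section) {
		if (!is_array($config['openvpn'][$section])) {
			continue;
		}
		foreach ($config['openvpn'][$section] as & $settings) {
			if ($filtered && $interface != $settings['interface']) {
				continue;
			}
			openvpn_resync($mode, $settings);
		}
		/* Drop the by-reference binding so it cannot alias a later loop. */
		unset($settings);
	}

	if (is_array($config['openvpn']['openvpn-csc'])) {
		foreach ($config['openvpn']['openvpn-csc'] as & $settings) {
			openvpn_resync_csc($settings);
		}
		unset($settings);
	}
}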
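/*
 * List the enabled OpenVPN servers of one kind, each with live status read
 * from the instance's management socket.
 *
 * A server counts as "p2p" when its mode is p2p_shared_key or its tunnel
 * network prefix is /30 or longer (room for a single peer); every other
 * server is "multipoint".  Only servers matching $type are returned.
 *
 * @param string $type  "multipoint" (default) or "p2p"
 * @return array  list of server arrays with keys port, mode, name, conns,
 *                mgmt plus whatever openvpn_get_server_status() /
 *                openvpn_get_client_status() add.  Strings come from the
 *                config and the daemon and are not HTML-escaped.
 */
function openvpn_get_active_servers($type = "multipoint") {
	global $config, $g;

	$servers = array();
	if (!is_array($config['openvpn']['openvpn-server'])) {
		return $servers;
	}

	foreach ($config['openvpn']['openvpn-server'] as $settings) {
		if (empty($settings) || isset($settings['disable'])) {
			continue;
		}

		$prot = $settings['protocol'];
		/* Fall back to OpenVPN's default port so 'port' and 'name' agree. */
		$port = ($settings['local_port']) ? $settings['local_port'] : 1194;

		$server = array();
		$server['port'] = $port;
		$server['mode'] = $settings['mode'];
		$server['name'] = ($settings['description'])
			? "{$settings['description']} {$prot}:{$port}"
			: "Server {$prot}:{$port}";
		$server['conns'] = array();

		$mode_id = "server{$settings['vpnid']}";
		$server['mgmt'] = $mode_id;
		$socket = "unix://{$g['varetc_path']}/openvpn/{$mode_id}.sock";

		/* Prefix length decides p2p vs. multipoint; no mask counts as multipoint. */
		$parts = explode('/', (string)$settings['tunnel_network']);
		$sm = isset($parts[1]) ? (int)$parts[1] : 0;
		$is_p2p = ($server['mode'] == "p2p_shared_key") || ($sm >= 30);

		if ($type == "p2p" && $is_p2p) {
			$servers[] = openvpn_get_client_status($server, $socket);
		} elseif ($type == "multipoint" && !$is_p2p) {
			$servers[] = openvpn_get_server_status($server, $socket);
		}
	}
	return $servers;
}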
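/*
 * Ask one server instance for "status 2" over its management socket and
 * append the connected clients to $server['conns'].
 *
 * Each CLIENT_LIST record becomes an array with common_name, remote_host,
 * virtual_addr, bytes_recv, bytes_sent and connect_time.  If the socket
 * cannot be opened, a single placeholder entry is appended instead so the
 * caller still has a row to show.
 *
 * Record types are matched at the start of the line.  A substring test for
 * "END" or "ERROR" would also fire on a client whose common name or address
 * happens to contain those letters (e.g. "BRENDA", "VENDOR") and stop the
 * listing early.
 *
 * Field values come straight from the daemon, and through it from the peer's
 * certificate and source address; callers must escape them before output.
 *
 * @param array  $server  server entry from openvpn_get_active_servers()
 * @param string $socket  stream URI of the management socket
 * @return array  $server with 'conns' filled in
 */
function openvpn_get_server_status($server, $socket) {
	$errval = 0;
	$errstr = '';
	$fp = @stream_socket_client($socket, $errval, $errstr, 1);
	if (!$fp) {
		$server['conns'][] = array(
			'common_name'  => "[error]",
			'remote_host'  => "Management Daemon Unreachable",
			'virtual_addr' => "",
			'bytes_recv'   => 0,
			'bytes_sent'   => 0,
			'connect_time' => 0,
		);
		return $server;
	}

	/* Bound every read so a stalled daemon cannot hang the GUI. */
	stream_set_timeout($fp, 1);
	fputs($fp, "status 2\n");

	while (!feof($fp)) {
		$line = fgets($fp, 1024);
		$info = stream_get_meta_data($fp);
		if ($line === false || $info['timed_out']) {
			break;
		}

		/* Column header lines carry no client data. */
		if (strncmp($line, "HEADER", 6) === 0) {
			continue;
		}
		if (strncmp($line, "END", 3) === 0 || strncmp($line, "ERROR", 5) === 0) {
			break;
		}

		if (strncmp($line, "CLIENT_LIST", 11) === 0) {
			/* Pad so a short or malformed record cannot raise undefined offsets. */
			$list = array_pad(explode(",", rtrim($line, "\r\n")), 7, '');
			$server['conns'][] = array(
				'common_name'  => $list[1],
				'remote_host'  => $list[2],
				'virtual_addr' => $list[3],
				'bytes_recv'   => $list[4],
				'bytes_sent'   => $list[5],
				'connect_time' => $list[6],
			);
		}
	}

	fclose($fp);
	return $server;
}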
/*
 * Collect every enabled OpenVPN client instance together with its live
 * state from the instance's management socket.
 *
 * @return array  list of client arrays with keys port, name, mgmt and
 *                status (initially "down"), plus the fields filled in by
 *                openvpn_get_client_status().  Values are not HTML-escaped.
 */
function openvpn_get_active_clients() {
	global $config, $g;

	$clients = array();
	$entries = is_array($config['openvpn']['openvpn-client'])
		? $config['openvpn']['openvpn-client'] : array();

	foreach ($entries as $settings) {
		if (empty($settings) || isset($settings['disable'])) {
			continue;
		}

		/* Unlike servers, a client without a local port gets no ":port" suffix. */
		$label = $settings['protocol'];
		if ($settings['local_port']) {
			$label .= ":{$settings['local_port']}";
		}

		$mode_id = "client{$settings['vpnid']}";
		$client = array(
			'port'   => $settings['local_port'],
			'name'   => ($settings['description'] ? "{$settings['description']} " : "Client ") . $label,
			'mgmt'   => $mode_id,
			'status' => "down",
		);

		$socket = "unix://{$g['varetc_path']}/openvpn/{$mode_id}.sock";
		$clients[] = openvpn_get_client_status($client, $socket);
	}
	return $clients;
}
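/*
 * Query one client instance (or p2p server) over its management socket and
 * fill in its connection state.
 *
 * "state 1" returns state lines of the form "time,STATE,desc,local,remote".
 * STATE is mapped onto $client['status']: up, connecting, waiting or
 * "reconnecting; <desc>"; "down" is left as the caller set it.  When the
 * tunnel is up, "status 2" is sent as well to collect the byte counters.
 *
 * Keywords are compared against the STATE field rather than searched for as
 * substrings: "CONNECTING" is contained in "RECONNECTING", and a remote host
 * or description containing "END" would otherwise end the loop early.
 *
 * If the socket cannot be opened, placeholder values are set and status is
 * left untouched.  All strings come from the daemon and the peer and are
 * not HTML-escaped.
 *
 * @param array  $client  entry with at least a 'status' key
 * @param string $socket  stream URI of the management socket
 * @return array  $client with status and connection details filled in
 */
function openvpn_get_client_status($client, $socket) {
	$errval = 0;
	$errstr = '';
	$fp = @stream_socket_client($socket, $errval, $errstr, 1);
	if (!$fp) {
		$client['remote_host'] = "No Management Daemon";
		$client['virtual_addr'] = "See Note Below";
		$client['bytes_recv'] = 0;
		$client['bytes_sent'] = 0;
		$client['connect_time'] = 0;
		return $client;
	}

	/* Bound every read so a stalled daemon cannot hang the GUI. */
	stream_set_timeout($fp, 1);

	fputs($fp, "state 1\n");
	while (!feof($fp)) {
		$line = fgets($fp, 1024);
		$info = stream_get_meta_data($fp);
		if ($line === false || $info['timed_out']) {
			break;
		}
		if (strncmp($line, "END", 3) === 0 || strncmp($line, "ERROR", 5) === 0) {
			break;
		}

		/* Pad so a banner or malformed line cannot raise undefined offsets. */
		$list = array_pad(explode(",", rtrim($line, "\r\n")), 5, '');
		$when = date("D M j G:i:s Y", (int)$list[0]);
		switch ($list[1]) {
			case "CONNECTED":
				$client['status'] = "up";
				$client['connect_time'] = $when;
				$client['virtual_addr'] = $list[3];
				$client['remote_host'] = $list[4];
				break;
			case "CONNECTING":
				$client['status'] = "connecting";
				break;
			case "ASSIGN_IP":
				$client['status'] = "waiting";
				$client['connect_time'] = $when;
				$client['virtual_addr'] = $list[3];
				break;
			case "RECONNECTING":
				/* The description field carries the daemon's reason. */
				$client['status'] = "reconnecting; " . $list[2];
				$client['connect_time'] = $when;
				break;
		}
	}

	/* Only an established tunnel has meaningful counters. */
	if ($client['status'] === "up") {
		fputs($fp, "status 2\n");
		while (!feof($fp)) {
			$line = fgets($fp, 1024);
			$info = stream_get_meta_data($fp);
			if ($line === false || $info['timed_out']) {
				break;
			}
			if (strncmp($line, "END", 3) === 0) {
				break;
			}

			/* Strip the line ending so the counter is a bare number. */
			$list = array_pad(explode(",", rtrim($line, "\r\n")), 2, '');
			if (strncmp($line, "TCP/UDP read bytes", 18) === 0) {
				$client['bytes_recv'] = $list[1];
			} elseif (strncmp($line, "TCP/UDP write bytes", 19) === 0) {
				$client['bytes_sent'] = $list[1];
			}
		}
	}

	fclose($fp);
	return $client;
}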
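/*
 * Rewrite the crl-verify file of every enabled server in a TLS-based mode
 * from the CRL referenced by its 'crlref'.
 *
 * The CRL is written to a temporary file and renamed into place, so a
 * daemon re-reading the CRL while this runs never sees a truncated file.
 * A crlref that cannot be looked up, or decodes to nothing, is logged and
 * then still written as an empty file: OpenVPN is expected to reject all
 * clients on an unparsable CRL, and that fail-closed outcome is preferable
 * to silently keeping a stale CRL.  Write failures are logged as well.
 */
function openvpn_refresh_crls() {
	global $g, $config;

	if (!file_exists($g['varetc_path'] . "/openvpn")) {
		return;
	}
	if (!is_array($config['openvpn']['openvpn-server'])) {
		return;
	}

	/* Modes for which a crl-verify file is maintained. */
	$crl_modes = array('p2p_tls', 'server_tls', 'server_tls_user', 'server_user');

	foreach ($config['openvpn']['openvpn-server'] as $settings) {
		if (empty($settings) || isset($settings['disable'])) {
			continue;
		}
		if (!in_array($settings['mode'], $crl_modes, true) || empty($settings['crlref'])) {
			continue;
		}

		$vpnid = $settings['vpnid'];
		$crl = lookup_crl($settings['crlref']);
		$crl_text = '';
		if (is_array($crl)) {
			crl_update($crl);
			$crl_text = (string)base64_decode($crl['text']);
		}
		if ($crl_text === '') {
			/* Written anyway (see header); the log line says why clients fail. */
			log_error("OpenVPN server {$vpnid}: CRL {$settings['crlref']} not found or empty, writing an empty crl-verify file.");
		}

		$fpath = $g['varetc_path'] . "/openvpn/server{$vpnid}.crl-verify";
		$tmp = "{$fpath}.tmp";
		if (@file_put_contents($tmp, $crl_text) === false) {
			log_error("OpenVPN server {$vpnid}: could not write {$tmp}.");
			continue;
		}
		@chmod($tmp, 0644);
		/* rename() on the same filesystem replaces the old CRL atomically. */
		if (!@rename($tmp, $fpath)) {
			log_error("OpenVPN server {$vpnid}: could not replace {$fpath}.");
			@unlink($tmp);
		}
	}
}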
?>