Commit efb06220 authored by Franco Fichtner

vpn: merge three OpenVPN changes from master

Since the changes are spread over several commits that have already been partially cherry-picked, just sync the files whose changes have not yet been moved to stable/16.7.

o Adapt to cipher output changes in OpenVPN 2.1.12
o Improve plugin probing for virtual interface
o Added missing IPv6 Tunnel Network for CSC
parent 82bc5b81
...@@ -82,6 +82,7 @@ function openvpn_create_key() ...@@ -82,6 +82,7 @@ function openvpn_create_key()
function openvpn_vpnid_used($vpnid) function openvpn_vpnid_used($vpnid)
{ {
global $config; global $config;
if (isset($config['openvpn']['openvpn-server'])) { if (isset($config['openvpn']['openvpn-server'])) {
foreach ($config['openvpn']['openvpn-server'] as &$settings) { foreach ($config['openvpn']['openvpn-server'] as &$settings) {
if ($vpnid == $settings['vpnid']) { if ($vpnid == $settings['vpnid']) {
...@@ -99,7 +100,7 @@ function openvpn_vpnid_used($vpnid) ...@@ -99,7 +100,7 @@ function openvpn_vpnid_used($vpnid)
} }
return false; return false;
} }
function openvpn_vpnid_next() function openvpn_vpnid_next()
{ {
...@@ -165,13 +166,14 @@ function openvpn_port_next($prot, $interface = "wan") ...@@ -165,13 +166,14 @@ function openvpn_port_next($prot, $interface = "wan")
function openvpn_get_cipherlist() function openvpn_get_cipherlist()
{ {
$ciphers = array(); $ciphers = array();
$cipher_out = shell_exec('/usr/local/sbin/openvpn --show-ciphers | /usr/bin/grep "default key" | /usr/bin/awk \'{print $1, "(" $2 "-" $3 ")";}\''); exec('/usr/local/sbin/openvpn --show-ciphers', $lines);
$cipher_lines = explode("\n", trim($cipher_out)); foreach ($lines as $line) {
sort($cipher_lines); if (strstr($line, '(') !== false) {
foreach ($cipher_lines as $line) { $cipher = explode(' ', $line)[0];
$words = explode(' ', $line); $ciphers[$cipher] = $line;
$ciphers[$words[0]] = "{$words[0]} {$words[1]}"; }
} }
ksort($ciphers);
$ciphers["none"] = gettext("None (No Encryption)"); $ciphers["none"] = gettext("None (No Encryption)");
return $ciphers; return $ciphers;
} }
...@@ -179,13 +181,15 @@ function openvpn_get_cipherlist() ...@@ -179,13 +181,15 @@ function openvpn_get_cipherlist()
function openvpn_get_digestlist() function openvpn_get_digestlist()
{ {
$digests = array(); $digests = array();
$digest_out = shell_exec('/usr/local/sbin/openvpn --show-digests | /usr/bin/grep "digest size" | /usr/bin/awk \'{print $1, "(" $2 "-" $3 ")";}\''); exec('/usr/local/sbin/openvpn --show-digests', $lines);
$digest_lines = explode("\n", trim($digest_out)); foreach ($lines as $line) {
sort($digest_lines); if (strstr($line, 'digest size') !== false) {
foreach ($digest_lines as $line) { $digest = explode(' ', $line)[0];
$words = explode(' ', $line); $bits = explode(' ', explode('bit', $line)[0])[1];
$digests[$words[0]] = "{$words[0]} {$words[1]}"; $digests[$digest] = $digest . " (".$bits."-bit)";
}
} }
ksort($digests);
$digests["none"] = gettext("None (No Authentication)"); $digests["none"] = gettext("None (No Authentication)");
return $digests; return $digests;
} }
...@@ -936,6 +940,15 @@ function openvpn_resync_csc_conf($settings, $server) ...@@ -936,6 +940,15 @@ function openvpn_resync_csc_conf($settings, $server)
$conf .= "ifconfig-push {$clientip} " . gen_subnet_mask($mask) . "\n"; $conf .= "ifconfig-push {$clientip} " . gen_subnet_mask($mask) . "\n";
} }
} }
if (!empty($settings['tunnel_networkv6'])) {
list($ipv6, $prefix) = explode('/', $settings['tunnel_networkv6']);
list($ipv6_1, $ipv6_2) = openvpn_get_interface_ipv6($ipv6, $prefix);
if ($server['dev_mode'] == 'tun' && empty($server['topology_subnet'])) {
$conf .= "ifconfig-ipv6-push {$ipv6_2} {$ipv6_1}\n";
} else {
$conf .= "ifconfig-ipv6-push {$ipv6_2} {$prefix}\n";
}
}
if (!empty($settings['local_network'])) { if (!empty($settings['local_network'])) {
$conf .= openvpn_gen_routes($settings['local_network'], "ipv4", true); $conf .= openvpn_gen_routes($settings['local_network'], "ipv4", true);
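Review bot: In the new CSC block, the subnet/tap branch writes `ifconfig-ipv6-push {$ipv6_2} {$prefix}`, but OpenVPN documents the option as `ifconfig-ipv6-push ipv6addr/bits ipv6remote`, so the bare prefix length lands in the position where a remote address is expected; the intended line is presumably `$conf .= "ifconfig-ipv6-push {$ipv6_2}/{$prefix} {$ipv6_1}\n";` — confirm against the option parser of the OpenVPN version shipped, since the outcome depends on how it treats a non-address second argument. The value is also split straight from `$settings['tunnel_networkv6']` with `explode('/', ...)` and no `trim()`, so any whitespace that survives validation around the `/` ends up verbatim in the generated server config. openvpn_resync_csc_conf starts and ends outside this hunk.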
...@@ -73,15 +73,21 @@ function if_openvpn_interfaces() ...@@ -73,15 +73,21 @@ function if_openvpn_interfaces()
$interfaces = array(); $interfaces = array();
/* add openvpn interfaces */ foreach (array('server', 'client') as $mode) {
if (isset($config['openvpn']['openvpn-server']) || isset($config['openvpn']['openvpn-client'])) { if (isset($config['openvpn']["openvpn-{$mode}"])) {
$oic = array("enable" => true); foreach ($config['openvpn']["openvpn-{$mode}"] as &$settings) {
$oic['if'] = "openvpn"; if (!isset($settings['disable'])) {
$oic['descr'] = 'OpenVPN'; $oic = array('enable' => true);
$oic['type'] = "none"; $oic['if'] = 'openvpn';
$oic['virtual'] = true; $oic['descr'] = 'OpenVPN';
$oic['networks'] = array(); $oic['type'] = 'none';
$interfaces['openvpn'] = $oic; $oic['virtual'] = true;
$oic['networks'] = array();
$interfaces['openvpn'] = $oic;
break 2;
}
}
}
} }
return $interfaces; return $interfaces;
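Review bot: The new loops iterate `$config['openvpn']["openvpn-{$mode}"]` by reference (`as &$settings`) although the body only reads `$settings['disable']`, and the `break 2` exits while `$settings` is still bound to an entry of the global config; any later assignment to a variable of that name in this function would silently overwrite that config entry. Iterate by value, `foreach ($config['openvpn']["openvpn-{$mode}"] as $settings) {`, or `unset($settings);` after the loop. A one-line comment would also make the early exit clearer, e.g. `// one enabled instance is enough: all OpenVPN instances share the single virtual interface`. if_openvpn_interfaces begins before this hunk.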
...@@ -302,7 +302,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -302,7 +302,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
} }
} }
// attributes containing some kind of logic // attributes containing some kind of logic
if ($vpnid) { if ($vpnid) {
$client['vpnid'] = $vpnid; $client['vpnid'] = $vpnid;
} else { } else {
...@@ -35,7 +35,7 @@ require_once("plugins.inc"); ...@@ -35,7 +35,7 @@ require_once("plugins.inc");
// define all fields used in this form // define all fields used in this form
$all_form_fields = "custom_options,disable,common_name,block,description $all_form_fields = "custom_options,disable,common_name,block,description
,tunnel_network,local_network,local_networkv6,remote_network ,tunnel_network,tunnel_networkv6,local_network,local_networkv6,remote_network
,remote_networkv6,gwredir,push_reset,dns_domain,dns_server1 ,remote_networkv6,gwredir,push_reset,dns_domain,dns_server1
,dns_server2,dns_server3,dns_server4,ntp_server1,ntp_server2 ,dns_server2,dns_server3,dns_server4,ntp_server1,ntp_server2
,netbios_enable,netbios_ntype,netbios_scope,wins_server1 ,netbios_enable,netbios_ntype,netbios_scope,wins_server1
...@@ -131,6 +131,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { ...@@ -131,6 +131,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network')) { if ($result = openvpn_validate_cidr($pconfig['tunnel_network'], 'IPv4 Tunnel Network')) {
$input_errors[] = $result; $input_errors[] = $result;
} }
if ($result = openvpn_validate_cidr($pconfig['tunnel_networkv6'], 'IPv6 Tunnel Network', false, "ipv6")) {
$input_errors[] = $result;
}
if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4")) { if ($result = openvpn_validate_cidr($pconfig['local_network'], 'IPv4 Local Network', true, "ipv4")) {
$input_errors[] = $result; $input_errors[] = $result;
} }
...@@ -466,6 +469,21 @@ if ($act!="new" && $act!="edit") { ...@@ -466,6 +469,21 @@ if ($act!="new" && $act!="edit") {
</div> </div>
</td> </td>
</tr> </tr>
<tr>
<td><a id="help_for_tunnel_networkv6" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv6 Tunnel Network"); ?></td>
<td>
<input name="tunnel_networkv6" type="text" value="<?=$pconfig['tunnel_networkv6'];?>" />
<div class="hidden" for="help_for_tunnel_networkv6">
<?=gettext("This is the IPv6 virtual network used for private " .
"communications between this server and client " .
"hosts expressed using CIDR (eg. fe80::/64). " .
"The first network address will be assigned to " .
"the server virtual interface. The remaining " .
"network addresses can optionally be assigned " .
"to connecting clients. (see Address Pool)"); ?>
</div>
</td>
</tr>
<tr id="local_optsv4"> <tr id="local_optsv4">
<td><a id="help_for_local_network" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv4 Local Network"); ?></td> <td><a id="help_for_local_network" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("IPv4 Local Network"); ?></td>
<td> <td>
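Review bot: The new `IPv6 Tunnel Network` input echoes `$pconfig['tunnel_networkv6']` into the `value` attribute without escaping; if the form is re-rendered with the submitted value after a validation error, as the `$input_errors[]` path earlier in this file suggests, a value containing `"` or `>` breaks out of the attribute. Use `value="<?=htmlspecialchars($pconfig['tunnel_networkv6']);?>"` here. The neighbouring rows may share the same pattern, in which case it is better to fix them together than to add another instance. The surrounding form markup begins and ends outside this hunk.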