webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Hinzugefügt:

Browse Source 
* OpenVPN GUI Alpha7
Geändert:
  * XAMPP von 1.5.3 --> 1.5.3a


git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@152 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
This commit is contained in:
ms
2006-06-02 15:59:39 +00:00
parent 0d0521b60c
commit 6e13d0a5c5
23 changed files with 4877 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
config/ovpn/caconfig Normal file
View File

0
config/ovpn/certs/index.txt Normal file
View File

1
config/ovpn/certs/serial Normal file
View File

@@ -0,0 +1 @@
01

103
config/ovpn/openssl/ovpn.cnf Normal file
View File

@@ -0,0 +1,103 @@
HOME = .
RANDFILE = /var/ipcop/ovpn/ca/.rnd
oid_section = new_oids
[ new_oids ]
[ ca ]
default_ca = openvpn
[ openvpn ]
dir = /var/ipcop/ovpn
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/certs/index.txt
new_certs_dir = $dir/certs
certificate = $dir/ca/cacert.pem
serial = $dir/certs/serial
crl = $dir/crl.pem
private_key = $dir/ca/cakey.pem
RANDFILE = $dir/ca/.rand
x509_extensions = usr_cert
default_days = 999999
default_crl_days= 30
default_md = md5
preserve = no
policy = policy_match
email_in_dn = no
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default =
localityName = Locality Name (eg, city)
#localityName_default =
0.organizationName = Organization Name (eg, company)
0.organizationName_default = My Company Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true
[ crl_ext ]
authorityKeyIdentifier=keyid:always,issuer:always
[ engine ]
default = openssl

0
config/ovpn/ovpnconfig Normal file
View File

0
config/ovpn/settings Normal file
View File

16
config/ovpn/verify Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/sh
if [ $1 -eq 0 ]; then
name2=`echo $2`
name3=${name2##*/}
name4=${name3##*CN=}
clientdisabled=`/bin/grep -iwc off,.*,$name4 /var/ipcop/ovpn/ovpnconfig`
if [ "$clientdisabled" = "1" ]; then
exit 1
fi
exit 0
fi
exit 0

2
doc/packages-list.txt
View File

@@ -215,6 +215,6 @@
* vim-6.3
* vlan.1.9
* wget-1.10.2
* xampp-linux-1.5.3
* xampp-linux-1.5.3a
* xinetd-2.3.14
* zlib-1.2.3

43
html/cgi-bin/connections.cgi
View File

@@ -74,6 +74,48 @@ push(@network, '127.0.0.1');
push(@masklen, '255.255.255.255' );
push(@colour, ${Header::colourfw} );
# Add OpenVPN net and RED/BLUE/ORANGE entry (when appropriate)
if (-e "${General::swroot}/ovpn/settings") {
my %ovpnsettings = ();
&General::readhash("${General::swroot}/ovpn/settings", \%ovpnsettings);
my @tempovpnsubnet = split("\/",$ovpnsettings{'DOVPN_SUBNET'});
# add OpenVPN net
push(@network, $tempovpnsubnet[0]);
push(@masklen, $tempovpnsubnet[1]);
push(@colour, ${Header::colourovpn} );
push(@ports, '0' );
push(@protocols, '' );
if ( ($ovpnsettings{'ENABLED'} eq 'on') && open(IP, "${General::swroot}/red/local-ipaddress") ) {
# add RED:port / proto
my $redip = <IP>;
close(IP);
chomp $redip;
push(@network, $redip );
push(@masklen, '255.255.255.255' );
push(@colour, ${Header::colourovpn} );
push(@ports, $ovpnsettings{'DDEST_PORT'} );
push(@protocols, $ovpnsettings{'DPROTOCOL'} );
}
if ( ($ovpnsettings{'ENABLED_BLUE'} eq 'on') && $netsettings{'BLUE_DEV'} ) {
# add BLUE:port / proto
push(@network, $netsettings{'BLUE_ADDRESS'} );
push(@masklen, '255.255.255.255' );
push(@colour, ${Header::colourovpn} );
push(@ports, $ovpnsettings{'DDEST_PORT'} );
push(@protocols, $ovpnsettings{'DPROTOCOL'} );
}
if ( ($ovpnsettings{'ENABLED_ORANGE'} eq 'on') && $netsettings{'ORANGE_DEV'} ) {
# add ORANGE:port / proto
push(@network, $netsettings{'ORANGE_ADDRESS'} );
push(@masklen, '255.255.255.255' );
push(@colour, ${Header::colourovpn} );
push(@ports, $ovpnsettings{'DDEST_PORT'} );
push(@protocols, $ovpnsettings{'DPROTOCOL'} );
}
}
# Add Orange Network
if ($netsettings{'ORANGE_DEV'}) {
push(@network, $netsettings{'ORANGE_NETADDRESS'});
@@ -370,6 +412,7 @@ print <<END
<td align='center' bgcolor='${Header::colourblue}'><b><font color='#FFFFFF'>$Lang::tr{'wireless'}</font></b></td>
<td align='center' bgcolor='${Header::colourfw}'><b><font color='#FFFFFF'>IPFire</font></b></td>
<td align='center' bgcolor='${Header::colourvpn}'><b><font color='#FFFFFF'>$Lang::tr{'vpn'}</font></b></td>
<td align='center' bgcolor='${Header::colourovpn}'><b><font color='#FFFFFF'>$Lang::tr{'OpenVPN'}</font></b></td>
</tr>
</table>
<br />

6
html/cgi-bin/logs.cgi/log.dat
View File

@@ -59,6 +59,7 @@ my %sections = (
'kernel' => '(kernel)',
'ipsec' => '(ipsec_[\w_]+|pluto\[.*\])',
'snort' => '(snort)',
'openvpn' => '(openvpnserver)\[.*\]',
'installpackage' => '(installpackage\[.*\])'
);
@@ -74,6 +75,7 @@ my %trsections = (
'auth' => "$Lang::tr{'loginlogout'}",
'kernel' => "$Lang::tr{'kernel'}",
'ipsec' => 'IPSec',
'openvpn' => 'OpenVPN',
'snort' => 'Snort',
'installpackage' => "$Lang::tr{'update transcript'}"
);
@@ -350,8 +352,8 @@ print <<END
<table width='100%'>
<tr>
<td width='10%' align='center' class='boldbase'><b>$Lang::tr{'time'}</b></td>
<td width='15%' align='center' class='boldbase'><b>$Lang::tr{'section'}</b></td>
<td width='75%'>&nbsp;</td>
<td width='10%' align='center' class='boldbase'><b>$Lang::tr{'section'}</b></td>
<td width='80%'>&nbsp;</td>
</tr>
END
;

778
html/cgi-bin/ovpnfunc.pl Normal file
View File

@@ -0,0 +1,778 @@
#!/usr/bin/perl -w
package Ovpnfunc;
use Archive::Zip qw(:ERROR_CODES :CONSTANTS);
use Net::DNS;
use File::Copy;
use File::Temp qw/ tempfile tempdir /;
use strict;
require '/var/ipfire/general-functions.pl';
my %netsettings=();
my $errormessage = '';
my $errormessage2 = '';
my @subnets; # array of anonymous hashes {cn, from, to}
my @subnets2; # array of anonymous hashes {cn, from, to}
my %overlaps; # hash {cn} of anonymous arrays of subnets
my ($subnet, $from, $to, $i, $j);
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
sub haveOrangeNet
{
if ($netsettings{'CONFIG_TYPE'} == 1) {return 1;}
if ($netsettings{'CONFIG_TYPE'} == 3) {return 1;}
if ($netsettings{'CONFIG_TYPE'} == 5) {return 1;}
if ($netsettings{'CONFIG_TYPE'} == 7) {return 1;}
return 0;
}
sub haveBlueNet
{
if ($netsettings{'CONFIG_TYPE'} == 4) {return 1;}
if ($netsettings{'CONFIG_TYPE'} == 5) {return 1;}
if ($netsettings{'CONFIG_TYPE'} == 6) {return 1;}
if ($netsettings{'CONFIG_TYPE'} == 7) {return 1;}
return 0;
}
sub sizeformat{
my $bytesize = $_[0];
my $i = 0;
while(abs($bytesize) >= 1024){
$bytesize=$bytesize/1024;
$i++;
last if($i==6);
}
my @units = ("Bytes","KB","MB","GB","TB","PB","EB");
my $newsize=(int($bytesize*100 +0.5))/100;
return("$newsize $units[$i]");
}
sub valid_dns_host {
my $hostname = $_[0];
unless ($hostname) { return "No hostname"};
my $res = new Net::DNS::Resolver;
my $query = $res->search("$hostname");
if ($query) {
foreach my $rr ($query->answer) {
## Potential bug - we are only looking at A records:
return 0 if $rr->type eq "A";
}
} else {
return $res->errorstring;
}
}
sub cleanssldatabase
{
if (open(FILE, ">${General::swroot}/ovpn/certs/serial")) {
print FILE "01";
close FILE;
}
if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
print FILE "";
close FILE;
}
unlink ("${General::swroot}/ovpn/certs/index.txt.old");
unlink ("${General::swroot}/ovpn/certs/serial.old");
unlink ("${General::swroot}/ovpn/certs/01.pem");
}
sub newcleanssldatabase
{
if (! -s "${General::swroot}/ovpn/certs/serial" ) {
open(FILE, ">${General::swroot}(ovpn/certs/serial");
print FILE "01";
close FILE;
}
if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
system ("touch ${General::swroot}/ovpn/certs/index.txt");
}
unlink ("${General::swroot}/ovpn/certs/index.txt.old");
unlink ("${General::swroot}/ovpn/certs/serial.old");
}
sub deletebackupcert
{
if (open(FILE, "${General::swroot}/ovpn/certs/serial.old")) {
my $hexvalue = <FILE>;
chomp $hexvalue;
close FILE;
unlink ("${General::swroot}/ovpn/certs/$hexvalue.pem");
}
}
sub checkportfw {
my $KEY2 = $_[0]; # key2
my $SRC_PORT = $_[1]; # src_port
my $PROTOCOL = $_[2]; # protocol
my $SRC_IP = $_[3]; # sourceip
my $pfwfilename = "${General::swroot}/portfw/config";
open(FILE, $pfwfilename) or die 'Unable to open config file.';
my @pfwcurrent = <FILE>;
close(FILE);
my $pfwkey1 = 0; # used for finding last sequence number used
foreach my $pfwline (@pfwcurrent)
{
my @pfwtemp = split(/\,/,$pfwline);
chomp ($pfwtemp[8]);
if ($KEY2 eq "0"){ # if key2 is 0 then it is a portfw addition
if ( $SRC_PORT eq $pfwtemp[3] &&
$PROTOCOL eq $pfwtemp[2] &&
$SRC_IP eq $pfwtemp[7])
{
$errormessage = "$Lang::tr{'source port in use'} $SRC_PORT";
}
# Check if key2 = 0, if it is then it is a port forward entry and we want the sequence number
if ( $pfwtemp[1] eq "0") {
$pfwkey1=$pfwtemp[0];
}
# Darren Critchley - Duplicate or overlapping Port range check
if ($pfwtemp[1] eq "0" &&
$PROTOCOL eq $pfwtemp[2] &&
$SRC_IP eq $pfwtemp[7] &&
$errormessage eq '')
{
&portchecks($SRC_PORT, $pfwtemp[5]);
# &portchecks($pfwtemp[3], $pfwtemp[5]);
# &portchecks($pfwtemp[3], $SRC_IP);
}
}
}
# $errormessage="$KEY2 $SRC_PORT $PROTOCOL $SRC_IP";
return $errormessage;
}
sub checkportoverlap
{
my $portrange1 = $_[0]; # New port range
my $portrange2 = $_[1]; # existing port range
my @tempr1 = split(/\:/,$portrange1);
my @tempr2 = split(/\:/,$portrange2);
unless (&checkportinc($tempr1[0], $portrange2)){ return 0;}
unless (&checkportinc($tempr1[1], $portrange2)){ return 0;}
unless (&checkportinc($tempr2[0], $portrange1)){ return 0;}
unless (&checkportinc($tempr2[1], $portrange1)){ return 0;}
return 1; # Everything checks out!
}
# Darren Critchley - we want to make sure that a port entry is not within an already existing range
sub checkportinc
{
my $port1 = $_[0]; # Port
my $portrange2 = $_[1]; # Port range
my @tempr1 = split(/\:/,$portrange2);
if ($port1 < $tempr1[0] || $port1 > $tempr1[1]) {
return 1;
} else {
return 0;
}
}
# Darren Critchley - Duplicate or overlapping Port range check
sub portchecks
{
my $p1 = $_[0]; # New port range
my $p2 = $_[1]; # existing port range
# $_ = $_[0];
our ($prtrange1, $prtrange2);
$prtrange1 = 0;
# if (m/:/ && $prtrange1 == 1) { # comparing two port ranges
# unless (&checkportoverlap($p1,$p2)) {
# $errormessage = "$Lang::tr{'source port overlaps'} $p1";
# }
# }
if (m/:/ && $prtrange1 == 0 && $errormessage eq '') { # compare one port to a range
unless (&checkportinc($p2,$p1)) {
$errormessage = "$Lang::tr{'srcprt within existing'} $p1";
}
}
$prtrange1 = 1;
if (! m/:/ && $prtrange1 == 1 && $errormessage eq '') { # compare one port to a range
unless (&checkportinc($p1,$p2)) {
$errormessage = "$Lang::tr{'srcprt range overlaps'} $p2";
}
}
return;
}
# Darren Critchley - certain ports are reserved for ipfire
# TCP 67,68,81,222,445
# UDP 67,68
# Params passed in -> port, rangeyn, protocol
sub disallowreserved
{
# port 67 and 68 same for tcp and udp, don't bother putting in an array
my $msg = "";
my @tcp_reserved = (81,222,445);
my $prt = $_[0]; # the port or range
my $ryn = $_[1]; # tells us whether or not it is a port range
my $prot = $_[2]; # protocol
my $srcdst = $_[3]; # source or destination
if ($ryn) { # disect port range
if ($srcdst eq "src") {
$msg = "$Lang::tr{'rsvd src port overlap'}";
} else {
$msg = "$Lang::tr{'rsvd dst port overlap'}";
}
my @tmprng = split(/\:/,$prt);
unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage="$msg 67"; return; }
unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage="$msg 68"; return; }
if ($prot eq "tcp") {
foreach my $prange (@tcp_reserved) {
unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage="$msg $prange"; return; }
}
}
} else {
if ($srcdst eq "src") {
$msg = "$Lang::tr{'reserved src port'}";
} else {
$msg = "$Lang::tr{'reserved dst port'}";
}
if ($prt == 67) { $errormessage="$msg 67"; return; }
if ($prt == 68) { $errormessage="$msg 68"; return; }
if ($prot eq "tcp") {
foreach my $prange (@tcp_reserved) {
if ($prange == $prt) {
$errormessage = "$msg $prange";
return $errormessage; }
}
}
}
return $errormessage;
}
sub writeserverconf {
my %sovpnsettings = ();
&General::readhash("${General::swroot}/ovpn/settings", \%sovpnsettings);
open(CONF, ">${General::swroot}/ovpn/server.conf") or die "Unable to open ${General::swroot}/ovpn/server.conf: $!";
flock CONF, 2;
print CONF "#OpenVPN Server conf\n";
print CONF "\n";
print CONF "daemon openvpnserver\n";
print CONF "writepid /var/run/openvpn.pid\n";
print CONF "#DAN prepare ZERINA for listening on blue and orange\n";
print CONF ";local $sovpnsettings{'VPN_IP'}\n";
print CONF "dev $sovpnsettings{'DDEVICE'}\n";
print CONF "$sovpnsettings{'DDEVICE'}-mtu $sovpnsettings{'DMTU'}\n";
print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
print CONF "tls-server\n";
print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n";
print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n";
print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n";
print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n";
my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'});
print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n";
print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n";
if ($sovpnsettings{AD_ROUTE1} ne '') {
my @tempovpnsubnet = split("\/",$sovpnsettings{'AD_ROUTE1'});
print CONF "push \"route $tempovpnsubnet[0] $tempovpnsubnet[1]\"\n";
}
if ($sovpnsettings{AD_ROUTE2} ne '') {
my @tempovpnsubnet = split("\/",$sovpnsettings{'AD_ROUTE2'});
print CONF "push \"route $tempovpnsubnet[0] $tempovpnsubnet[1]\"\n";
}
if ($sovpnsettings{AD_ROUTE3} ne '') {
my @tempovpnsubnet = split("\/",$sovpnsettings{'AD_ROUTE3'});
print CONF "push \"route $tempovpnsubnet[0] $tempovpnsubnet[1]\"\n";
}
if ($sovpnsettings{CLIENT2CLIENT} eq 'on') {
print CONF "client-to-client\n";
}
if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
}
print CONF "status-version 1\n";
print CONF "status /var/log/ovpnserver.log 30\n";
print CONF "cipher $sovpnsettings{DCIPHER}\n";
if ($sovpnsettings{DCOMPLZO} eq 'on') {
print CONF "comp-lzo\n";
}
if ($sovpnsettings{REDIRECT_GW_DEF1} eq 'on') {
print CONF "push \"redirect-gateway def1\"\n";
}
if ($sovpnsettings{DHCP_DOMAIN} ne '') {
print CONF "push \"dhcp-option DOMAIN $sovpnsettings{DHCP_DOMAIN}\"\n";
}
if ($sovpnsettings{DHCP_DNS} ne '') {
print CONF "push \"dhcp-option DNS $sovpnsettings{DHCP_DNS}\"\n";
}
if ($sovpnsettings{DHCP_WINS} ne '') {
print CONF "push \"dhcp-option WINS $sovpnsettings{DHCP_WINS}\"\n";
}
if ($sovpnsettings{DHCP_WINS} eq '') {
print CONF "max-clients 100\n";
}
if ($sovpnsettings{DHCP_WINS} ne '') {
print CONF "max-clients $sovpnsettings{MAX_CLIENTS}\n";
}
#################################################################################
# Added by Philipp Jenni #
# #
# Contact: philipp.jenni-at-gmx.ch #
# Date: 2006-04-22 #
# Description: Add the FAST-IO Parameter from OpenVPN to der Server.Config. #
# Add the NICE Parameter from OpenVPN to der Server.Config. #
# Add the MTU-DISC Parameter from OpenVPN to der Server.Config. #
# Add the MSSFIX Parameter from OpenVPN to der Server.Config. #
# Add the FRAMGMENT Parameter from OpenVPN to der Server.Config. #
#################################################################################
if ($sovpnsettings{EXTENDED_FASTIO} eq 'on') {
print CONF "fast-io\n";
}
if ($sovpnsettings{EXTENDED_NICE} != 0) {
print CONF "nice $sovpnsettings{EXTENDED_NICE}\n";
}
if ($sovpnsettings{EXTENDED_MTUDISC} eq 'on') {
print CONF "mtu-disc yes\n";
}
if ($sovpnsettings{EXTENDED_MSSFIX} ne '') {
print CONF "mssfix $sovpnsettings{EXTENDED_MSSFIX}\n";
}
if ($sovpnsettings{EXTENDED_FRAGMENT} ne '') {
print CONF "fragment $sovpnsettings{EXTENDED_FRAGMENT}\n";
}
#################################################################################
# End of Inserted Data #
#################################################################################
print CONF "tls-verify /var/ipfire/ovpn/verify\n";
print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
print CONF "user nobody\n";
print CONF "group nobody\n";
print CONF "persist-key\n";
print CONF "persist-tun\n";
if ($sovpnsettings{LOG_VERB} ne '') {
print CONF "verb $sovpnsettings{LOG_VERB}\n";
} else {
print CONF "verb 3\n";
}
print CONF "\n";
close(CONF);
}
sub writenet2netconf {
my $n2nkey = $_[0];
my $zerinaclient = $_[1];
my %n2nconfighash = ();
my $file = '';
# my $file = '';
my $clientovpn = '';
my @fileholder;
my $tempdir = tempdir( CLEANUP => 1 );
my $zippath = "$tempdir/";
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%n2nconfighash);
if (! $n2nkey) {
$n2nkey = &General::findhasharraykey (\%n2nconfighash);
foreach my $i (0 .. 25) { $n2nconfighash{$n2nkey}[$i] = "";}
}
my $zipname = "$n2nconfighash{$n2nkey}[1].zip";
my $zippathname = "$zippath$zipname";
if ($n2nconfighash{$n2nkey}[3] eq 'net') {
if ($zerinaclient eq '') {
if ( -d "${General::swroot}/ovpn/n2nconf/$n2nconfighash{$n2nkey}[1]"){
while ($file = glob("${General::swroot}/ovpn/n2nconf/$n2nconfighash{$n2nkey}[1]/*.conf")) {
unlink $file
}
} else {
mkdir("${General::swroot}/ovpn/n2nconf/$n2nconfighash{$n2nkey}[1]", 0770);
}
open(CONF, ">${General::swroot}/ovpn/n2nconf/$n2nconfighash{$n2nkey}[1]/$n2nconfighash{$n2nkey}[1].conf") or die "Unable to open ${General::swroot}/ovpn/n2nconf/$n2nconfighash{$n2nkey}[1]/$n2nconfighash{$n2nkey}[1].conf: $!";
} else {
$clientovpn = "$n2nconfighash{$n2nkey}[1].conf";
open(CONF, ">$tempdir/$clientovpn") or die "Unable to open $tempdir/$clientovpn: $!";
}
flock CONF, 2;
print CONF "dev tun\n";
print CONF "tun-mtu $n2nconfighash{$n2nkey}[17]\n";
print CONF "proto $n2nconfighash{$n2nkey}[14]\n";
print CONF "port $n2nconfighash{$n2nkey}[15]\n";
my @tempovpnsubnet = split("\/",$n2nconfighash{$n2nkey}[13]);
my @ovpnip = split /\./,$tempovpnsubnet[0];
# if ((($zerinaclient eq '') && ($n2nconfighash{$n2nkey}[19] eq 'no'))) {
if ((($zerinaclient eq '') && ($n2nconfighash{$n2nkey}[6] eq 'server'))) {
print CONF "ifconfig $ovpnip[0].$ovpnip[1].$ovpnip[2].1 $ovpnip[0].$ovpnip[1].$ovpnip[2].2\n";
print CONF "remote $n2nconfighash{$n2nkey}[10]\n";
print CONF "tls-server\n";
print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n";
print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n";
print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n";
print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n";
my @tempremotesubnet = split("\/",$n2nconfighash{$n2nkey}[11]);
print CONF "route $tempremotesubnet[0] $tempremotesubnet[1]\n";
} else {
print CONF "ifconfig $ovpnip[0].$ovpnip[1].$ovpnip[2].2 $ovpnip[0].$ovpnip[1].$ovpnip[2].1\n";
#print CONF "$zerinaclient ufuk 10=$n2nconfighash{$n2nkey}[10] 18=$n2nconfighash{$n2nkey}[18] 19=$n2nconfighash{$n2nkey}[19] \n";
if ($zerinaclient ne 'true'){
if ($n2nconfighash{$n2nkey}[19] eq 'no'){
print CONF "remote $n2nconfighash{$n2nkey}[10]\n";
} else {
print CONF "remote $n2nconfighash{$n2nkey}[10]\n";
}
} else {
print CONF "remote $n2nconfighash{$n2nkey}[18]\n";
}
print CONF "tls-client\n";
if ($zerinaclient ne 'true'){
print CONF "pkcs12 ${General::swroot}/ovpn/n2nconf/$n2nconfighash{$n2nkey}[1]/$n2nconfighash{$n2nkey}[1].p12\n";
} else {
print CONF "pkcs12 $n2nconfighash{$n2nkey}[1].p12\n";
}
if ($n2nconfighash{$n2nkey}[19] eq 'no'){
my @tempremotesubnet = split("\/",$n2nconfighash{$n2nkey}[8]);
print CONF "route $tempremotesubnet[0] $tempremotesubnet[1]\n";
} else {
my @tempremotesubnet = split("\/",$n2nconfighash{$n2nkey}[11]);
print CONF "route $tempremotesubnet[0] $tempremotesubnet[1]\n";
}
}
if ($n2nconfighash{$n2nkey}[26] > 0 && $n2nconfighash{$n2nkey}[27] > 0) {
print CONF "keepalive $n2nconfighash{$n2nkey}[26] $n2nconfighash{$n2nkey}[27]\n";
} else {
print CONF "keepalive 10 60\n";
}
print CONF "cipher $n2nconfighash{$n2nkey}[20]\n";
if ($n2nconfighash{$n2nkey}[16] eq 'on') {
print CONF "comp-lzo\n";
}
if ($n2nconfighash{$n2nkey}[42] ne '') {
print CONF "verb $n2nconfighash{$n2nkey}[42]\n";
} else {
print CONF "verb 3\n";
}
if ($n2nconfighash{$n2nkey}[19] eq 'no'){
print CONF "#$n2nconfighash{$n2nkey}[11]\n";
} else {
print CONF "#$n2nconfighash{$n2nkey}[8]\n";
}
if ($zerinaclient ne 'true') {
print CONF "daemon OVPN_$n2nconfighash{$n2nkey}[1]\n";
print CONF "#status ${General::swroot}/ovpn/n2nconf/$n2nconfighash{$n2nkey}[1]/$n2nconfighash{$n2nkey}[1].log 2\n";
}
close(CONF);
if ($zerinaclient eq 'true') {
my $zip = Archive::Zip->new();
$zip->addFile( "${General::swroot}/ovpn/certs/$n2nconfighash{$n2nkey}[1].p12", "$n2nconfighash{$n2nkey}[1].p12") or die "Can't add file ${General::swroot}/ovpn/certs/$n2nconfighash{$n2nkey}[1].p12\n";
$zip->addFile( "$tempdir/$clientovpn", $clientovpn) or die "Can't add file $clientovpn\n";
my $status = $zip->writeToFileNamed($zippathname);
open(DLFILE, "<$zippathname") or die "Unable to open $zippathname: $!";
@fileholder = <DLFILE>;
print "Content-Type:application/x-download\n";
print "Content-Disposition:attachment;filename=$zipname\n\n";
print @fileholder;
exit (0);
}
}
}
sub removenet2netconf {
my %n2nconfighash = ();
my $key = $_[0];
my $file = '';
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%n2nconfighash);
if ($n2nconfighash{$key}[3] eq 'net') {
if ( -d "${General::swroot}/ovpn/n2nconf/$n2nconfighash{$key}[1]"){
while ($file = glob("${General::swroot}/ovpn/n2nconf/$n2nconfighash{$key}[1]/*")) {
unlink $file
}
rmdir("${General::swroot}/ovpn/n2nconf/$n2nconfighash{$key}[1]");
}
}
}
sub emptyserverlog{
if (open(FILE, ">/var/log/ovpnserver.log")) {
flock FILE, 2;
print FILE "";
close FILE;
}
}
sub displayca {
my $key = $_[0];
my %cahash = ();
&General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash);
if ( -f "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem") {
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', $errormessage);
&Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:");
my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem`;
$output = &Header::cleanhtml($output,"y");
print "<pre>$output</pre>\n";
&Header::closebox();
print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
&Header::closebigbox();
&Header::closepage();
exit(0);
} else {
$errormessage = $Lang::tr{'invalid key'};
}
}
sub displayroothost {
my $roothost = $_[0];
my $output;
&Header::showhttpheaders();
&Header::openpage($Lang::tr{'vpn configuration main'}, 1, '');
&Header::openbigbox('100%', 'LEFT', '', '');
if ($roothost eq $Lang::tr{'show root certificate'}) {
&Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:");
$output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
} else {
&Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:");
$output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`;
}
$output = &Header::cleanhtml($output,"y");
print "<pre>$output</pre>\n";
&Header::closebox();
print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
&Header::closebigbox();
&Header::closepage();
exit(0);
}
sub killconnection {
my $key = $_[0];
my %n2nconfighash = ();
&General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%n2nconfighash);
my $n2nactive = `/bin/ps ax|grep $n2nconfighash{$key}[1].conf|grep -v grep|awk \'{print \$1}\'`;
if ($n2nactive ne ''){
system('/usr/local/bin/openvpnctrl', '-kn2n', $n2nactive);
}
}
sub cidrormask {
my $cidrmask = $_[0];
my $cidrmask2 = $cidrmask;
if ("/$cidrmask" =~ /^\/(\d+)/){#cidr
if ($cidrmask2 = &cidr2mask("/$cidrmask")) {
return $cidrmask2;
} else {
if ($cidrmask =~ /^\d+\.\d+\.\d+\.\d+/){#mask
return $cidrmask;
}
}
} else {
if ($cidrmask =~ /^\d+\.\d+\.\d+\.\d+/){#mask
return $cidrmask;
}
}
}
sub cidr2mask {
my( $cidr ) = @_;
my( $one32 ) = 0xffffffff;
my( @d, $n, $bits );
if ( $cidr eq "/0" ) {
return "0.0.0.0";
}
if ( $cidr !~ /\/(\d+)/ ) {
return undef;
}
$bits = $1;
if ( $bits > 32 ) {
return undef;
}
#-- convert to subnet-style mask
$n = $one32 << (32 - $bits);
$d[3] = $n % 256; $n = int( $n / 256);
$d[2] = $n % 256; $n = int( $n / 256);
$d[1] = $n % 256; $n = int( $n / 256);
$d[0] = $n;
return join '.', @d;
}
# ----------------------------------------------------------------------------
# $cidr = &mask2cidr( $mask )
# ----------------------------------------------------------------------------
sub mask2cidr {
my( $mask ) = @_;
my( @d, $n, $bits );
if ( $mask eq "0.0.0.0" ) {
return "/0";
}
if ( ! &validMask( $mask ) ) {
return undef;
}
@d = split /\./, $mask;
$n = ((((($d[0] * 256) + $d[1]) * 256) + $d[2]) * 256) + $d[3];
$bits = 32;
while ( ($n % 2) == 0 ) {
$n >>= 1;
$bits -= 1;
}
return "/$bits";
}
# ----------------------------------------------------------------------------
# $yesno = &validMask( $mask )
# ----------------------------------------------------------------------------
sub validMask {
my( $mask ) = @_;
my( @d, $n, $str );
@d = split /\./, $mask;
$n = ((((($d[0] * 256) + $d[1]) * 256) + $d[2]) * 256) + $d[3];
$str = sprintf "%b", $n;
return ( $str =~ /^1+0*$/ );
}
sub overlapping {
# read all subnets from AD, convert to integer range, and sort.
foreach $subnet (@subnets2) {
($from, $to) = &subnet2range ($subnet);
push @subnets, { cn => $subnet, from => $from, to => $to };
}
@subnets = sort { $a->{from} <=> $b->{from} } @subnets;
# compare all possible subnets for overlap; depend on sort order.
for ($i=0; $i<=$#subnets; $i++) {
for ($j=$i+1; $j<=$#subnets; $j++) {
last if $subnets[$i]->{to} < $subnets[$j]->{from}; # no possible overlap anymore;
push @{$overlaps{$subnets[$i]->{cn}}}, $subnets[$j]->{cn} if $subnets[$i]->{to} >= $subnets[$j]->{from};
}
}
if (scalar (keys %overlaps)) {
foreach $subnet (sort keys %overlaps) {
#$errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire IPSEC : %s\n", $subnet, join (", ", sort @{$overlaps{$subnet}});
$errormessage = "$subnet : $overlaps{$subnet}[0]";
last;
}
}
return $errormessage;
}
# &subnet2range ($subnet)
# convert subnets to integers in order to compare them later.
# A subnet looks like this: 10.1.2.0/24
# returns beginning and end of subnet as integer
#
sub subnet2range {
my $subnet = shift (@_);
my ($from, $to);
$subnet =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)\/(\d+)$/ || die "bad subnet $subnet\n";
$from = $1*2**24 + $2*2**16 + $3*2**8 + $4;
$to = $from + 2**(32-$5) - 1;
return ($from, $to);
}
sub ovelapplausi {
my $tmpovpnsubnet0 = $_[0];
my $tmpovpnsubnet1 = $_[1];
my %vpnconfighash = ();
my $tmpcidr = '';
my @tmpremotevpnsubnet;
&General::readhasharray("${General::swroot}/vpn/config", \%vpnconfighash);
if (&General::IpInSubnet ( $netsettings{'GREEN_ADDRESS'},
$tmpovpnsubnet0, $tmpovpnsubnet1)) {
$errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Green Network $netsettings{'GREEN_ADDRESS'}";
return $errormessage;
}
if (&haveBlueNet()) {
if (&General::IpInSubnet ( $netsettings{'BLUE_ADDRESS'},
$tmpovpnsubnet0, $tmpovpnsubnet1)) {
$errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Blue Network $netsettings{'BLUE_ADDRESS'}";
return $errormessage;
}
}
if (&haveOrangeNet()) {
if (&General::IpInSubnet ( $netsettings{'ORANGE_ADDRESS'},
$tmpovpnsubnet0, $tmpovpnsubnet1)) {
$errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire Orange Network $netsettings{'ORANGE_ADDRESS'}";
return $errormessage;
}
}
open(ALIASES, "${General::swroot}/ethernet/aliases") or die 'Unable to open aliases file.';
while (<ALIASES>)
{
chomp($_);
my @tempalias = split(/\,/,$_);
if ($tempalias[1] eq 'on') {
if (&General::IpInSubnet ($tempalias[0] ,
$tmpovpnsubnet0, $tmpovpnsubnet1)) {
$errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire alias entry $tempalias[0]";
exit $errormessage;
}
}
}
close(ALIASES);
#check against ipsec connections
foreach my $key (keys %vpnconfighash) {
#$confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'};
#$confighash{$key}[3]#host or net
#$confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'};
#$confighash{$key}[10] = $cgiparams{'REMOTE'};
&emptyarray();
$tmpcidr = &mask2cidr($tmpovpnsubnet1);
push @subnets2, "$tmpovpnsubnet0$tmpcidr";
@tmpremotevpnsubnet = split("\/",$vpnconfighash{$key}[8]);
$tmpcidr = &mask2cidr($tmpremotevpnsubnet[1]);
push @subnets2, "$tmpremotevpnsubnet[0]$tmpcidr";
$errormessage2 = &overlapping();
if ($errormessage2 ne '') {
$errormessage = "$Lang::tr{'ovpn subnet overlap'}IPSCEC Connection=$vpnconfighash{$key}[1] $Lang::tr{'local subnet'} $errormessage2 ";
last;
}
&emptyarray();
if ($vpnconfighash{$key}[3] eq 'net'){
if (&General::IpInSubnet ($vpnconfighash{$key}[10],$tmpovpnsubnet0, $tmpovpnsubnet1)) {
$errormessage = "$Lang::tr{'ovpn subnet overlap'} IPFire IPSEC Connection/IP: $vpnconfighash{$key}[1]/$vpnconfighash{$key}[10]";
last;
}
#check agains ipsec local subent
push @subnets2, "$tmpovpnsubnet0$tmpcidr";
@tmpremotevpnsubnet = split("\/",$vpnconfighash{$key}[11]);
$tmpcidr = &mask2cidr($tmpremotevpnsubnet[1]);
push @subnets2, "$tmpremotevpnsubnet[0]$tmpcidr";
$errormessage2 = &overlapping();
if ($errormessage2 ne '') {
$errormessage = "$Lang::tr{'ovpn subnet overlap'}IPSCEC Connection=$vpnconfighash{$key}[1] $Lang::tr{'remote subnet'} $errormessage2 ";
last;
}
&emptyarray();
push @subnets2, "$tmpovpnsubnet0$tmpcidr";
@tmpremotevpnsubnet = split("\/",$vpnconfighash{$key}[8]);
$tmpcidr = &mask2cidr($tmpremotevpnsubnet[1]);
push @subnets2, "$tmpremotevpnsubnet[0]$tmpcidr";
$errormessage2 = &overlapping();
if ($errormessage2 ne '') {
$errormessage = "$Lang::tr{'ovpn subnet overlap'}IPSCEC Connection=$vpnconfighash{$key}[1] $Lang::tr{'local subnet'} $errormessage2 ";
last;
}
&emptyarray();
}
}
#check against OpenVPN Connections (aware check against itself)
return $errormessage;
}
sub emptyarray {
@subnets2 = ();
@subnets = ();
}

3247
html/cgi-bin/ovpnmain.cgi Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
html/html/images/openvpn.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

100
langs/de/cgi-bin/de.pl
View File

@@ -958,6 +958,106 @@
'you can only define one roadwarrior connection when using pre-shared key authentication' => 'Sie können nur eine Roadwarrior Verbindung definieren, wenn die Pre-shared Schlüsselauthentifizierung verwendet wird.<br/>Entweder haben Sie bereits eine Roadwarrior Verbindung mit Pre-shared Schlüsselauthentifizierung, oder Sie versuchen gerade eine hinzuzufügen.',
'your department' => 'Ihre Abteilung',
'your e-mail' => 'Ihre E-mail Adresse',
'connect' => 'OVPN Start / Verbinden',
'disconnect' => 'OVPN Stop / Trennen',
'add new ovpn' => 'OpenVPN Einstellungen:',
'Remote IP' => 'Entfernte IP / Hostname (DynDNS):',
'comment' => 'Kommentar:',
'alt ovpn' => 'OpenVPN',
'ovpn' => 'OpenVPN',
'ovpn log' => 'OVPN-Log',
'ovpn config' => 'OVPN-Konfiguration',
'ovpnstatus log' => 'OVPN-Status-Log',
'ovpnsys log' => 'OVPN-System-Log',
'current ovpn' => 'Aktive OVPN-Verbindung:',
'Local VPN IP' => 'Internes Netzwerk (GREEN):',
'Remote VPN IP' => 'VPN Subnetz (z.B. 10.0.10.0/255.255.255.0):',
'Ping'=> 'Ping :',
'optional data'=> '3. Optionale Einstellungen:',
'requested data' => '1. Verbindungs Einstellungen:',
'Resolv'=> 'Resolv-Retry:',
'Verbose'=> 'Verbose:',
'MTU'=> 'MTU Size:',
'choose config' => 'Konfiguration auswaehlen',
'generate' => 'Root/Host Zertifikate generieren',
'test' => 'test',
'ovpn dl' => 'OVPN-Konfiguration downloaden',
'key stuff' => '2. Keys und Zertifikate',
'status ovpn' => '4. OpenVPN Status / Konfiguration:',
'manage ovpn' => '5. Tunnel Management:',
'genkey' => 'PSK erzeugen',
'exportkey' => 'PSK exportieren',
'importkey' => 'PSK importieren',
'OpenVPN' => 'OpenVPN',
'o-yes' => 'Aktiv',
'o-no' => 'Inaktiv',
'comp-lzo' => 'LZO-Kompression:',
'error external access' => 'Kann /var/ipcop/xtaccess/config nicht <20>ffnen (external acccess could not be granted)!',
'error config' => 'Kann /var/ipcop/ovpn/config/ZERINA.ovpn nicht <20>ffnen!',
'hint' => 'Tipp:',
'empty' => 'Dieses Feld kann leer bleiben',
'cipher' => 'Verschl<68>sselung:',
'debugme' => 'Noch nicht implementiert',
'Client status and controlc' => 'Client Status und Kontrolle:',
'Act as' => 'Konfiguriert als:',
'openvpn server' => 'OpenVPN Server',
'openvpn client' => 'OpenVPN Client',
'ovpn subnet' => 'OpenVPN Subnetz (z.B. 10.0.10.0/255.255.255.0)',
'gen static key' => 'Statischen Schl<68>ssel erzeugen',
'upload static key' => 'Statischen Schl<68>ssel hochladen',
'ovpn device' => 'OpenVPN Ger<65>t',
'external access rule changed' => 'External access Regel geaendert; Der access controller wird neu gestartet.',
'ovpn subnet is invalid' => 'Das OpenVPN Subnetz ist ung<6E>ltig.',
'invalid mtu input' => 'Ung<6E>ltige MTU',
'start ovpn server' => 'Starte OpenVPN Server',
'stop ovpn server' => 'Stoppe OpenVPN Server',
'restart ovpn server' => 'OpenVPN Server neu starten',
'ovpn server status', => 'OpenVPN Server Status:',
'dl client arch', => 'Client Paket herunterladen (zip)',
'ovpn on red' => 'OpenVPN auf ROT',
'ovpn on blue' => 'OpenVPN auf BLAU',
'ovpn on orange' => 'OpenVPN auf ORANGE',
'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
'real address' => 'Reale Addresse',
'virtual address' => 'Virtuelle Addresse',
'loged in at' => 'Angemeldet seit',
'bytes sent' => 'Bytes Gesendet',
'bytes received' => 'Bytes Empfangen',
'last activity' => 'Letzte Aktivitaet',
'ovpn subnet overlap' => 'OpenVPN Subnetz <20>berschneidet sich mit : ',
'show crl' => 'Certificate Revocation List anzeigen',
'crl' => 'Certificate Revocation List',
'advanced server' => 'Erweiterte Server Optionen',
'dhcp-options' => 'DHCP push Optionen',
'log-options' => 'Logfile options',
'misc-options' => 'Sonstige Optionen',
'save-adv-options' => 'Erweiterte Optionen speichern',
'cancel-adv-options' => 'Abbrechen',
'invalid input for dhcp domain' => 'Ung<6E>ltige Eingabe f<>r DHCP Domain',
'invalid input for dhcp dns' => 'Ung<6E>ltige Eingabe f<>r DHCP DNS',
'invalid input for dhcp wins' => 'Ung<6E>ltige Eingabe f<>r DHCP WINS',
'invalid input for max clients' => 'Ung<6E>ltige Eingabe f<>r Max Clients',
'invalid input for keepalive 1' => 'Ung<6E>ltige Eingabe f<>r Keepalive ping',
'invalid input for keepalive 2' => 'Ung<6E>ltige Eingabe f<>r Keepalive ping-restart',
'valid till' => 'G<>ig bis',
'ovpn_processprio' => 'Prozesspriorit<69>t',
'ovpn_fastio' => 'Fast-IO',
'ovpn_mtudisc' => 'MTU-Discovery',
'ovpn_mssfix' => 'MSSFIX Gr<47>sse',
'ovpn_fragment' => 'Fragmentgr<67>sse',
'ovpn_processprioEH' => 'Extrem Hoch',
'ovpn_processprioVH' => 'Sehr Hoch',
'ovpn_processprioH' => 'Hoch',
'ovpn_processprioEN' => 'H<>her als Normal',
'ovpn_processprioN' => 'Normal',
'ovpn_processprioLN' => 'Tiefer als Normal',
'ovpn_processprioD' => 'Tief',
'ovpn_processprioVD' => 'Sehr Tief',
'ovpn_processprioED' => 'Extrem Tief',
'server reserved' => 'The connection name server is reserved and not allowed',
'add-route' => 'Additional push route',
'subnet' => 'Subnet',
'route subnet is invalid' => 'Additional push route subnet is invalid',
);

102
langs/en/cgi-bin/en.pl
View File

@@ -989,5 +989,107 @@
'traffics' => 'Utilization-overview:',
'trafficsum' => 'Totals',
'trafficto' => 'To',
'connect' => 'OVPN Start / Connect',
'disconnect' => 'OVPN Stop / Disconnect',
'add new ovpn' => 'OpenVPN Settings:',
'Remote IP' => 'Remote IP / Hostname (DynDNS):',
'comment' => 'Description:',
'alt ovpn' => 'OpenVPN',
'ovpn' => 'OpenVPN',
'ovpn log' => 'OVPN-Log',
'ovpn config' => 'OVPN-Config',
'ovpnstatus log' => 'OVPN-Status-Log',
'ovpnsys log' => 'OVPN-System-Log',
'current ovpn' => 'Active OVPN-Connection:',
'Local VPN IP' => 'Internal Network (GREEN):',
'Remote VPN IP' => 'VPN Subnet (e.g. 10.0.10.0/255.255.255.0):',
'Ping'=> 'Ping :',
'optional data'=> '3. Optional Settings:',
'requested data' => '1. Connection Settings:',
'Resolv'=> 'Resolv-Retry:',
'Verbose'=> 'Verbose:',
'MTU'=> 'MTU Size:',
'choose config' => 'Choose Config',
'generate' => 'Generate Root/Host Zertifikate',
'test' => 'test',
'ovpn dl' => 'OVPN-Config Download',
'key stuff' => '2. Keys and Certificates',
'status ovpn' => '4. OpenVPN Status / Configuration:',
'manage ovpn' => '5. Tunnel Management:',
'genkey' => 'Generate PSK',
'exportkey' => 'Export PSK',
'importkey' => 'Import PSK',
'OpenVPN' => 'OpenVPN',
'o-yes' => 'Activ',
'o-no' => 'Inactiv',
'comp-lzo' => 'LZO-Compression:',
'error external access' => 'Could not open /var/ipcop/xtaccess/config (external acccess could not be granted)!',
'error config' => 'Could not open /var/ipcop/ovpn/config/ZERINA.ovpn !',
'hint' => 'Hint:',
'empty' => 'This field may be left blank',
'cipher' => 'Encryption:',
'debugme' => 'Not yet implemented',
'Client status and controlc' => 'Client status and control:',
'Act as' => 'Act as:',
'openvpn server' => 'OpenVPN Server',
'openvpn client' => 'OpenVPN Client',
'ovpn subnet' => 'OpenVPN Subnet(e.g. 10.0.10.0/255.255.255.0)',
'gen static key' => 'Generate a static Key',
'upload static key' => 'Upload a static Key',
'ovpn device' => 'OpenVPN device',
'external access rule changed' => 'External access rule changed; restarting access controller',
'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
'invalid mtu input' => 'Invalid MTU',
'start ovpn server' => 'Start OpenVPN Server',
'stop ovpn server' => 'Stop OpenVPN Server',
'restart ovpn server' => 'Restart OpenVPN Server',
'ovpn server status', => 'Current OpenVPN Server Status:',
'dl client arch', => 'Download Client Package (zip)',
'ovpn on red' => 'OpenVPN on RED',
'ovpn on blue' => 'OpenVPN on BLUE',
'ovpn on orange' => 'OpenVPN on ORANGE',
'ovpn con stat' => 'OpenVPN Connection Statistics',
'real address' => 'Real Address',
'virtual address' => 'Virtual Address',
'loged in at' => 'Logged In At',
'bytes sent' => 'Bytes Sent',
'bytes received' => 'Bytes Received',
'last activity' => 'Last Activity',
'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
'show crl' => 'Show Certificate Revocation List',
'crl' => 'Certificate Revocation List',
'advanced server' => 'Advanced Server options',
'dhcp-options' => 'DHCP push options',
'log-options' => 'Logfile options',
'misc-options' => 'Miscellaneous options',
'save-adv-options' => 'Save Advanced options',
'cancel-adv-options' => 'Cancel',
'invalid input for dhcp domain' => 'Invalid input for DHCP Domain',
'invalid input for dhcp dns' => 'Invalid input for DHCP DNS',
'invalid input for dhcp wins' => 'Invalid input for DHCP WINS',
'invalid input for max clients' => 'Invalid input for Max Clients',
'invalid input for keepalive 1' => 'Invalid input for Keepalive ping',
'invalid input for keepalive 2' => 'Invalid input for Keepalive ping-restart',
'invalid input for keepalive 2' => 'Invalid input for Keepalive ping-restart',
'invalid input for keepalive 1:2' => 'Invalid input for Keepalive use at least a ratio of 1:2',
'valid till' => 'Valid till',
'ovpn_processprio' => 'Process priority',
'ovpn_fastio' => 'Fast-IO',
'ovpn_mtudisc' => 'MTU-Discovery',
'ovpn_mssfix' => 'MSSFIX Size',
'ovpn_fragment' => 'Fragmentsize',
'ovpn_processprioEH' => 'Extremely high',
'ovpn_processprioVH' => 'Very high',
'ovpn_processprioH' => 'High',
'ovpn_processprioEN' => 'More highly than normal',
'ovpn_processprioN' => 'Normal',
'ovpn_processprioLN' => 'More deeply than normal',
'ovpn_processprioD' => 'Deeply',
'ovpn_processprioVD' => 'Very deeply',
'ovpn_processprioED' => 'Extremely deeply',
'server reserved' => 'The connection name server is reserved and not allowed',
'add-route' => 'Additional push route',
'subnet' => 'Subnet',
'route subnet is invalid' => 'Additional push route subnet is invalid',
);

12
lfs/openvpn
View File

@@ -58,9 +58,6 @@ download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
#dist:
# make-packages.sh postfix $(THISAPP)
###############################################################################
# Downloading, checking, md5sum
###############################################################################
@@ -81,8 +78,15 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure --enable-pthread --sysconfdir=/var/ipfire/ovpn
cd $(DIR_APP) && ./configure --enable-pthread --sysconfdir=/var/ipfire/ovpn --prefix=/usr
cd $(DIR_APP) && make
cd $(DIR_APP) && make install
cd $(DIR_APP) && cp -Rvf $(DIR_SRC)/config/ovpn /var/ipfire
chown -R nobody:nobody /var/ipfire/ovpn
chown root.nobody /var/log/ovpnserver.log
chmod 755 /var/ipfire/ovpn/verify
chmod 660 /var/log/ovpnserver.log
chmod 700 /var/ipfire/ovpn/certs
chmod 700 /var/ipfire/ovpn/n2nconf
@rm -rf $(DIR_APP)
@$(POSTBUILD)

6
lfs/sysklogd
View File

@@ -85,8 +85,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/sysklogd-1.4.1-owl-syslogd-crunch_list.diff
cd $(DIR_APP) && CFLAGS="$(CFLAGS) -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce" make -e
cd $(DIR_APP) && CFLAGS="$(CFLAGS) -DSYSV -fomit-frame-pointer -Wall -fno-strength-reduce" make -e install
touch /var/log/{boot.log,dhcpcd.log,messages}
chmod 664 /var/log/{boot.log,dhcpcd.log,messages}
chown 0:105 /var/log/{boot.log,dhcpcd.log,messages}
touch /var/log/{boot.log,dhcpcd.log,messages,ovpnserver.log}
chmod 664 /var/log/{boot.log,dhcpcd.log,messages,ovpnserver.log}
chown 0:105 /var/log/{boot.log,dhcpcd.log,messages,ovpnserver.log}
@rm -rf $(DIR_APP)
@$(POSTBUILD)

6
lfs/xampp
View File

@@ -26,7 +26,7 @@
include Config
VER = 1.5.3
VER = 1.5.3a
THISAPP = xampp-linux-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -48,8 +48,8 @@ xampp-linux-devel-$(VER).tar.gz = $(URL_IPFIRE)/xampp-linux-devel-$(VER).tar.gz
PostGreSQL-AddOn-1.0-pgsql8.1.tar.gz = $(URL_IPFIRE)/PostGreSQL-AddOn-1.0-pgsql8.1.tar.gz
Python-AddOn-1.3.tar.gz = $(URL_IPFIRE)/Python-AddOn-1.3.tar.gz
$(DL_FILE)_MD5 = 649c1fdc76435e3d5315e1ad86f9bace
xampp-linux-devel-$(VER).tar.gz_MD5 = fbdc87b3c1d6ee123173d08310baca7a
$(DL_FILE)_MD5 = 422ab1faa4ab7afb3be8918ab8223b6b
xampp-linux-devel-$(VER).tar.gz_MD5 = 30b4bce92ec389adf61cbf67246efd1f
PostGreSQL-AddOn-1.0-pgsql8.1.tar.gz_MD5 = 63171afe553fd557032407e1ba6af477
Python-AddOn-1.3.tar.gz_MD5 = 5a962ea63c3e502227c8cca30e0ce786

6
src/ROOTFILES.i386
View File

@@ -1355,6 +1355,7 @@ tmp
#usr/local/bin
usr/local/bin/httpscert
usr/local/bin/makegraphs
#usr/local/bin/make-packages.sh
usr/local/bin/readhash
usr/local/bin/setddns.pl
usr/local/bin/setreservedports
@@ -16351,6 +16352,7 @@ usr/sbin/syslogd
var/log/boot.log
var/log/dhcpcd.log
var/log/messages
var/log/ovpnserver.log
var/empty
##
## sysvinit-2.86
@@ -20995,6 +20997,9 @@ home/httpd/cgi-bin/ids.cgi
home/httpd/cgi-bin/index.cgi
home/httpd/cgi-bin/ipinfo.cgi
home/httpd/cgi-bin/fwhits.cgi
home/httpd/cgi-bin/ovpnfunc.pl
home/httpd/cgi-bin/ovpnmain.cgi
home/httpd/html/images/openvpn.gif
#home/httpd/cgi-bin/logs.cgi
home/httpd/cgi-bin/logs.cgi/config.dat
home/httpd/cgi-bin/logs.cgi/firewalllog.dat
@@ -22498,6 +22503,7 @@ usr/local/bin/ipfirereboot
usr/local/bin/ipfirerscfg
usr/local/bin/ipsecctrl
usr/local/bin/logwatch
usr/local/bin/openvpnctrl
usr/local/bin/rebuildhosts
usr/local/bin/restartdhcp
usr/local/bin/restartntpd

5
src/misc-progs/Makefile
View File

@@ -9,7 +9,7 @@ SUID_PROGS = setdmzholes setportfw setfilters setxtaccess restartdhcp restartsno
ipfirebkcfg ipfirerscfg installpackage installfcdsl ipsecctrl \
setaliases ipfirebackup restartntpd \
restartapplejuice setdate rebuildhosts \
restartsyslogd logwatch
restartsyslogd logwatch openvpnctrl
# restartwireless
install : all
@@ -36,6 +36,9 @@ $(PROGS): setuid.o
logwatch: logwatch.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ logwatch.c setuid.o ../install+setup/libsmooth/varval.o -o $@
openvpnctrl: openvpnctrl.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ openvpnctrl.c setuid.o ../install+setup/libsmooth/varval.o -o $@
setaliases: setaliases.c setuid.o ../install+setup/libsmooth/varval.o
$(COMPILE) -I../install+setup/libsmooth/ setaliases.c setuid.o ../install+setup/libsmooth/varval.o -o $@

451
src/misc-progs/openvpnctrl.c Normal file
View File

@@ -0,0 +1,451 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <fcntl.h>
#include "setuid.h"
#include "libsmooth.h"
/*
Version History
1.0.0.0 many things happend before ...
2.0.0.1 2005/06/09 tarralan
add. Version History
add. deleteChainReference(char*)
add. createChainReference(char*)
mod. deleteChain(char*)
mod. flushChain(char*)
add. flushAllChains()
del. deletechains()
add. consts for chain names
del. createchains()
add. createAllChains()
add. ovpnInit()
add. global vars for chain and interface status
add. usage of consts for chain names
mod. reworked createAllChains()
2.0.0.2 2005/06/09 horizont
change the input + forward chain position index based on active interfaces
2.0.0.3 2005/06/09 tarralan
mod. removed const attribute
2.0.0.4 2005/06/12 tarralan
add. debug condition f<>r output
mod. changed definition auf consts
2.0.0.5-7 2005/06/12 tarralan
debugging
2.0.0.8 2005/06/12 tarralan
add. executeCommand()
2.0.0.9-16 2005/06/12 tarralan
debugging
2.0.0.17 2005/06/12 tarralan
mod. createAllChains
2.0.1.1 2005/06/12 tarralan
non-debug build
2.0.1.2 2005/06/13 tarralan
mod. some options renamed
2.0.1.3 2005/06/13 tarralan
mod. startDaemon() to verify if OpenVPN is enabled
mod. createAllChains() to verify if OpenVPN is enabled
mod. command help
2.0.1.4 2005/06/13 tarralan
mod. bug fixed with the -sdo option
2.0.1.5 2005/11/06 Ufuk Altinkaynak
mod. bug fixed no need to read blue and orange dev, when they are not enabled
2.0.1.6 2005/01/03 Ufuk Altinkaynak
mod. bug fixed reported by weizen_42 see http://www.vpnforum.de/viewtopic.php?p=7113#7113
# ZERNINA-VERSION:0.9.0b
# (c) 2005 tarralan + Ufuk Altinkaynak
#
# Ipcop and OpenVPN eas as one two three..
#
*/
#define noovpndebug
// global vars
struct keyvalue *kv = NULL;
FILE *ifacefile = NULL;
char redif[STRING_SIZE];
char blueif[STRING_SIZE];
char orangeif[STRING_SIZE];
char enablered[STRING_SIZE] = "off";
char enableblue[STRING_SIZE] = "off";
char enableorange[STRING_SIZE] = "off";
// consts
char OVPNRED[STRING_SIZE] = "OVPN";
char OVPNBLUE[STRING_SIZE] = "OVPN_BLUE_";
char OVPNORANGE[STRING_SIZE] = "OVPN_ORANGE_";
char WRAPPERVERSION[STRING_SIZE] = "2.0.1.6";
void exithandler(void)
{
if(kv)
freekeyvalues(kv);
if (ifacefile)
fclose(ifacefile);
}
void usage(void)
{
#ifdef ovpndebug
printf("Wrapper for OpenVPN v%s-debug\n", WRAPPERVERSION);
#else
printf("Wrapper for OpenVPN v%s\n", WRAPPERVERSION);
#endif
printf("openvpnctrl <option>\n");
printf(" Valid options are:\n");
printf(" -s --start\n");
printf(" starts OpenVPN (implicitly creates chains and firewall rules)\n");
printf(" -k --kill\n");
printf(" kills/stops OpenVPN\n");
printf(" -r --restart\n");
printf(" restarts OpenVPN (implicitly creates chains and firewall rules)\n");
printf(" -d --display\n");
printf(" displays OpenVPN status to syslog\n");
printf(" -fwr --firewall-rules\n");
printf(" removes current OpenVPN chains and rules and resets them according to the config\n");
printf(" -sdo --start-daemon-only\n");
printf(" starts OpenVPN daemon only (useful for rc.local)\n");
printf(" -ccr --create-chains-and-rules\n");
printf(" creates chains and rules for OpenVPN\n");
printf(" -dcr --delete-chains-and-rules\n");
printf(" removes all chains for OpenVPN\n");
exit(1);
}
void ovpnInit(void) {
// Read OpenVPN configuration
kv = initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings")) {
fprintf(stderr, "Cannot read ovpn settings\n");
exit(1);
}
if (!findkey(kv, "ENABLED", enablered)) {
fprintf(stderr, "Cannot read ENABLED\n");
exit(1);
}
if (!findkey(kv, "ENABLED_BLUE", enableblue)){
fprintf(stderr, "Cannot read ENABLED_BLUE\n");
exit(1);
}
if (!findkey(kv, "ENABLED_ORANGE", enableorange)){
fprintf(stderr, "Cannot read ENABLED_ORANGE\n");
exit(1);
}
freekeyvalues(kv);
// read interface settings
// details for the red int
memset(redif, 0, STRING_SIZE);
if ((ifacefile = fopen(CONFIG_ROOT "/red/iface", "r")))
{
if (fgets(redif, STRING_SIZE, ifacefile))
{
if (redif[strlen(redif) - 1] == '\n')
redif[strlen(redif) - 1] = '\0';
}
fclose (ifacefile);
ifacefile = NULL;
if (!VALID_DEVICE(redif))
{
memset(redif, 0, STRING_SIZE);
}
}
kv=initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/ethernet/settings"))
{
fprintf(stderr, "Cannot read ethernet settings\n");
exit(1);
}
if (strcmp(enableblue, "on")==0){
if (!findkey(kv, "BLUE_DEV", blueif)){
fprintf(stderr, "Cannot read BLUE_DEV\n");
exit(1);
}
}
if (strcmp(enableorange, "on")==0){
if (!findkey(kv, "ORANGE_DEV", orangeif)){
fprintf(stderr, "Cannot read ORNAGE_DEV\n");
exit(1);
}
}
freekeyvalues(kv);
}
void executeCommand(char *command) {
#ifdef ovpndebug
printf(strncat(command, "\n", 2));
#endif
safe_system(strncat(command, " >/dev/null 2>&1", 17));
}
void setChainRules(char *chain, char *interface, char *protocol, char *port)
{
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -A %sINPUT -i %s -p %s --dport %s -j ACCEPT", chain, interface, protocol, port);
executeCommand(str);
sprintf(str, "/sbin/iptables -A %sINPUT -i tun+ -j ACCEPT", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -A %sFORWARD -i tun+ -j ACCEPT", chain);
executeCommand(str);
}
void flushChain(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -F %sINPUT", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -F %sFORWARD", chain);
executeCommand(str);
safe_system(str);
}
void deleteChainReference(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -D INPUT -j %sINPUT", chain);
executeCommand(str);
safe_system(str);
sprintf(str, "/sbin/iptables -D FORWARD -j %sFORWARD", chain);
executeCommand(str);
safe_system(str);
}
void deleteChain(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -X %sINPUT", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -X %sFORWARD", chain);
executeCommand(str);
}
void deleteAllChains(void) {
// not an elegant solution, but to avoid timing problems with undeleted chain references
deleteChainReference(OVPNRED);
deleteChainReference(OVPNBLUE);
deleteChainReference(OVPNORANGE);
flushChain(OVPNRED);
flushChain(OVPNBLUE);
flushChain(OVPNORANGE);
deleteChain(OVPNRED);
deleteChain(OVPNBLUE);
deleteChain(OVPNORANGE);
}
void createChainReference(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -I INPUT %s -j %sINPUT", "14", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -I FORWARD %s -j %sFORWARD", "12", chain);
executeCommand(str);
}
void createChain(char *chain) {
char str[STRING_SIZE];
sprintf(str, "/sbin/iptables -N %sINPUT", chain);
executeCommand(str);
sprintf(str, "/sbin/iptables -N %sFORWARD", chain);
executeCommand(str);
}
void createAllChains(void) {
if (!((strcmp(enablered, "on")==0) || (strcmp(enableblue, "on")==0) || (strcmp(enableorange, "on")==0))){
fprintf(stderr, "OpenVPN is not enabled on any interface\n");
exit(1);
} else {
// create chain and chain references
if (!strcmp(enableorange, "on")) {
if (strlen(orangeif)) {
createChain(OVPNORANGE);
createChainReference(OVPNORANGE);
} else {
fprintf(stderr, "OpenVPN enabled on orange but no orange interface found\n");
//exit(1);
}
}
if (!strcmp(enableblue, "on")) {
if (strlen(blueif)) {
createChain(OVPNBLUE);
createChainReference(OVPNBLUE);
} else {
fprintf(stderr, "OpenVPN enabled on blue but no blue interface found\n");
//exit(1);
}
}
if (!strcmp(enablered, "on")) {
if (strlen(redif)) {
createChain(OVPNRED);
createChainReference(OVPNRED);
} else {
fprintf(stderr, "OpenVPN enabled on red but no red interface found\n");
//exit(1);
}
}
}
}
void setFirewallRules(void) {
char protocol[STRING_SIZE] = "";
char dport[STRING_SIZE] = "";
char dovpnip[STRING_SIZE] = "";
/* check if it makes sence to proceed further */
if (!((strcmp(enablered, "on")==0) || (strcmp(enableblue, "on")==0) || (strcmp(enableorange, "on")==0))){
fprintf(stderr, "Config error, at least one device must be enabled\n");
exit(1);
}
kv = initkeyvalues();
if (!readkeyvalues(kv, CONFIG_ROOT "/ovpn/settings"))
{
fprintf(stderr, "Cannot read ovpn settings\n");
exit(1);
}
/* we got one device, so lets proceed further */
if (!findkey(kv, "DDEST_PORT", dport)){
fprintf(stderr, "Cannot read DDEST_PORT\n");
exit(1);
}
if (!findkey(kv, "DPROTOCOL", protocol)){
fprintf(stderr, "Cannot read DPROTOCOL\n");
exit(1);
}
if (!findkey(kv, "VPN_IP", dovpnip)){
fprintf(stderr, "Cannot read VPN_IP\n");
// exit(1); step further as we don't need an ip
}
freekeyvalues(kv);
// set firewall rules
if (!strcmp(enablered, "on") && strlen(redif))
setChainRules(OVPNRED, redif, protocol, dport);
if (!strcmp(enableblue, "on") && strlen(blueif))
setChainRules(OVPNBLUE, blueif, protocol, dport);
if (!strcmp(enableorange, "on") && strlen(orangeif))
setChainRules(OVPNORANGE, orangeif, protocol, dport);
}
void stopDaemon(void) {
char command[STRING_SIZE];
snprintf(command, STRING_SIZE - 1, "/bin/killall openvpn");
executeCommand(command);
snprintf(command, STRING_SIZE - 1, "/bin/rm -f /var/run/openvpn.pid");
executeCommand(command);
}
void startDaemon(void) {
char command[STRING_SIZE];
if (!((strcmp(enablered, "on")==0) || (strcmp(enableblue, "on")==0) || (strcmp(enableorange, "on")==0))){
fprintf(stderr, "OpenVPN is not enabled on any interface\n");
exit(1);
} else {
snprintf(command, STRING_SIZE-1, "/usr/bin/openvpn --config /var/ipfire/ovpn/server.conf");
executeCommand(command);
}
}
void displayopenvpn(void) {
char command[STRING_SIZE];
snprintf(command, STRING_SIZE - 1, "/bin/killall -sSIGUSR2 openvpn");
executeCommand(command);
}
int main(int argc, char *argv[]) {
if (!(initsetuid()))
exit(1);
if(argc < 2)
usage();
if(argc == 2) {
if( (strcmp(argv[1], "-k") == 0) || (strcmp(argv[1], "--kill") == 0) ) {
stopDaemon();
return 0;
}
else if( (strcmp(argv[1], "-d") == 0) || (strcmp(argv[1], "--display") == 0) ) {
displayopenvpn();
return 0;
}
else if( (strcmp(argv[1], "-dcr") == 0) || (strcmp(argv[1], "--delete-chains-and-rules") == 0) ) {
deleteAllChains();
return 0;
}
else {
ovpnInit();
if( (strcmp(argv[1], "-s") == 0) || (strcmp(argv[1], "--start") == 0) ) {
deleteAllChains();
createAllChains();
setFirewallRules();
startDaemon();
return 0;
}
else if( (strcmp(argv[1], "-sdo") == 0) || (strcmp(argv[1], "--start-daemon-only") == 0) ) {
startDaemon();
return 0;
}
else if( (strcmp(argv[1], "-r") == 0) || (strcmp(argv[1], "--restart") == 0) ) {
stopDaemon();
deleteAllChains();
createAllChains();
setFirewallRules();
startDaemon();
return 0;
}
else if( (strcmp(argv[1], "-fwr") == 0) || (strcmp(argv[1], "--firewall-rules") == 0) ) {
deleteAllChains();
createAllChains();
setFirewallRules();
return 0;
}
else if( (strcmp(argv[1], "-ccr") == 0) || (strcmp(argv[1], "--create-chains-and-rules") == 0) ) {
createAllChains();
setFirewallRules();
return 0;
}
else {
usage();
return 0;
}
}
}
else {
usage();
return 0;
}
return 0;
}

5
src/rc.d/rc.firewall
View File

@@ -236,6 +236,8 @@ case "$1" in
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 3 -j SNAT --to-source $ORANGE_ADDRESS
fi
# run openvpn
/usr/local/bin/openvpnctrl --create-chains-and-rules
# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
@@ -264,6 +266,9 @@ case "$1" in
/sbin/iptables -A INPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
fi
# stop openvpn
/usr/local/bin/openvpnctrl --delete-chains-and-rules
# run local firewall configuration, if present
if [ -x /etc/rc.d/rc.firewall.local ]; then
/etc/rc.d/rc.firewall.local stop

2
src/rc.d/rc.sysinit
View File

@@ -249,6 +249,8 @@ echo "Starting sshd (if enabled)"
/usr/local/bin/restartssh
echo "Starting ntpd (if enabled)"
/usr/local/bin/restartntpd
echo "Starting openvpn (if enabled)"
/usr/local/bin/openvpnctrl --start-daemon-only
if [ -e "CONFIG_ROOT/proxy/squid.conf" ]; then
echo "Starting squid (if enabled)"