From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH v2 2/2] openvpn: Embed the certificate and key file into configuration Date: Fri, 30 Oct 2015 15:48:46 +0000 Message-ID: <1446220126.2626.181.camel@ipfire.org> In-Reply-To: <1446220042-22681-2-git-send-email-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3313591276764326357==" List-Id: --===============3313591276764326357== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Could someone who owns an iPhone please test this? Best, -Michael On Fri, 2015-10-30 at 15:47 +0000, Michael Tremer wrote: > This will allow to import just the configuration file > into iOS and establish the VPN connection. Also works > with many other OpenVPN clients. > > Signed-off-by: Michael Tremer > --- > html/cgi-bin/ovpnmain.cgi | 59 > ++++++++++++++++++++++++++++++++++++++++++++--- > 1 file changed, 56 insertions(+), 3 deletions(-) > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index 7c9ff95..bdbd229 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -2267,11 +2267,14 @@ else > > my $file_crt = new File::Temp( UNLINK => 1 ); > my $file_key = new File::Temp( UNLINK => 1 ); > + my $include_certs = 0; > > if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f > "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12" > ) { > if ($cgiparams{'MODE'} eq 'insecure') { > + $include_certs = 1; > + > # Add the CA > - print CLIENTCONF "ca cacert.pem\r\n"; > + print CLIENTCONF ";ca cacert.pem\r\n"; > $zip > ->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or > die "Can't add file cacert.pem\n"; > > # Extract the certificate 
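Review bot: `my $include_certs = 0;` carries no comment saying what it controls, and because the flag is raised inside the `insecure` branch while the `$zip->addFile(...)` calls for cacert.pem, the client certificate and the key stay in place, the same key material ends up both as separate files in the zip and inline in client.ovpn once the last hunk embeds it. A one-line comment at the declaration would make that duplication visibly intentional, e.g. `# insecure mode: CA, client cert and key are also embedded inline in client.ovpn so it can be imported on its own; the separate files stay in the zip`. The `new File::Temp( UNLINK => 1 )` lines are context here, but they use indirect-object syntax; `File::Temp->new( UNLINK => 1 )` is the form perlcritic expects. The enclosing `else` block starts and ends outside the hunk.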
> @@ -2282,7 +2285,7 @@ else > } > > $zip->addFile("$file_crt", > "$confighash{$cgiparams{'KEY'}}[1].pem") or die; > - print CLIENTCONF "cert > $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; > + print CLIENTCONF ";cert > $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; > > # Extract the key > system('/usr/bin/openssl', 'pkcs12', '-in', > "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12" > , > @@ -2292,7 +2295,7 @@ else > } > > $zip->addFile("$file_key", > "$confighash{$cgiparams{'KEY'}}[1].key") or die; > - print CLIENTCONF "key > $confighash{$cgiparams{'KEY'}}[1].key\r\n"; > + print CLIENTCONF ";key > $confighash{$cgiparams{'KEY'}}[1].key\r\n"; > } else { > print CLIENTCONF "pkcs12 > $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; > $zip->addFile( > "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12" > , "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file > $confighash{$cgiparams{'KEY'}}[1].p12\n"; > @@ -2311,6 +2314,9 @@ else > print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; > } > if ($vpnsettings{'TLSAUTH'} eq 'on') { > + if ($cgiparams{'MODE'} eq 'insecure') { > + print CLIENTCONF ";"; > + } > print CLIENTCONF "tls-auth ta.key\r\n"; > $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", > "ta.key") or die "Can't add file ta.key\n"; > } 
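Review bot: In the `@@ -2311` hunk the `;` that comments out `tls-auth ta.key` is gated on `$cgiparams{'MODE'} eq 'insecure'`, whereas the inline copy of ta.key added by the last hunk of this patch is gated on `$include_certs`, which the first hunk sets only when the connection's key type is `cert` and its .p12 file exists. With MODE set to insecure but that condition false, the generated client.ovpn has no tls-auth directive at all, neither as a file reference nor inline, so a client using it cannot complete the handshake against a server with TLSAUTH on, and nothing in the CGI reports the mismatch. Gating the comment marker on the same flag that drives the embedding keeps the two paths consistent: `if ($include_certs) {`. The enclosing `else` block starts and ends outside the hunk.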
> @@ -2335,6 +2341,53 @@ else > print CLIENTCONF "mtu-disc > $vpnsettings{'PMTU_DISCOVERY'}\r\n"; > } > } > + > + if ($include_certs) { > + print CLIENTCONF "\r\n"; > + > + # CA > + open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem"); > + print CLIENTCONF "\r\n"; > + while () { > + chomp($_); > + print CLIENTCONF "$_\r\n"; > + } > + print CLIENTCONF "\r\n\r\n"; > + close(FILE); > + > + # Cert > + open(FILE, "<$file_crt"); > + print CLIENTCONF "\r\n"; > + while () { > + chomp($_); > + print CLIENTCONF "$_\r\n"; > + } > + print CLIENTCONF "\r\n\r\n"; > + close(FILE); > + > + # Key > + open(FILE, "<$file_key"); > + print CLIENTCONF "\r\n"; > + while () { > + chomp($_); > + print CLIENTCONF "$_\r\n"; > + } > + print CLIENTCONF "\r\n\r\n"; > + close(FILE); > + > + # TLS auth > + if ($vpnsettings{'TLSAUTH'} eq 'on') { > + open(FILE, "<${General::swroot}/ovpn/certs/ta.key"); > + print CLIENTCONF "\r\n"; > + while () { > + chomp($_); > + print CLIENTCONF "$_\r\n"; > + } > + print CLIENTCONF "\r\n\r\n"; > + close(FILE); > + } > + } > + > # Print client.conf.local if entries exist to client.ovpn > if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} > eq 'on') { > open (LCC, "$local_clientconf"); --===============3313591276764326357== Content-Type: application/pgp-signature Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="signature.asc" MIME-Version: 1.0 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjEKCmlRSWNCQUFC Q2dBR0JRSldNNUZlQUFvSkVJQjU4UDl2a0FrSDhFb1AvUnB0L2R0MExyWVo3eWZ5VEZYQldHRW0K VElkQkQxcTRzOHkrRVNoWmlHRDRib2JWa2R6QkEwci9OaUVJZTMweGIvOUJULzJzcmZkcUZHZ1NL K04xcy90YwpVQVVJTGc1TkxFL1NPcnY2N2JZcHVXM0JOb0VLSXJ6MzR5M3YvdTE2bnZyVmRjMldU dnRXMmxHU0MrelloaE1OCjF1VTF5QUd5ajdnOXpNV0p0SDhxV3c2YWFFQ293YnloZ1p0ZXpRUFYx WWhrUFlsMy9PZllILytFZU9HbDNhdGQKL0oxM0lhRHZuVkFFUkJ2WjNpdC9oQmpHWi9yY0h4U2do TjhteVh0eTVYS3V2dGM3SmZNbXV1dmVBY3dHWHBaVApaaWxSYTg4OHJ3NzJycERRK2FNalh2cEtj 
cjlKWGQwZHM5MTdkVVQ4cnkxQUMyUHdQU0FDcDhua1prclJYRllQCmlGb0xSVXZRVmRTbCtRNzFL eHNZY1MrSTE0ZGpBcHZGTysrWStWaERzR3ZldHIxQ1FpdWovNnZ5cmxRSE1QR2MKT2ZnSmYrRjBX elJ3dkVxU09NZm1pUCtBZkxYRW5zcHZRcy9vcmxZN2pjMjBWVmtQbTlYcm1HNXBJeG1sUGkyNwpM QUI2b1lqS0huaXhLdU9tZnVyR0hxMFpxSE5uVU0xVDNRRjcxay9GMlZzaFlCMVdUZUNIcFJnTFov R1RyUys5Ck41THp1MENPNDFPR2pzRUxMM05lek9SVGlOc3JnSk5Dd0JGSDIwQndpcTJreEhlaVhT RE9YUFprQ3RTTUhRUTEKeG1vZExBTkptTEsvQ29keHhWRVhqamk1dW1Yd0dpN054SlB5QlJ3ajZN RDhhYmRPancyU1o0QW1tbmFsdlJ5TgovdThFZUhPYmd5MTlqeDYrcHlkYwo9Ym03SQotLS0tLUVO RCBQR1AgU0lHTkFUVVJFLS0tLS0K --===============3313591276764326357==--