This patch adds the option to download a client package that comes with a regular PEM and key file instead of a PKCS12 file, which is easier to use with clients that don't support PKCS12 (like iOS), as opposed to converting the file manually.
This requires that the connection is created without using a password for the certificate. Then the certificate is already stored in an insecure way.
This patch also adds this to the Core Update 95 updater.
Fixes: #10966
Signed-off-by: Michael Tremer michael.tremer@ipfire.org CC: Alexander Marx alexander.marx@ipfire.org --- config/rootfiles/core/95/filelists/files | 1 + html/cgi-bin/ovpnmain.cgi | 56 +++++++++++++++++++++++++++++--- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 4 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files
index dfecbaf..b886200 100644
--- a/config/rootfiles/core/95/filelists/files
+++ b/config/rootfiles/core/95/filelists/files
@@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/connections.cgi
 srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/pppsetup.cgi
 srv/web/ipfire/cgi-bin/routing.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9e252a9..7c9ff95 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2265,9 +2265,38 @@ else
 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
 }
+ my $file_crt = new File::Temp( UNLINK => 1 );
+ my $file_key = new File::Temp( UNLINK => 1 );
+
 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
- print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
- $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ # Add the CA
+ print CLIENTCONF "ca cacert.pem\r\n";
+ $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
+
+ # Extract the certificate
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+ print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+ # Extract the key
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+ print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ } else {
+ print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ }
 } else {
 print CLIENTCONF "ca cacert.pem\r\n";
 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
@@ -4251,6 +4280,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
 $confighash{$key}[39] = $cgiparams{'DAUTH'};
 $confighash{$key}[40] = $cgiparams{'DCIPHER'};
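Review bot: The `MODE eq 'insecure'` branch trusts the request parameter alone and never checks `$confighash{$cgiparams{'KEY'}}[41] eq 'no-pass'`, which is the marker the list page uses to offer the button, so a connection whose .p12 is password-protected would presumably reach the openssl call with `-passin pass:`, fail, and make the CGI die with a bare "openssl error" instead of falling back to the pkcs12 package. The condition should be `if ($cgiparams{'MODE'} eq 'insecure' && $confighash{$cgiparams{'KEY'}}[41] eq 'no-pass') {`, and the openssl failure message would be more useful as `die "openssl error: " . ($? >> 8);` since `$?` is the raw wait status. Two smaller points in the same branch: `new File::Temp( UNLINK => 1 )` is indirect-object syntax and should be `File::Temp->new( UNLINK => 1 )`, and the two `or die;` after `addFile` carry no message, unlike the neighbouring `or die "Can't add file ..."`. The enclosing else block begins before this hunk.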
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+ $confighash{$key}[41] = "no-pass";
+ }
+
 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash);
 if ($cgiparams{'CHECK1'} ){
@@ -5127,7 +5160,7 @@ END
 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
 }
@@ -5141,7 +5174,7 @@ END
 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
 }
@@ -5240,6 +5273,21 @@ END
 </td></form>
 END
 ;
+
+ if ($confighash{$key}[41] eq "no-pass") {
+ print <<END;
+ <form method='post' name='frm${key}g'><td align='center' $col>
+ <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
+ alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+ <input type='hidden' name='MODE' value='insecure' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ } else {
+ print "<td $col> </td>";
+ }
+
 if ($confighash{$key}[4] eq 'cert') {
 print <<END;
 <form method='post' name='frm${key}b'><td align='center' $col>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cf04d3d..305db0b 100644
--- a/langs/de/cgi-bin/de.pl
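Review bot: The new `no-pass` marker at index 41 is derived from `$cgiparams{'CERT_PASS1'} eq ""`, which is also true when that parameter is simply absent from the submitted form (with an "uninitialized" warning under `use warnings`), so a host connection saved through a form that carries no password field would be flagged as having an unprotected certificate even if its .p12 does have one; I cannot see from the hunk whether such a path exists, so this is worth confirming. A tighter test is `if (($cgiparams{'TYPE'} eq 'host') && defined($cgiparams{'CERT_PASS1'}) && ($cgiparams{'CERT_PASS1'} eq "")) {`. The hunk header names `if ($cgiparams{'TYPE'} eq 'net') {` as the nearest enclosing context; if the hunk is still inside that block, the `eq 'host'` condition can never be true, which should be checked against the full file since the enclosing block starts before this hunk. Nothing clears index 41 when the condition is false, so if this code also runs on edits of an existing connection an old marker would survive — hedged, since the surrounding save logic is outside the hunk.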
+++ b/langs/de/cgi-bin/de.pl
@@ -731,6 +731,7 @@
 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
 'display webinterface effects' => 'Überblendeffekte einschalten',
 'dl client arch' => 'Client Paket herunterladen (zip)',
+'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
 'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 56238ed..4c52392 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -756,6 +756,7 @@
 'display traffic at home' => 'Display calculated traffic on startpage',
 'display webinterface effects' => 'Activate effects',
 'dl client arch' => 'Download Client Package (zip)',
+'dl client arch insecure' => 'Download insecure Client Package (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuration',
 'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole',
This patch adds the option to download a client package that comes with a regular PEM and key file instead of a PKCS12 file, which is easier to use with clients that don't support PKCS12 (like iOS), as opposed to converting the file manually.
This requires that the connection is created without using a password for the certificate. Then the certificate is already stored in an insecure way.
This patch also adds this to the Core Update 95 updater.
Fixes: #10966
Signed-off-by: Michael Tremer michael.tremer@ipfire.org CC: Alexander Marx alexander.marx@ipfire.org --- config/rootfiles/core/95/filelists/files | 1 + html/cgi-bin/ovpnmain.cgi | 56 +++++++++++++++++++++++++++++--- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 4 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/config/rootfiles/core/95/filelists/files b/config/rootfiles/core/95/filelists/files
index dfecbaf..b886200 100644
--- a/config/rootfiles/core/95/filelists/files
+++ b/config/rootfiles/core/95/filelists/files
@@ -8,6 +8,7 @@ srv/web/ipfire/cgi-bin/connections.cgi
 srv/web/ipfire/cgi-bin/dhcp.cgi
 srv/web/ipfire/cgi-bin/firewall.cgi
 srv/web/ipfire/cgi-bin/logs.cgi/firewalllogcountry.dat
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/pppsetup.cgi
 srv/web/ipfire/cgi-bin/routing.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9e252a9..7c9ff95 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2265,9 +2265,38 @@ else
 print CLIENTCONF "remote $netsettings{'ORANGE_ADDRESS'} $vpnsettings{'DDEST_PORT'}\r\n";
 }
+ my $file_crt = new File::Temp( UNLINK => 1 );
+ my $file_key = new File::Temp( UNLINK => 1 );
+
 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
- print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
- $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ # Add the CA
+ print CLIENTCONF "ca cacert.pem\r\n";
+ $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
+
+ # Extract the certificate
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
+ print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+
+ # Extract the key
+ system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
+ if ($?) {
+ die "openssl error: $?";
+ }
+
+ $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
+ print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ } else {
+ print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
+ $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
+ }
 } else {
 print CLIENTCONF "ca cacert.pem\r\n";
 print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1]cert.pem\r\n";
@@ -4251,6 +4280,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
 $confighash{$key}[39] = $cgiparams{'DAUTH'};
 $confighash{$key}[40] = $cgiparams{'DCIPHER'};
+ if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
+ $confighash{$key}[41] = "no-pass";
+ }
+
 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash);
 if ($cgiparams{'CHECK1'} ){
@@ -5127,7 +5160,7 @@ END
 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
 }
@@ -5141,7 +5174,7 @@ END
 <th width='15%' class='boldbase' align='center'><b>$Lang::tr{'type'}</b></th>
 <th width='20%' class='boldbase' align='center'><b>$Lang::tr{'remark'}</b></th>
 <th width='10%' class='boldbase' align='center'><b>$Lang::tr{'status'}</b></th>
- <th width='5%' class='boldbase' colspan='6' align='center'><b>$Lang::tr{'action'}</b></th>
+ <th width='5%' class='boldbase' colspan='7' align='center'><b>$Lang::tr{'action'}</b></th>
 </tr>
 END
 }
@@ -5240,6 +5273,21 @@ END
 </td></form>
 END
 ;
+
+ if ($confighash{$key}[41] eq "no-pass") {
+ print <<END;
+ <form method='post' name='frm${key}g'><td align='center' $col>
+ <input type='image' name='$Lang::tr{'dl client arch insecure'}' src='/images/openvpn.png'
+ alt='$Lang::tr{'dl client arch insecure'}' title='$Lang::tr{'dl client arch insecure'}' border='0' />
+ <input type='hidden' name='ACTION' value='$Lang::tr{'dl client arch'}' />
+ <input type='hidden' name='MODE' value='insecure' />
+ <input type='hidden' name='KEY' value='$key' />
+ </td></form>
+END
+ } else {
+ print "<td $col> </td>";
+ }
+
 if ($confighash{$key}[4] eq 'cert') {
 print <<END;
 <form method='post' name='frm${key}b'><td align='center' $col>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cf04d3d..305db0b 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -731,6 +731,7 @@
 'display traffic at home' => 'Berechneten Traffic auf der Startseite anzeigen',
 'display webinterface effects' => 'Überblendeffekte einschalten',
 'dl client arch' => 'Client Paket herunterladen (zip)',
+'dl client arch insecure' => 'Ungesichertes Client-Paket herunterladen (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
 'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt; Starte DMZ-Schlupfloch neu',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 56238ed..4c52392 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -756,6 +756,7 @@
 'display traffic at home' => 'Display calculated traffic on startpage',
 'display webinterface effects' => 'Activate effects',
 'dl client arch' => 'Download Client Package (zip)',
+'dl client arch insecure' => 'Download insecure Client Package (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuration',
 'dmz pinhole rule added' => 'DMZ pinhole rule added; restarting DMZ pinhole',
This will allow importing just the configuration file into iOS and establishing the VPN connection. It also works with many other OpenVPN clients.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 59 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 7c9ff95..bdbd229 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2267,11 +2267,14 @@ else
 my $file_crt = new File::Temp( UNLINK => 1 );
 my $file_key = new File::Temp( UNLINK => 1 );
+ my $include_certs = 0;
 if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {
 if ($cgiparams{'MODE'} eq 'insecure') {
+ $include_certs = 1;
+
 # Add the CA
- print CLIENTCONF "ca cacert.pem\r\n";
+ print CLIENTCONF ";ca cacert.pem\r\n";
 $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
 # Extract the certificate
@@ -2282,7 +2285,7 @@ else
 }
 $zip->addFile("$file_crt", "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
- print CLIENTCONF "cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
+ print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
 # Extract the key
 system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
@@ -2292,7 +2295,7 @@ else
 }
 $zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die;
- print CLIENTCONF "key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
+ print CLIENTCONF ";key $confighash{$cgiparams{'KEY'}}[1].key\r\n";
 } else {
 print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
@@ -2311,6 +2314,9 @@ else
 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 }
 if ($vpnsettings{'TLSAUTH'} eq 'on') {
+ if ($cgiparams{'MODE'} eq 'insecure') {
+ print CLIENTCONF ";";
+ }
 print CLIENTCONF "tls-auth ta.key\r\n";
 $zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key") or die "Can't add file ta.key\n";
 }
@@ -2335,6 +2341,53 @@ else
 print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";
 }
 }
+
+ if ($include_certs) {
+ print CLIENTCONF "\r\n";
+
+ # CA
+ open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
+ print CLIENTCONF "<ca>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</ca>\r\n\r\n";
+ close(FILE);
+
+ # Cert
+ open(FILE, "<$file_crt");
+ print CLIENTCONF "<cert>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</cert>\r\n\r\n";
+ close(FILE);
+
+ # Key
+ open(FILE, "<$file_key");
+ print CLIENTCONF "<key>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</key>\r\n\r\n";
+ close(FILE);
+
+ # TLS auth
+ if ($vpnsettings{'TLSAUTH'} eq 'on') {
+ open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
+ print CLIENTCONF "<tls-auth>\r\n";
+ while (<FILE>) {
+ chomp($_);
+ print CLIENTCONF "$_\r\n";
+ }
+ print CLIENTCONF "</tls-auth>\r\n\r\n";
+ close(FILE);
+ }
+ }
+
 # Print client.conf.local if entries exist to client.ovpn
 if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'} eq 'on') {
 open (LCC, "$local_clientconf");
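Review bot: The four inline-file loops in the `if ($include_certs)` block use a bareword handle with a two-argument `open(FILE, "<$path")` whose return value is never checked, so if cacert.pem, one of the temp files or ta.key cannot be opened the `while` reads nothing and the generated .ovpn silently carries an empty `<ca>`, `<cert>`, `<key>` or `<tls-auth>` block that only fails later on the client. Each open should be the three-argument lexical form with an error check, `open(my $fh, '<', $path) or die "Can't open $path: $!\n";`, and since the same nine lines are repeated four times the block is better expressed through one helper (defined alongside the script's other subs), as below. The `open (LCC, "$local_clientconf")` that follows has the same unchecked pattern but is pre-existing code, not part of this change. The enclosing else block begins before this hunk.
```perl
# Copy one PEM/key file into CLIENTCONF as an inline <tag> block, CRLF-terminated.
sub print_inline_block {
	my ($tag, $path) = @_;
	open(my $fh, '<', $path) or die "Can't open $path: $!\n";
	print CLIENTCONF "<$tag>\r\n";
	while (my $line = <$fh>) {
		chomp($line);
		print CLIENTCONF "$line\r\n";
	}
	print CLIENTCONF "</$tag>\r\n\r\n";
	close($fh);
	return;
}

	if ($include_certs) {
		print CLIENTCONF "\r\n";
		print_inline_block('ca', "${General::swroot}/ovpn/ca/cacert.pem");
		print_inline_block('cert', "$file_crt");
		print_inline_block('key', "$file_key");
		if ($vpnsettings{'TLSAUTH'} eq 'on') {
			print_inline_block('tls-auth', "${General::swroot}/ovpn/certs/ta.key");
		}
	}
	# … unchanged: client.conf.local handling …
```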
Could someone who owns an iPhone please test this?
Best, -Michael
On Fri, 2015-10-30 at 15:47 +0000, Michael Tremer wrote:
This will allow to import just the configuration file into iOS and establish the VPN connection. Also works with many other OpenVPN clients.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
html/cgi-bin/ovpnmain.cgi | 59 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 56 insertions(+), 3 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 7c9ff95..bdbd229 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2267,11 +2267,14 @@ else my $file_crt = new File::Temp( UNLINK => 1 ); my $file_key = new File::Temp( UNLINK => 1 );
my $include_certs = 0;
if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f
"${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12" ) { if ($cgiparams{'MODE'} eq 'insecure') {
$include_certs = 1;
- # Add the CA
print CLIENTCONF "ca cacert.pem\r\n";
$zipprint CLIENTCONF ";ca cacert.pem\r\n";
->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
# Extract the certificate
@@ -2282,7 +2285,7 @@ else }
$zip->addFile("$file_crt",
"$confighash{$cgiparams{'KEY'}}[1].pem") or die;
print CLIENTCONF "cert
$confighash{$cgiparams{'KEY'}}[1].pem\r\n";
print CLIENTCONF ";cert
$confighash{$cgiparams{'KEY'}}[1].pem\r\n";
# Extract the key system('/usr/bin/openssl', 'pkcs12', '-in',
"${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12" , @@ -2292,7 +2295,7 @@ else }
$zip->addFile("$file_key",
"$confighash{$cgiparams{'KEY'}}[1].key") or die;
print CLIENTCONF "key
$confighash{$cgiparams{'KEY'}}[1].key\r\n";
print CLIENTCONF ";key
$confighash{$cgiparams{'KEY'}}[1].key\r\n"; } else { print CLIENTCONF "pkcs12 $confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12" , "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; @@ -2311,6 +2314,9 @@ else print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; } if ($vpnsettings{'TLSAUTH'} eq 'on') {
- if ($cgiparams{'MODE'} eq 'insecure') {
print CLIENTCONF ";";
- } print CLIENTCONF "tls-auth ta.key\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/ta.key",
"ta.key") or die "Can't add file ta.key\n"; } @@ -2335,6 +2341,53 @@ else print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } }
- if ($include_certs) {
- print CLIENTCONF "\r\n";
- # CA
- open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
- print CLIENTCONF "<ca>\r\n";
- while (<FILE>) {
chomp($_);
print CLIENTCONF "$_\r\n";
- }
- print CLIENTCONF "</ca>\r\n\r\n";
- close(FILE);
- # Cert
- open(FILE, "<$file_crt");
- print CLIENTCONF "<cert>\r\n";
- while (<FILE>) {
chomp($_);
print CLIENTCONF "$_\r\n";
- }
- print CLIENTCONF "</cert>\r\n\r\n";
- close(FILE);
- # Key
- open(FILE, "<$file_key");
- print CLIENTCONF "<key>\r\n";
- while (<FILE>) {
chomp($_);
print CLIENTCONF "$_\r\n";
- }
- print CLIENTCONF "</key>\r\n\r\n";
- close(FILE);
- # TLS auth
- if ($vpnsettings{'TLSAUTH'} eq 'on') {
open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
print CLIENTCONF "<tls-auth>\r\n";
while (<FILE>) {
chomp($_);
print CLIENTCONF "$_\r\n";
}
print CLIENTCONF "</tls-auth>\r\n\r\n";
close(FILE);
- }
- }
- # Print client.conf.local if entries exist to client.ovpn if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'}
eq 'on') { open (LCC, "$local_clientconf");