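$list = array();
foreach ($a_ca as $ca) {
	$list[$ca['refid']] = $ca['descr'];
}
// CA that the peer's (server's) certificate must chain to. The matching
// `if (count($a_ca)) {` opens above this excerpt.
$section->addInput(new Form_Select('caref', 'Peer Certificate Authority', $pconfig['caref'], $list));
} else {
	$section->addInput(new Form_StaticText('Peer Certificate Authority', sprintf('No Certificate Authorities defined. You may create one here: %s', '<a href="system_camanager.php">System > Cert Manager</a>')));
}

// Peer CRL is optional. NOTE(review): with no CRL selected, a revoked server
// certificate that still chains to the CA above is presumably accepted —
// confirm how the generated OpenVPN config treats an empty crlref.
if (count($a_crl)) {
	$section->addInput(new Form_Select('crlref', 'Peer Certificate Revocation list', $pconfig['crlref'], openvpn_build_crl_list()));
} else {
	$section->addInput(new Form_StaticText('Peer Certificate Revocation list', sprintf('No Certificate Revocation Lists defined. You may create one here: %s', '<a href="system_crlmanager.php">System > Cert Manager > Certificate Revocation</a>')));
}

// Shared-key mode. Auto-generation is only pre-checked when no key has been
// pasted yet, so an existing key is never silently replaced by a generated one.
$section->addInput(new Form_Checkbox('autokey_enable', 'Auto generate', 'Automatically generate a shared key', $pconfig['autokey_enable'] && empty($pconfig['shared_key'])));
// Secret material is rendered back into the page; escaping is left to
// Form_Textarea, which is not visible here.
$section->addInput(new Form_Textarea('shared_key', 'Shared Key', $pconfig['shared_key']))->setHelp('Paste your shared key here');

// TLS mode: only the 'server' bucket of the list returned by
// openvpn_build_cert_list(true) is offered; what that bucket holds is decided
// by the helper, not here.
$cl = openvpn_build_cert_list(true);
$section->addInput(new Form_Select('certref', 'Client Certificate', $pconfig['certref'], $cl['server']));

$section->addInput(new Form_Select('crypto', 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist()));
// NOTE(review): the help text steers users to SHA1 for the HMAC digest; the
// selectable set comes from openvpn_get_digestlist(), so stronger digests can
// be offered without touching this form.
$section->addInput(new Form_Select('digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist()))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ');
$section->addInput(new Form_Select('engine', 'Hardware Crypto', $pconfig['engine'], openvpn_get_engines()));
$form->add($section);

$section = new Form_Section('Tunnel settings');
// Help-text typo fixed: "sercer" -> "server".
$section->addInput(new Form_Input('tunnel_network', 'IPv4 Tunnel Network', 'text', $pconfig['tunnel_network']))->setHelp('This is the IPv4 virtual network used for private communications between this client and the server ' .
	'expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to ' .
	'the client virtual interface.');
$section->addInput(new Form_Input('tunnel_networkv6', 'IPv6 Tunnel Network', 'text', $pconfig['tunnel_networkv6']))->setHelp('This is the IPv6 virtual network used for private ' .
	'communications between this client and the server expressed using CIDR (eg. fe80::/64). ' .
	'The first network address will be assigned to the server virtual interface.');
$section->addInput(new Form_Input('remote_network', 'IPv4 Remote network(s)', 'text', $pconfig['remote_network']))->setHelp('IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' .
	'changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. ' .
	'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.');
$section->addInput(new Form_Input('remote_networkv6', 'IPv6 Remote network(s)', 'text', $pconfig['remote_networkv6']))->setHelp('These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' .
	'changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. ' .
	'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.');
// min/max/placeholder are HTML attributes only (client-side hints); the
// server-side range check has to live in the POST validation, outside this excerpt.
$section->addInput(new Form_Input('use_shaper', 'Limit outgoing bandwidth', 'number', $pconfig['use_shaper'], ['min' => 100, 'max' => 100000000, 'placeholder' => 'Between 100 and 100,000,000 bytes/sec']))->setHelp('Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).');
// NOTE(review): compressing tunnel payload is generally discouraged because
// compression can leak plaintext to an attacker who controls part of the
// traffic; worth checking which mode $openvpn_compression_modes defaults to.
$section->addInput(new Form_Select('compression', 'Compression', $pconfig['compression'], $openvpn_compression_modes))->setHelp('Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.');
$section->addInput(new Form_Checkbox('passtos', 'Type-of-Service', 'Set the TOS IP header value of tunnel packets to match the encapsulated packet value.', $pconfig['passtos']));
$section->addInput(new Form_Checkbox('no_tun_ipv6', 'Disable IPv6', 'Don\'t forward IPv6 traffic. ', $pconfig['no_tun_ipv6']));
// Refusing pushed routes keeps the remote server from rewriting this host's
// routing table (e.g. via a pushed default route).
$section->addInput(new Form_Checkbox('route_no_pull', 'Don\'t pull routes', 'Bars the server from adding routes to the client\'s routing table', $pconfig['route_no_pull']))->setHelp('This option still allows the server to set the TCP/IP properties of the client\'s TUN/TAP interface. ');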
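$list = array();
foreach ($a_ca as $ca) {
	$list[$ca['refid']] = $ca['descr'];
}
// CA that the peer's (server's) certificate must chain to. The matching
// `if (count($a_ca)) {` opens above this excerpt.
$section->addInput(new Form_Select('caref', 'Peer Certificate Authority', $pconfig['caref'], $list));
} else {
	$section->addInput(new Form_StaticText('Peer Certificate Authority', sprintf('No Certificate Authorities defined. You may create one here: %s', '<a href="system_camanager.php">System > Cert Manager</a>')));
}

// Peer CRL is optional. NOTE(review): with no CRL selected, a revoked server
// certificate that still chains to the CA above is presumably accepted —
// confirm how the generated OpenVPN config treats an empty crlref.
if (count($a_crl)) {
	$section->addInput(new Form_Select('crlref', 'Peer Certificate Revocation list', $pconfig['crlref'], openvpn_build_crl_list()));
} else {
	$section->addInput(new Form_StaticText('Peer Certificate Revocation list', sprintf('No Certificate Revocation Lists defined. You may create one here: %s', '<a href="system_camanager.php">System > Cert Manager</a>')));
}

// Shared-key mode. Auto-generation is only pre-checked when no key has been
// pasted yet, so an existing key is never silently replaced by a generated one.
$section->addInput(new Form_Checkbox('autokey_enable', 'Auto generate', 'Automatically generate a shared key', $pconfig['autokey_enable'] && empty($pconfig['shared_key'])));
// Secret material is rendered back into the page; escaping is left to
// Form_Textarea, which is not visible here.
$section->addInput(new Form_Textarea('shared_key', 'Shared Key', $pconfig['shared_key']))->setHelp('Paste your shared key here');

// TLS mode: the certificate presented to the server.
$section->addInput(new Form_Select('certref', 'Client Certificate', $pconfig['certref'], openvpn_build_cert_list(true)));
$section->addInput(new Form_Select('crypto', 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist()));
// NOTE(review): the help text steers users to SHA1 for the HMAC digest; the
// selectable set comes from openvpn_get_digestlist(), so stronger digests can
// be offered without touching this form.
$section->addInput(new Form_Select('digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist()))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ');
$section->addInput(new Form_Select('engine', 'Hardware Crypto', $pconfig['engine'], openvpn_get_engines()));
$form->add($section);

$section = new Form_Section('Tunnel settings');
// Help-text typo fixed: "sercer" -> "server".
$section->addInput(new Form_Input('tunnel_network', 'IPv4 Tunnel Network', 'text', $pconfig['tunnel_network']))->setHelp('This is the IPv4 virtual network used for private communications between this client and the server ' .
	'expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to ' .
	'the client virtual interface.');
$section->addInput(new Form_Input('tunnel_networkv6', 'IPv6 Tunnel Network', 'text', $pconfig['tunnel_networkv6']))->setHelp('This is the IPv6 virtual network used for private ' .
	'communications between this client and the server expressed using CIDR (eg. fe80::/64). ' .
	'The first network address will be assigned to the server virtual interface.');
$section->addInput(new Form_Input('remote_network', 'IPv4 Remote network(s)', 'text', $pconfig['remote_network']))->setHelp('IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' .
	'changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. ' .
	'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.');
$section->addInput(new Form_Input('remote_networkv6', 'IPv6 Remote network(s)', 'text', $pconfig['remote_networkv6']))->setHelp('These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' .
	'changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. ' .
	'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.');
// min/max/placeholder are HTML attributes only (client-side hints); the
// server-side range check has to live in the POST validation, outside this excerpt.
$section->addInput(new Form_Input('use_shaper', 'Limit outgoing bandwidth', 'number', $pconfig['use_shaper'], ['min' => 100, 'max' => 100000000, 'placeholder' => 'Between 100 and 100,000,000 bytes/sec']))->setHelp('Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).');
// NOTE(review): compressing tunnel payload is generally discouraged because
// compression can leak plaintext to an attacker who controls part of the
// traffic; worth checking which mode $openvpn_compression_modes defaults to.
$section->addInput(new Form_Select('compression', 'Compression', $pconfig['compression'], $openvpn_compression_modes))->setHelp('Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.');
$section->addInput(new Form_Checkbox('passtos', 'Type-of-Service', 'Set the TOS IP header value of tunnel packets to match the encapsulated packet value.', $pconfig['passtos']));
$section->addInput(new Form_Checkbox('no_tun_ipv6', 'Disable IPv6', 'Don\'t forward IPv6 traffic. ', $pconfig['no_tun_ipv6']));
// Refusing pushed routes keeps the remote server from rewriting this host's
// routing table (e.g. via a pushed default route).
$section->addInput(new Form_Checkbox('route_no_pull', 'Don\'t pull routes', 'Bars the server from adding routes to the client\'s routing table', $pconfig['route_no_pull']))->setHelp('This option still allows the server to set the TCP/IP properties of the client\'s TUN/TAP interface. ');
// Help text fixed to name the actual OpenVPN hook: routes are handed to the
// --route-up script via environment variables (was "--route-upscript").
$section->addInput(new Form_Checkbox('route_no_exec', 'Don\'t add/remove routes', 'Don\'t add or remove routes automatically', $pconfig['route_no_exec']))->setHelp('Pass routes to --route-up script using environmental variables');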
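} else {
	$section->addInput(new Form_StaticText('Peer Certificate Revocation list', sprintf('No Certificate Revocation Lists defined. You may create one here: %s', '<a href="system_camanager.php">System > Cert Manager</a>')));
}

// Help text for the server-certificate selector: an empty placeholder span by
// default, a danger-styled warning when the chosen certificate lacks the SSL
// Server purpose, or a "create one" hint when no certificate exists at all.
$certhelp = '<span id="certtype"></span>';
if (count($a_cert)) {
	if (!empty(trim($pconfig['certref']))) {
		$thiscert = lookup_cert($pconfig['certref']);
		// A certref that does not resolve (stale config, altered POST) used to
		// reach cert_get_purpose() with a missing 'crt'; treat it like a
		// non-server certificate rather than warning on an undefined index.
		$purpose = array();
		if (is_array($thiscert) && !empty($thiscert['crt'])) {
			$purpose = cert_get_purpose($thiscert['crt'], true);
		}
		if (!isset($purpose['server']) || $purpose['server'] !== "Yes") {
			$certhelp = '<span id="certtype" class="text-danger">' . gettext("Warning: The selected server certificate was not created as an SSL Server certificate and may not work as expected") . ' </span>';
		}
	}
} else {
	// Format string fixed: the original '%s%s%s$s' never consumed the fourth
	// argument, so the closing </span> was dropped and a literal "$s" emitted.
	$certhelp = sprintf('%s%s%s%s', '<span id="certtype">', gettext('No Certificates defined. You may create one here: '), '<a href="system_camanager.php">' . gettext("System > Cert Manager") . '</a>', '</span>');
}

$cl = openvpn_build_cert_list(false, true);
// Save the number of server certs for use at run-time
$servercerts = count($cl['server']);
// Server certs first, non-server certs appended ('+' keeps the first key on a
// collision); a misfiled certificate stays selectable and the warning above
// flags it.
$section->addInput(new Form_Select('certref', 'Server certificate', $pconfig['certref'], $cl['server'] + $cl['non-server']))->setHelp($certhelp);
$section->addInput(new Form_Select('dh_length', 'DH Parameter length (bits)', $pconfig['dh_length'], array_combine($openvpn_dh_lengths, $openvpn_dh_lengths)))->setHelp(count($a_cert) ? '' : sprintf('No Certificates defined. You may create one here: %s', '<a href="system_camanager.php">System > Cert Manager</a>'));

// The auto-generate checkbox is only offered while no shared key is stored.
if (!$pconfig['shared_key']) {
	$section->addInput(new Form_Checkbox('autokey_enable', 'Shared key', 'Automatically generate a shared key', $pconfig['autokey_enable']));
}
// Secret material is rendered back into the page; escaping is left to
// Form_Textarea, which is not visible here.
$section->addInput(new Form_Textarea('shared_key', 'Shared Key', $pconfig['shared_key']))->setHelp('Paste your shared key here');
$section->addInput(new Form_Select('crypto', 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist()));
// NOTE(review): the help text steers users to SHA1 for the HMAC digest; the
// selectable set comes from openvpn_get_digestlist().
$section->addInput(new Form_Select('digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist()))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ');
$section->addInput(new Form_Select('engine', 'Hardware Crypto', $pconfig['engine'], openvpn_get_engines()));
// The empty value ("Do Not Check") switches the depth limit off, so any
// certificate chaining to the CA — including ones issued by a sub-CA — is
// accepted by this check.
$section->addInput(new Form_Select('cert_depth', 'Certificate Depth', $pconfig['cert_depth'], ["" => gettext("Do Not Check")] + $openvpn_cert_depths))->setHelp('When a certificate-based client logs in, do not accept certificates below this depth. ' .
	'Useful for denying certificates made with intermediate CAs generated from the same CA as the server.');
// Ties the presented certificate to the login name, so a valid certificate
// cannot be paired with another user's credentials.
$section->addInput(new Form_Checkbox('strictusercn', 'Strict User-CN Matching', 'Enforce match', $pconfig['strictusercn']))->setHelp('When authenticating users, enforce a match between the common name of the client certificate and the username given at login.');
$form->add($section);

$section = new Form_Section('Tunnel settings');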
// Static TLS key pasted by the operator (presumably the tls-auth key — the
// field is just named 'tls' here). Rendered back into the page; escaping is
// left to Form_Textarea.
$section->addInput(new Form_Textarea('tls', 'Key', $pconfig['tls']))->setHelp('Paste your shared key here');

// Peer CA: a selector when at least one CA exists, otherwise a pointer to the
// cert manager.
if (count($a_ca)) {
	$list = array();
	foreach ($a_ca as $ca) {
		$list[$ca['refid']] = $ca['descr'];
	}
	$cainput = new Form_Select('caref', 'Peer Certificate Authority', $pconfig['caref'], $list);
} else {
	$calink = '<a href="system_camanager.php">System > Cert Manager</a>';
	$cainput = new Form_StaticText('Peer Certificate Authority', sprintf('No Certificate Authorities defined. You may create one here: %s', $calink));
}
$section->addInput($cainput);

// Peer CRL, optional in the same way. NOTE(review): with no CRL selected a
// revoked client certificate that still chains to the CA is presumably
// accepted; confirm in the config generator.
if (count($a_crl)) {
	$crlinput = new Form_Select('crlref', 'Peer Certificate Revocation list', $pconfig['crlref'], openvpn_build_crl_list());
} else {
	$crllink = '<a href="system_camanager.php">System > Cert Manager</a>';
	$crlinput = new Form_StaticText('Peer Certificate Revocation list', sprintf('No Certificate Revocation Lists defined. You may create one here: %s', $crllink));
}
$section->addInput($crlinput);

// "No certificates" hints, shown only while the certificate store is empty.
$havecerts = (count($a_cert) > 0);
$certlink = '<a href="system_camanager.php">System > Cert Manager</a>';
$certrefhelp = $havecerts ? '' : sprintf('No Certificates defined. You may create one here: %s', $certlink);
$dhhelp = $havecerts ? '' : sprintf('No Certificates defined. You may create one here: %s', $certlink);
$section->addInput(new Form_Select('certref', 'Server certificate', $pconfig['certref'], openvpn_build_cert_list()))->setHelp($certrefhelp);
$section->addInput(new Form_Select('dh_length', 'DH Parameter length (bits)', $pconfig['dh_length'], array_combine($openvpn_dh_lengths, $openvpn_dh_lengths)))->setHelp($dhhelp);

// The auto-generate checkbox is only offered while no shared key is stored.
if (!$pconfig['shared_key']) {
	$autokey = new Form_Checkbox('autokey_enable', 'Shared key', 'Automatically generate a shared key', $pconfig['autokey_enable']);
	$section->addInput($autokey);
}
$sharedkey = new Form_Textarea('shared_key', 'Shared Key', $pconfig['shared_key']);
$section->addInput($sharedkey)->setHelp('Paste your shared key here');

$section->addInput(new Form_Select('crypto', 'Encryption Algorithm', $pconfig['crypto'], openvpn_get_cipherlist()));
// NOTE(review): the help text steers users to SHA1 for the HMAC digest; the
// selectable set comes from openvpn_get_digestlist().
$digest = new Form_Select('digest', 'Auth digest algorithm', $pconfig['digest'], openvpn_get_digestlist());
$section->addInput($digest)->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ');
$section->addInput(new Form_Select('engine', 'Hardware Crypto', $pconfig['engine'], openvpn_get_engines()));

// Depth limit on the client chain; the option set is $openvpn_cert_depths.
$depthhelp = 'When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.';
$section->addInput(new Form_Select('cert_depth', 'Certificate Depth', $pconfig['cert_depth'], $openvpn_cert_depths))->setHelp($depthhelp);
// Ties the presented certificate to the login name, so a valid certificate
// cannot be paired with another user's credentials.
$strictcn = new Form_Checkbox('strictusercn', 'Strict User-CN Matching', null, $pconfig['strictusercn']);
$section->addInput($strictcn)->setHelp('When authenticating users, enforce a match between the common name of the client certificate and the username given at login.');
$form->add($section);

$section = new Form_Section('Tunnel settings');
$v4help = 'This is the IPv4 virtual network used for private communications between this server and client hosts expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool)';
$section->addInput(new Form_Input('tunnel_network', 'IPv4 Tunnel Network', 'text', $pconfig['tunnel_network']))->setHelp($v4help);
$v6help = 'This is the IPv6 virtual network used for private communications between this server and client hosts expressed using CIDR (eg. fe80::/64). The first network address will be assigned to the server virtual interface. The remaining network addresses can optionally be assigned to connecting clients. (see Address Pool)';
$section->addInput(new Form_Input('tunnel_networkv6', 'IPv6 Tunnel Network', 'text', $pconfig['tunnel_networkv6']))->setHelp($v6help);
// Bridged (tap) deployments: lets clients on the bridge reach the LAN DHCP server.
$section->addInput(new Form_Checkbox('serverbridge_dhcp', 'Bridge DHCP', 'Allow clients on the bridge to obtain DHCP.', $pconfig['serverbridge_dhcp']));