         $list[$ca['refid']] = $ca['descr'];
     }
     $section->addInput(new Form_Select('caref', 'Peer Certificate Authority', $pconfig['caref'], $list));
 } else {
     $section->addInput(new Form_StaticText('Peer Certificate Authority', sprintf('No Certificate Authorities defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>')));
 }
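 // Peer CRL selector; when no CRL exists, show a static pointer at the Cert Manager instead.
 if (count($a_crl)) {
     $section->addInput(new Form_Select(
         'crlref',
         'Peer Certificate Revocation list',
         $pconfig['crlref'],
         build_crl_list()
     ));
 } else {
     $section->addInput(new Form_StaticText(
         'Peer Certificate Revocation list',
         sprintf('No Certificate Revocation Lists defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>')
     ));
 }

 // Auto-generation is only offered while no key is stored. The key field itself is
 // rendered unconditionally (matching the server form) so that an existing key remains
 // visible and editable instead of vanishing from the form once it has been set.
 if (!$pconfig['shared_key']) {
     $section->addInput(new Form_Checkbox(
         'autokey_enable',
         'Auto generate',
         'Automatically generate a shared key',
         $pconfig['autokey_enable']
     ));
 }
 // NOTE(review): the shared key is embedded in the page in clear text; anyone allowed
 // to open this form can read it.
 $section->addInput(new Form_TextArea(
     'shared_key',
     'Shared Key',
     $pconfig['shared_key']
 ))->setHelp('Paste your shared key here');

 // Client certificate and crypto parameters; the option lists come from the openvpn helpers.
 $section->addInput(new Form_Select(
     'certref',
     'Client Certificate',
     $pconfig['certref'],
     build_cert_list()
 ));
 $section->addInput(new Form_Select(
     'crypto',
     'Encryption Algorithm',
     $pconfig['crypto'],
     openvpn_get_cipherlist()
 ));
 $section->addInput(new Form_Select(
     'digest',
     'Auth digest algorithm',
     $pconfig['digest'],
     openvpn_get_digestlist()
 ))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ');
 $section->addInput(new Form_Select(
     'engine',
     'Hardware Crypto',
     $pconfig['engine'],
     openvpn_get_engines()
 ));
 $form->add($section);

 // Tunnel settings: addressing, routing, bandwidth shaping and compression.
 $section = new Form_Section('Tunnel settings');
 $section->addInput(new Form_Input(
     'tunnel_network',
     'IPv4 Tunnel Network',
     'text',
     $pconfig['tunnel_network']
 ))->setHelp('This is the IPv4 virtual network used for private communications between this client and the server ' .
     'expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to ' .
     'the client virtual interface.');
 $section->addInput(new Form_Input(
     'tunnel_networkv6',
     'IPv6 Tunnel Network',
     'text',
     $pconfig['tunnel_networkv6']
 ))->setHelp('This is the IPv6 virtual network used for private ' .
     'communications between this client and the server expressed using CIDR (eg. fe80::/64). ' .
     'The first network address will be assigned to the server virtual interface.');
 $section->addInput(new Form_Input(
     'remote_network',
     'IPv4 Remote network(s)',
     'text',
     $pconfig['remote_network']
 ))->setHelp('IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' .
     'changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. ' .
     'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.');
 $section->addInput(new Form_Input(
     'remote_networkv6',
     'IPv6 Remote network(s)',
     'text',
     $pconfig['remote_networkv6']
 ))->setHelp('These are the IPv6 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually ' .
     'changing the routing tables. Expressed as a comma-separated list of one or more IP/PREFIX. ' .
     'If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don\'t want a site-to-site VPN.');
 // Bounds are enforced client-side through the input attributes only; server-side
 // validation is not part of this block.
 $section->addInput(new Form_Input(
     'use_shaper',
     'Limit outgoing bandwidth',
     'number',
     $pconfig['use_shaper'],
     ['min' => 100, 'max' => 100000000, 'placeholder' => 'Between 100 and 100,000,000 bytes/sec']
 ))->setHelp('Maximum outgoing bandwidth for this tunnel. Leave empty for no limit. The input value has to be something between 100 bytes/sec and 100 Mbytes/sec (entered as bytes per second).');
 // NOTE(review): compressing traffic before encryption can expose plaintext through
 // compression side channels; leaving compression off is the safer default.
 $section->addInput(new Form_Select(
     'compression',
     'Compression',
     $pconfig['compression'],
     $openvpn_compression_modes
 ))->setHelp('Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.');
 $section->addInput(new Form_Checkbox(
     'passtos',
     'Type-of-Service',
     'Set the TOS IP header value of tunnel packets to match the encapsulated packet value.',
     $pconfig['passtos']
 ));
 $section->addInput(new Form_Checkbox(
     'no_tun_ipv6',
     'Disable IPv6',
     'Don\'t forward IPv6 traffic. ',
     $pconfig['no_tun_ipv6']
 ));
 $section->addInput(new Form_Checkbox(
     'route_no_pull',
     'Don\'t pull routes',
     'Bars the server from adding routes to the client\'s routing table',
     $pconfig['route_no_pull']
 ))->setHelp('This option still allows the server to set the TCP/IP properties of the client\'s TUN/TAP interface. ');
 $section->addInput(new Form_Checkbox(
     'route_no_exec',
     'Don\'t add/remove routes',
     'Don\'t add or remove routes automatically',
     $pconfig['route_no_exec']
 ))->setHelp('Pass routes to --route-upscript using environmental variables');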
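 // TLS key material is pasted in clear text; the rendered page therefore contains the key.
 $section->addInput(new Form_TextArea(
     'tls',
     'Key',
     $pconfig['tls']
 ))->setHelp('Paste your shared key here');

 // Peer CA selector, built from $a_ca as refid => description; falls back to a static
 // pointer at the Cert Manager when no CA exists.
 if (count($a_ca)) {
     $list = [];
     foreach ($a_ca as $ca) {
         $list[$ca['refid']] = $ca['descr'];
     }
     $section->addInput(new Form_Select(
         'caref',
         'Peer Certificate Authority',
         $pconfig['caref'],
         $list
     ));
 } else {
     $section->addInput(new Form_StaticText(
         'Peer Certificate Authority',
         sprintf('No Certificate Authorities defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>')
     ));
 }

 // Peer CRL selector with the same fallback pattern.
 if (count($a_crl)) {
     $section->addInput(new Form_Select(
         'crlref',
         'Peer Certificate Revocation list',
         $pconfig['crlref'],
         build_crl_list()
     ));
 } else {
     $section->addInput(new Form_StaticText(
         'Peer Certificate Revocation list',
         sprintf('No Certificate Revocation Lists defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>')
     ));
 }

 // Server certificate; the help text only appears when no certificate is defined.
 $section->addInput(new Form_Select(
     'certref',
     'Server certificate',
     $pconfig['certref'],
     build_cert_list()
 ))->setHelp(count($a_cert) ? '' : sprintf('No Certificates defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>'));
 // NOTE(review): the "No Certificates defined" help on the DH length field looks copied
 // from the certificate field above; DH parameters do not depend on certificates — confirm.
 $section->addInput(new Form_Select(
     'dh_length',
     'DH Parameter length (bits)',
     $pconfig['dh_length'],
     array_combine($openvpn_dh_lengths, $openvpn_dh_lengths)
 ))->setHelp(count($a_cert) ? '' : sprintf('No Certificates defined. You may create one here: %s', '<a href="system_camanager.php">System &gt; Cert Manager</a>'));

 // Auto-generation is only offered while no key is stored; the key field is always shown.
 if (!$pconfig['shared_key']) {
     $section->addInput(new Form_Checkbox(
         'autokey_enable',
         'Shared key',
         'Automatically generate a shared key',
         $pconfig['autokey_enable']
     ));
 }
 $section->addInput(new Form_TextArea(
     'shared_key',
     'Shared Key',
     $pconfig['shared_key']
 ))->setHelp('Paste your shared key here');

 // Crypto parameters; option lists come from the openvpn helpers.
 $section->addInput(new Form_Select(
     'crypto',
     'Encryption Algorithm',
     $pconfig['crypto'],
     openvpn_get_cipherlist()
 ));
 $section->addInput(new Form_Select(
     'digest',
     'Auth digest algorithm',
     $pconfig['digest'],
     openvpn_get_digestlist()
 ))->setHelp('Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ');
 $section->addInput(new Form_Select(
     'engine',
     'Hardware Crypto',
     $pconfig['engine'],
     openvpn_get_engines()
 ));

 // Client certificate policy: minimum chain depth and CN/username binding.
 $section->addInput(new Form_Select(
     'cert_depth',
     'Certificate Depth',
     $pconfig['cert_depth'],
     $openvpn_cert_depths
 ))->setHelp('When a certificate-based client logs in, do not accept certificates below this depth. ' .
     'Useful for denying certificates made with intermediate CAs generated from the same CA as the server.');
 $section->addInput(new Form_Checkbox(
     'strictusercn',
     'Strict User-CN Matching',
     null,
     $pconfig['strictusercn']
 ))->setHelp('When authenticating users, enforce a match between the common name of the client certificate and the username given at login.');
 $form->add($section);

 // Tunnel settings: addressing and bridging.
 $section = new Form_Section('Tunnel settings');
 $section->addInput(new Form_Input(
     'tunnel_network',
     'IPv4 Tunnel Network',
     'text',
     $pconfig['tunnel_network']
 ))->setHelp('This is the IPv4 virtual network used for private communications between this server and client ' .
     'hosts expressed using CIDR (eg. 10.0.8.0/24). The first network address will be assigned to ' .
     'the server virtual interface. The remaining network addresses can optionally be assigned ' .
     'to connecting clients. (see Address Pool)');
 $section->addInput(new Form_Input(
     'tunnel_networkv6',
     'IPv6 Tunnel Network',
     'text',
     $pconfig['tunnel_networkv6']
 ))->setHelp('This is the IPv6 virtual network used for private ' .
     'communications between this server and client hosts expressed using CIDR (eg. fe80::/64). ' .
     'The first network address will be assigned to the server virtual interface. The remaining ' .
     'network addresses can optionally be assigned to connecting clients. (see Address Pool)');
 $section->addInput(new Form_Checkbox(
     'serverbridge_dhcp',
     'Bridge DHCP',
     'Allow clients on the bridge to obtain DHCP.',
     $pconfig['serverbridge_dhcp']
 ));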
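// Phase 1 authentication: method, IKE negotiation mode and identifiers.
$section->addInput(new Form_Select(
    'authentication_method',
    'Authentication Method',
    $pconfig['authentication_method'],
    build_auth_method_list()
))->setHelp('Must match the setting chosen on the remote side.');
$section->addInput(new Form_Select(
    'mode',
    'Negotiation mode',
    $pconfig['mode'],
    ['main' => gettext('Main'), 'aggressive' => gettext('Aggressive')]
))->setHelp('Aggressive is more flexible, but less secure.');

$group = new Form_Group('My identifier');
$group->add(new Form_Select('myid_type', null, $pconfig['myid_type'], build_myid_list()));
$group->add(new Form_Input('myid_data', null, 'text', $pconfig['myid_data']));
$section->add($group);

$group = new Form_Group('Peer identifier');
$group->addClass('peeridgroup');
$group->add(new Form_Select('peerid_type', null, $pconfig['peerid_type'], build_peerid_list()));
$group->add(new Form_Input('peerid_data', null, 'text', $pconfig['peerid_data']));
// Mobile (road-warrior) configurations get an extra hint about client-side naming.
if ($pconfig['mobile']) {
    $group->setHelp('This is known as the "group" setting on some VPN client implementations');
}
$section->add($group);

// NOTE(review): the PSK is rendered as a plain 'text' input, so it is readable on screen
// and in the page source by anyone who can open this form.
$section->addInput(new Form_Input(
    'pskey',
    'Pre-Shared Key',
    'text',
    $pconfig['pskey']
))->setHelp('Enter the Pre-Shared Key string.');
$section->addInput(new Form_Select(
    'certref',
    'My Certificate',
    $pconfig['certref'],
    build_cert_list()
))->setHelp('Select a certificate previously configured in the Certificate Manager.');
$section->addInput(new Form_Select(
    'caref',
    'Peer Certificate Authority',
    $pconfig['caref'],
    build_ca_list()
))->setHelp('Select a certificate authority previously configured in the Certificate Manager.');
$form->add($section);

// Phase 1 proposal. The key-length select starts empty; its options are presumably
// filled in client-side once an algorithm is chosen — confirm against the page script.
$section = new Form_Section('Phase 1 Proposal (Algorithms)');
$group = new Form_Group('Encryption Algorithm');
$group->add(new Form_Select('ealgo', null, $pconfig['ealgo']['name'], build_eal_list()));
$group->add(new Form_Select('ealgo_keylen', null, $pconfig['ealgo_keylen'], []));
$section->add($group);
$section->addInput(new Form_Select(
    'halgo',
    'Hash Algorithm',
    $pconfig['halgo'],
    $p1_halgos
))->setHelp('Must match the setting chosen on the remote side.');
$section->addInput(new Form_Select(
    'dhgroup',
    'DH Group',
    $pconfig['dhgroup'],
    $p1_dhgroups
))->setHelp('Must match the setting chosen on the remote side.');
$section->addInput(new Form_Input(
    'lifetime',
    'Lifetime (Seconds)',
    'number',
    $pconfig['lifetime']
));
$form->add($section);

// Advanced options. Note the inverted naming: checking 'rekey_enable' / 'reauth_enable'
// disables the respective behaviour, per the labels below.
$section = new Form_Section('Advanced Options');
$section->addInput(new Form_Checkbox(
    'rekey_enable',
    'Disable rekey',
    'Disables renegotiation when a connection is about to expire.',
    $pconfig['rekey_enable']
));
$section->addInput(new Form_Checkbox(
    'reauth_enable',
    'Disable Reauth',
    'Whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, reauthentication is always done.',
    $pconfig['reauth_enable']
));
$section->addInput(new Form_Checkbox(
    'responderonly',
    'Responder Only',
    'Enable this option to never initiate this connection from this side, only respond to incoming requests.',
    $pconfig['responderonly']
));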
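// RADIUS options for the captive portal.
$section->addClass('Radius');
$section->addInput(new Form_Checkbox(
    'reauthenticate',
    'Reauthentication',
    'Reauthenticate connected users every minute',
    $pconfig['reauthenticate']
))->setHelp('If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. ' .
    'If an Access-Reject is received for a user, that user is disconnected from the captive portal immediately.');
// NOTE(review): MAC-based authentication trusts a client-reported, easily changed identifier;
// the help text below documents what is sent, not how strong it is.
$section->addInput(new Form_Checkbox(
    'radmac_enable',
    'RADIUS MAC Authentication',
    'Enable RADIUS MAC authentication',
    $pconfig['radmac_enable']
))->setHelp('If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username ' .
    'and the password entered below to the RADIUS server.');
// NOTE(review): the secret is rendered as a plain 'text' input and is readable in the page.
$section->addInput(new Form_Input(
    'radmac_secret',
    'MAC authentication secret',
    'text',
    $pconfig['radmac_secret']
));
$section->addInput(new Form_Select(
    'radiussrcip_attribute',
    'RADIUS NAS IP Attribute',
    $pconfig['radiussrcip_attribute'],
    build_radiusnas_list()
))->setHelp('Choose the IP to use for calling station attribute.');
$section->addInput(new Form_Checkbox(
    'radiussession_timeout',
    'Session timeout',
    'Use RADIUS Session-Timeout attributes',
    $pconfig['radiussession_timeout']
))->setHelp('When enabled, clients will be disconnected after the amount of time retrieved from the RADIUS Session-Timeout attribute.');
$section->addInput(new Form_Select(
    'radiusvendor',
    'Type',
    $pconfig['radiusvendor'],
    ['default' => 'default', 'cisco' => 'cisco']
))->setHelp('If RADIUS type is set to Cisco, in Access-Requests the value of Calling-Station-ID will be set to the client\'s IP address and the ' .
    'Called-Station-Id to the client\'s MAC address. Default behavior is Calling-Station-Id = client\'s MAC address and ' .
    'Called-Station-ID = pfSense\'s WAN IP address.');
$section->addInput(new Form_Checkbox(
    'reverseacct',
    'Accounting style',
    'Invert Acct-Input-Octets and Acct-Output-Octets',
    $pconfig['reverseacct']
))->setHelp('When enabled, data counts for RADIUS accounting packets will be taken from the client perspective, not the NAS. ' .
    'Acct-Input-Octets will represent download, and Acct-Output-Octets will represent upload.');
$section->addInput(new Form_Input(
    'radiusnasid',
    'NAS Identifier',
    'text',
    $pconfig['radiusnasid']
))->setHelp('Specify a NAS identifier to override the default value (pfSense.localdomain)');
$section->addInput(new Form_Select(
    'radmac_format',
    'MAC address format',
    $pconfig['radmac_format'],
    ['default' => 'Default', 'singledash' => 'Single dash', 'ietf' => 'IETF', 'cisco' => 'Cisco', 'unformatted' => 'Unformatted']
))->setHelp('This option changes the MAC address format used in the whole RADIUS system. Change this if you also need to change the username format for ' .
    'RADIUS MAC authentication.' . '<br />' .
    'Default: 00:11:22:33:44:55' . '<br />' .
    'Single dash: 001122-334455' . '<br />' .
    'IETF: 00-11-22-33-44-55' . '<br />' .
    'Cisco: 0011.2233.4455' . '<br />' .
    'Unformatted: 001122334455');
$form->add($section);

// HTTPS login options.
$section = new Form_Section('HTTPS options');
$section->addClass('HTTPS');
$section->addInput(new Form_Checkbox(
    'httpslogin_enable',
    'Login',
    'Enable HTTPS login',
    $pconfig['httpslogin_enable']
))->setHelp('When enabled, the username and password will be transmitted over an HTTPS connection to protect against eavesdroppers. ' .
    'A server name and certificate must also be specified below.');
$section->addInput(new Form_Input(
    'httpsname',
    'HTTPS server name',
    'text',
    $pconfig['httpsname']
))->setHelp('This name will be used in the form action for the HTTPS POST and should match the Common Name (CN) in your certificate ' .
    '(otherwise, the client browser will most likely display a security warning). ' .
    'Make sure captive portal clients can resolve this name in DNS and verify on the client that the IP resolves to the correct interface IP on pfSense.');
$section->addInput(new Form_Select(
    'certref',
    'SSL Certificate',
    $pconfig['certref'],
    build_cert_list()
))->setHelp('If no certificates are defined, you may define one here: ' . '<a href="system_certmanager.php">System &gt; Cert Manager</a>');
$section->addInput(new Form_Checkbox(
    'nohttpsforwards',
    'HTTPS Forwards',
    'Disable HTTPS Forwards',
    $pconfig['nohttpsforwards']
))->setHelp('If this option is set, attempts to connect to SSL/HTTPS (Port 443) sites will not be forwarded to the captive portal. ' .
    'This prevents certificate errors from being presented to the user even if HTTPS logins are enabled. ' .
    'Users must attempt a connection to an HTTP (Port 80) site to get forwarded to the captive portal. ' .
    'If HTTPS logins are enabled, the user will be redirected to the HTTPS login page.');
$form->add($section);

// Portal page upload. The help text describes the file as HTML/PHP, which suggests it is
// executed server-side; access to this form should be limited to trusted administrators — confirm.
$section = new Form_Section('HTML page contents');
$section->addClass('HTML');
$section->addInput(new Form_Input(
    'htmlfile',
    'Portal page contents',
    'file',
    $pconfig['htmlfile']
))->setHelp('Upload an HTML/PHP file for the portal page here (leave blank to keep the current one). Make sure to include a form (POST to "$PORTAL_ACTION$") ' .
    'with a submit button (name="accept") and a hidden field with name="redirurl" and value="$PORTAL_REDIRURL$". ' .
    'Include the "auth_user" and "auth_pass" and/or "auth_voucher" input fields if authentication is enabled, otherwise it will always fail.' .
    '<br />' . 'Example code for the form:' . '<br />' .
    '&lt;form method=&quot;post&quot; action=&quot;$PORTAL_ACTION$&quot;&gt;<br />
			 &nbsp;&nbsp;&nbsp;&lt;input name=&quot;auth_user&quot; type=&quot;text&quot;&gt;<br />
			 &nbsp;&nbsp;&nbsp;&lt;input name=&quot;auth_pass&quot; type=&quot;password&quot;&gt;<br />
			 &nbsp;&nbsp;&nbsp;&lt;input name=&quot;auth_voucher&quot; type=&quot;text&quot;&gt;<br />
			 &nbsp;&nbsp;&nbsp;&lt;input name=&quot;redirurl&quot; type=&quot;hidden&quot; value=&quot;$PORTAL_REDIRURL$&quot;&gt;<br />
			 &nbsp;&nbsp;&nbsp;&lt;input name=&quot;accept&quot; type=&quot;submit&quot; value=&quot;Continue&quot;&gt;<br />
			 &lt;/form&gt;')->addClass('btn btn-info btn-sm');

// $host is taken from the client's Host header, so it is attacker-controlled input and must
// not be trusted for anything security-relevant. Splitting on ':' also mishandles a
// bracketed IPv6 literal (e.g. "[::1]:443" yields "["); kept as-is to preserve behaviour.
[$host] = explode(':', $_SERVER['HTTP_HOST']);
// Truthiness check on purpose: an unset or zero zoneid falls back to 8000.
$zoneid = $pconfig['zoneid'] ?: 8000;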
if ($pconfig['httpslogin_enable']) {
    $port = $pconfig['listenporthttps'] ? $pconfig['listenporthttps'] : $zoneid + 8001;