raspap-webgui/includes/openvpn.php

<?php

require_once 'includes/status_messages.php';
require_once 'includes/config.php';
require_once 'includes/wifi_functions.php';

getWifiInterface();

/**
 * Manage OpenVPN configuration
 */
function DisplayOpenVPNConfig()
{
    $status = new StatusMessages();
    if (!RASPI_MONITOR_ENABLED) {
        if (isset($_POST['SaveOpenVPNSettings'])) {
            if (isset($_POST['authUser'])) {
                $authUser = strip_tags(trim($_POST['authUser']));
            }
            if (isset($_POST['authPassword'])) {
                $authPassword = strip_tags(trim($_POST['authPassword']));
            }
            if (is_uploaded_file( $_FILES["customFile"]["tmp_name"])) {
                $return = SaveOpenVPNConfig($status, $_FILES['customFile'], $authUser, $authPassword);
            }
        } elseif (isset($_POST['StartOpenVPN'])) {
            $status->addMessage('Attempting to start OpenVPN', 'info');
            exec('sudo /bin/systemctl start openvpn-client@client', $return);
            exec('sudo /bin/systemctl enable openvpn-client@client', $return);
            foreach ($return as $line) {
                $status->addMessage($line, 'info');
            }
        } elseif (isset($_POST['StopOpenVPN'])) {
            $status->addMessage('Attempting to stop OpenVPN', 'info');
            exec('sudo /bin/systemctl stop openvpn-client@client', $return);
            exec('sudo /bin/systemctl disable openvpn-client@client', $return);
            foreach ($return as $line) {
                $status->addMessage($line, 'info');
            }
        }
    }

    exec('pidof openvpn | wc -l', $openvpnstatus);
    exec('wget https://ipinfo.io/ip -qO -', $return);

    $serviceStatus = $openvpnstatus[0] == 0 ? "down" : "up";
    $auth = file(RASPI_OPENVPN_CLIENT_LOGIN, FILE_IGNORE_NEW_LINES);
    $public_ip = $return[0];

    // parse client auth credentials
    if (!empty($auth)) {
        $auth = array_filter($auth, 'filter_comments');
        $authUser = current($auth);
        $authPassword = next($auth);
    }
    $clients = preg_grep('/client.(conf)$/', scandir(pathinfo(RASPI_OPENVPN_CLIENT_CONFIG, PATHINFO_DIRNAME)));

    $logEnable = 0;
    if (!empty($_POST) && !isset($_POST['log-openvpn'])) {
        $logOutput = "";
        $f = @fopen("/tmp/openvpn.log", "r+");
        if ($f !== false) {
            ftruncate($f, 0);
            fclose($f);
        }
    } elseif (isset($_POST['log-openvpn']) || filesize('/tmp/openvpn.log') >0) {
        $logEnable = 1;
        exec("sudo /etc/raspap/openvpn/openvpnlog.sh", $logOutput);
        $logOutput = file_get_contents('/tmp/openvpn.log');
    }

    echo renderTemplate(
        "openvpn", compact(
            "status",
            "serviceStatus",
            "openvpnstatus",
            "logEnable",
            "logOutput",
            "public_ip",
            "authUser",
            "authPassword",
            "clients"
        )
    );
}

/**
 * Validates uploaded .ovpn file, adds auth-user-pass and
 * stores auth credentials in login.conf. Copies files from
 * tmp to OpenVPN
 *
 * @param  object $status
 * @param  object $file
 * @param  string $authUser
 * @param  string $authPassword
 * @return object $status
 */
function SaveOpenVPNConfig($status, $file, $authUser, $authPassword)
{
    $tmp_ovpnclient = '/tmp/ovpnclient.ovpn';
    $tmp_authdata = '/tmp/authdata';
    $auth_flag = 0;

    try {
        // If undefined or multiple files, treat as invalid
        if (!isset($file['error']) || is_array($file['error'])) {
            throw new RuntimeException('Invalid parameters');
        }

        // Parse returned errors
        switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('OpenVPN configuration file not sent');
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('Exceeded filesize limit');
        default:
            throw new RuntimeException('Unknown errors');
        }

        // Validate extension
        $ext = pathinfo($file['name'], PATHINFO_EXTENSION);
        if ($ext != 'ovpn') {
            throw new RuntimeException('Invalid file extension');
        }

        // Validate MIME type
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        if (false === $ext = array_search(
            $finfo->file($file['tmp_name']),
            array(
                'ovpn' => 'text/plain'
            ),
            true
        )
        ) {
            throw new RuntimeException('Invalid file format');
        }

        // Validate filesize
        define('KB', 1024);
        if ($file['size'] > 64*KB) {
            throw new RuntimeException('File size limit exceeded');
        }

        // Use safe filename, save to /tmp
        if (!move_uploaded_file(
            $file['tmp_name'],
            sprintf(
                '/tmp/%s.%s',
                'ovpnclient',
                $ext
            )
        )
        ) {
            throw new RuntimeException('Unable to move uploaded file');
        }


        // Good file upload, update auth credentials if present
        $prepend = '# filename '.pathinfo($file['name'], PATHINFO_FILENAME) .PHP_EOL;
        if (!empty($authUser) && !empty($authPassword)) {
            $auth_flag = 1;
            // Move tmp authdata to /etc/openvpn/login.conf
            $auth.= $authUser .PHP_EOL . $authPassword .PHP_EOL;
            file_put_contents($tmp_authdata, $auth);
            file_prepend_data($tmp_authdata, $prepend);
            file_move_config(RASPI_OPENVPN_CLIENT_LOGIN);
            chmod($tmp_authdata, 0644);
            system("sudo cp $tmp_authdata " . RASPI_OPENVPN_CLIENT_LOGIN, $return);
            if ($return !=0) {
                $status->addMessage('Unable to save client auth credentials', 'danger');
            }
        }

        // Prepend filname tag to .ovpn client config
        file_prepend_data($tmp_ovpnclient, $prepend);

        // Set iptables rules and, optionally, auth-user-pass
        exec("sudo /etc/raspap/openvpn/configauth.sh $tmp_ovpnclient $auth_flag " .$_SESSION['ap_interface'], $return);
        foreach ($return as $line) {
            $status->addMessage($line, 'info');
        }

        // Copy tmp client config to /etc/openvpn/client
        file_move_config(RASPI_OPENVPN_CLIENT_CONFIG);
        chmod($tmp_ovpnclient, 0644);
        system("sudo cp $tmp_ovpnclient " . RASPI_OPENVPN_CLIENT_CONFIG, $return);
        if ($return ==0) {
            $status->addMessage('OpenVPN client.conf uploaded successfully', 'info');
        } else {
            $status->addMessage('Unable to save OpenVPN client config', 'danger');
        }

        return $status;
    } catch (RuntimeException $e) {
        $status->addMessage($e->getMessage(), 'danger');
        return $status;
    }
}
Templatized OpenVPN config 2019-11-12 17:03:26 +01:00			`<?php`

Processed with phpcbf 2020-02-15 18:57:46 +01:00			`require_once 'includes/status_messages.php';`
Add include wifi_functions getWifiInterface() 2020-06-07 18:17:16 +02:00			`require_once 'includes/config.php';`
			`require_once 'includes/wifi_functions.php';`

			`getWifiInterface();`
Templatized OpenVPN config 2019-11-12 17:03:26 +01:00
			`/**`
			`* Manage OpenVPN configuration`
			`*/`
			`function DisplayOpenVPNConfig()`
			`{`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`$status = new StatusMessages();`
fully locked down the back-end in monitoring mode 2020-02-14 03:38:46 +01:00			`if (!RASPI_MONITOR_ENABLED) {`
			`if (isset($_POST['SaveOpenVPNSettings'])) {`
			`if (isset($_POST['authUser'])) {`
			`$authUser = strip_tags(trim($_POST['authUser']));`
			`}`
			`if (isset($_POST['authPassword'])) {`
			`$authPassword = strip_tags(trim($_POST['authPassword']));`
			`}`
Implement openvpn logging 2021-02-09 22:57:15 +01:00			`if (is_uploaded_file( $_FILES["customFile"]["tmp_name"])) {`
			`$return = SaveOpenVPNConfig($status, $_FILES['customFile'], $authUser, $authPassword);`
			`}`
fully locked down the back-end in monitoring mode 2020-02-14 03:38:46 +01:00			`} elseif (isset($_POST['StartOpenVPN'])) {`
			`$status->addMessage('Attempting to start OpenVPN', 'info');`
			`exec('sudo /bin/systemctl start openvpn-client@client', $return);`
ovpn, uap0 compatibility; readme 2020-03-15 12:02:20 +01:00			`exec('sudo /bin/systemctl enable openvpn-client@client', $return);`
fully locked down the back-end in monitoring mode 2020-02-14 03:38:46 +01:00			`foreach ($return as $line) {`
			`$status->addMessage($line, 'info');`
			`}`
			`} elseif (isset($_POST['StopOpenVPN'])) {`
			`$status->addMessage('Attempting to stop OpenVPN', 'info');`
			`exec('sudo /bin/systemctl stop openvpn-client@client', $return);`
ovpn, uap0 compatibility; readme 2020-03-15 12:02:20 +01:00			`exec('sudo /bin/systemctl disable openvpn-client@client', $return);`
fully locked down the back-end in monitoring mode 2020-02-14 03:38:46 +01:00			`foreach ($return as $line) {`
			`$status->addMessage($line, 'info');`
			`}`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`}`
			`}`
Templatized OpenVPN config 2019-11-12 17:03:26 +01:00
			`exec('pidof openvpn \| wc -l', $openvpnstatus);`
Resolve public_ip 2019-11-17 13:00:30 +01:00			`exec('wget https://ipinfo.io/ip -qO -', $return);`
Templatized OpenVPN config 2019-11-12 17:03:26 +01:00
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`$serviceStatus = $openvpnstatus[0] == 0 ? "down" : "up";`
Resolve public_ip 2019-11-17 13:00:30 +01:00			`$auth = file(RASPI_OPENVPN_CLIENT_LOGIN, FILE_IGNORE_NEW_LINES);`
			`$public_ip = $return[0];`
Templatized OpenVPN config 2019-11-12 17:03:26 +01:00
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`// parse client auth credentials`
			`if (!empty($auth)) {`
Prepend .ovpn filename to client + login 2021-02-06 12:03:30 +01:00			`$auth = array_filter($auth, 'filter_comments');`
			`$authUser = current($auth);`
			`$authPassword = next($auth);`
Templatized OpenVPN config 2019-11-12 17:03:26 +01:00			`}`
Add certificate option to openvpn GUI add JS code to display options and selected ovpn file 2021-03-27 10:29:09 +01:00			`$clients = preg_grep('/client.(conf)$/', scandir(pathinfo(RASPI_OPENVPN_CLIENT_CONFIG, PATHINFO_DIRNAME)));`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00
Persist log-openvpn option 2021-02-10 12:27:24 +01:00			`$logEnable = 0;`
			`if (!empty($_POST) && !isset($_POST['log-openvpn'])) {`
			`$logOutput = "";`
			`$f = @fopen("/tmp/openvpn.log", "r+");`
			`if ($f !== false) {`
			`ftruncate($f, 0);`
			`fclose($f);`
			`}`
			`} elseif (isset($_POST['log-openvpn']) \|\| filesize('/tmp/openvpn.log') >0) {`
Implement openvpn logging 2021-02-09 22:57:15 +01:00			`$logEnable = 1;`
			`exec("sudo /etc/raspap/openvpn/openvpnlog.sh", $logOutput);`
			`$logOutput = file_get_contents('/tmp/openvpn.log');`
			`}`

Processed with phpcbf 2020-02-15 18:57:46 +01:00			`echo renderTemplate(`
			`"openvpn", compact(`
			`"status",`
			`"serviceStatus",`
			`"openvpnstatus",`
Implement openvpn logging 2021-02-09 22:57:15 +01:00			`"logEnable",`
			`"logOutput",`
Processed with phpcbf 2020-02-15 18:57:46 +01:00			`"public_ip",`
			`"authUser",`
Update w/ file_move_config + permissions 2021-02-07 12:54:57 +01:00			`"authPassword",`
			`"clients"`
Processed with phpcbf 2020-02-15 18:57:46 +01:00			`)`
			`);`
Templatized OpenVPN config 2019-11-12 17:03:26 +01:00			`}`

Templatized Tor proxy config 2019-11-12 22:05:21 +01:00			`/**`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`* Validates uploaded .ovpn file, adds auth-user-pass and`
			`* stores auth credentials in login.conf. Copies files from`
			`* tmp to OpenVPN`
			`*`
Processed with phpcbf 2020-02-15 18:57:46 +01:00			`* @param object $status`
			`* @param object $file`
			`* @param string $authUser`
			`* @param string $authPassword`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`* @return object $status`
			`*/`
			`function SaveOpenVPNConfig($status, $file, $authUser, $authPassword)`
Templatized Tor proxy config 2019-11-12 22:05:21 +01:00			`{`
Update tmp paths, parameterize control script 2019-11-17 11:16:10 +01:00			`$tmp_ovpnclient = '/tmp/ovpnclient.ovpn';`
			`$tmp_authdata = '/tmp/authdata';`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`$auth_flag = 0;`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00
			`try {`
			`// If undefined or multiple files, treat as invalid`
			`if (!isset($file['error']) \|\| is_array($file['error'])) {`
			`throw new RuntimeException('Invalid parameters');`
Templatized Tor proxy config 2019-11-12 22:05:21 +01:00			`}`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00
			`// Parse returned errors`
			`switch ($file['error']) {`
Processed with phpcbf 2020-02-15 18:57:46 +01:00			`case UPLOAD_ERR_OK:`
			`break;`
			`case UPLOAD_ERR_NO_FILE:`
			`throw new RuntimeException('OpenVPN configuration file not sent');`
			`case UPLOAD_ERR_INI_SIZE:`
			`case UPLOAD_ERR_FORM_SIZE:`
			`throw new RuntimeException('Exceeded filesize limit');`
			`default:`
			`throw new RuntimeException('Unknown errors');`
Templatized Tor proxy config 2019-11-12 22:05:21 +01:00			`}`

Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`// Validate extension`
			`$ext = pathinfo($file['name'], PATHINFO_EXTENSION);`
			`if ($ext != 'ovpn') {`
			`throw new RuntimeException('Invalid file extension');`
			`}`
Templatized Tor proxy config 2019-11-12 22:05:21 +01:00
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`// Validate MIME type`
			`$finfo = new finfo(FILEINFO_MIME_TYPE);`
			`if (false === $ext = array_search(`
			`$finfo->file($file['tmp_name']),`
			`array(`
			`'ovpn' => 'text/plain'`
			`),`
			`true`
Processed with phpcbf 2020-02-15 18:57:46 +01:00			`)`
			`) {`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`throw new RuntimeException('Invalid file format');`
			`}`
Templatized Tor proxy config 2019-11-12 22:05:21 +01:00
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`// Validate filesize`
			`define('KB', 1024);`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`if ($file['size'] > 64*KB) {`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`throw new RuntimeException('File size limit exceeded');`
			`}`

			`// Use safe filename, save to /tmp`
			`if (!move_uploaded_file(`
			`$file['tmp_name'],`
			`sprintf(`
			`'/tmp/%s.%s',`
			`'ovpnclient',`
			`$ext`
			`)`
Processed with phpcbf 2020-02-15 18:57:46 +01:00			`)`
			`) {`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`throw new RuntimeException('Unable to move uploaded file');`
			`}`
Prepend .ovpn filename to client + login 2021-02-06 12:03:30 +01:00

Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`// Good file upload, update auth credentials if present`
Prepend .ovpn filename to client + login 2021-02-06 12:03:30 +01:00			`$prepend = '# filename '.pathinfo($file['name'], PATHINFO_FILENAME) .PHP_EOL;`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`if (!empty($authUser) && !empty($authPassword)) {`
			`$auth_flag = 1;`
			`// Move tmp authdata to /etc/openvpn/login.conf`
Prepend .ovpn filename to client + login 2021-02-06 12:03:30 +01:00			`$auth.= $authUser .PHP_EOL . $authPassword .PHP_EOL;`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`file_put_contents($tmp_authdata, $auth);`
Prepend .ovpn filename to client + login 2021-02-06 12:03:30 +01:00			`file_prepend_data($tmp_authdata, $prepend);`
Update w/ file_move_config + permissions 2021-02-07 12:54:57 +01:00			`file_move_config(RASPI_OPENVPN_CLIENT_LOGIN);`
			`chmod($tmp_authdata, 0644);`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`system("sudo cp $tmp_authdata " . RASPI_OPENVPN_CLIENT_LOGIN, $return);`
			`if ($return !=0) {`
			`$status->addMessage('Unable to save client auth credentials', 'danger');`
			`}`
			`}`

Prepend .ovpn filename to client + login 2021-02-06 12:03:30 +01:00			`// Prepend filname tag to .ovpn client config`
			`file_prepend_data($tmp_ovpnclient, $prepend);`

Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`// Set iptables rules and, optionally, auth-user-pass`
Rename ambiguous variable for clarity 2020-06-09 16:32:49 +02:00			`exec("sudo /etc/raspap/openvpn/configauth.sh $tmp_ovpnclient $auth_flag " .$_SESSION['ap_interface'], $return);`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`foreach ($return as $line) {`
			`$status->addMessage($line, 'info');`
			`}`

Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`// Copy tmp client config to /etc/openvpn/client`
Update w/ file_move_config + permissions 2021-02-07 12:54:57 +01:00			`file_move_config(RASPI_OPENVPN_CLIENT_CONFIG);`
			`chmod($tmp_ovpnclient, 0644);`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`system("sudo cp $tmp_ovpnclient " . RASPI_OPENVPN_CLIENT_CONFIG, $return);`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`if ($return ==0) {`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`$status->addMessage('OpenVPN client.conf uploaded successfully', 'info');`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`} else {`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00			`$status->addMessage('Unable to save OpenVPN client config', 'danger');`
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`}`
Allow empty credentials in case of client key auth. Thanks @r45635 2019-11-17 19:16:14 +01:00
Handle .ovpn file upload, auth-user-pass config, client svc start/stop 2019-11-16 11:10:25 +01:00			`return $status;`
			`} catch (RuntimeException $e) {`
			`$status->addMessage($e->getMessage(), 'danger');`
			`return $status;`
			`}`
			`}`