mirror of
https://github.com/billz/raspap-webgui.git
synced 2025-03-01 10:31:47 +00:00
Add VPN server IPs to Firewall GUI
This commit is contained in:
Christian Zeitnitz
@@ -39,7 +39,7 @@ function createRuleStr(&$sect, &$conf) {
|
||||
$repl=$val="";
|
||||
switch ( $dep["type"] ) {
|
||||
case "list":
|
||||
if ( isset($dep["var"]) && !empty($conf[$dep["var"]]) ) $val = explode(',', $conf[$dep["var"]]);
|
||||
if ( isset($dep["var"]) && !empty($conf[$dep["var"]]) ) $val = explode(' ', $conf[$dep["var"]]);
|
||||
if ( !empty($val) && isset($dep["replace"]) ) $repl=$dep["replace"];
|
||||
break;
|
||||
case "string":
|
||||
@@ -103,9 +103,9 @@ function configureFirewall() {
|
||||
}
|
||||
|
||||
function WriteFirewallConf($conf) {
|
||||
$ret = false;
|
||||
if ( is_array($conf) ) write_php_ini($conf,RASPAP_FIREWALL_CONF);
|
||||
return $ret;
|
||||
$ret = false;
|
||||
if ( is_array($conf) ) write_php_ini($conf,RASPAP_FIREWALL_CONF);
|
||||
return $ret;
|
||||
}
|
||||
|
||||
|
||||
@@ -115,10 +115,6 @@ function ReadFirewallConf() {
|
||||
} else {
|
||||
$conf = array();
|
||||
$conf["firewall-enable"] = false;
|
||||
$conf["openvpn-enable"] = false;
|
||||
$conf["openvpn-serverip"] = "";
|
||||
$conf["wireguard-enable"] = false;
|
||||
$conf["wireguard-serverip"] = "";
|
||||
$conf["ssh-enable"] = false;
|
||||
$conf["http-enable"] = false;
|
||||
$conf["excl-devices"] = "";
|
||||
@@ -127,26 +123,32 @@ function ReadFirewallConf() {
|
||||
$conf["client-device"] = "";
|
||||
$conf["restricted-ips"] = "";
|
||||
}
|
||||
|
||||
# get openvpn server IP (if existing)
|
||||
if ( RASPI_OPENVPN_ENABLED && file_exists(RASPI_OPENVPN_CLIENT_CONFIG) ) {
|
||||
exec('cat '.RASPI_OPENVPN_CLIENT_CONFIG.' | sed -rn "s/^remote\s*([a-z0-9\.\-\_]*)\s*([0-9]*).*$/\1/ip" ', $ret);
|
||||
if ( !empty($ret) ) {
|
||||
$ip = $ret[0];
|
||||
$ip = ( filter_var($ip, FILTER_VALIDATE_IP) !== false ) ? $ip : gethostbyname($ip);
|
||||
if ( !empty($ip) ) {
|
||||
$conf["openvpn-serverip"] = "$ip";
|
||||
$conf["openvpn-enable"] = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
# get wireguard server IP (if existing)
|
||||
if ( RASPI_WIREGUARD_ENABLED && file_exists(RASPI_WIREGUARD_CONFIG) ) {
|
||||
# search for endpoint
|
||||
}
|
||||
return $conf;
|
||||
}
|
||||
|
||||
function getVPN_IPs() {
|
||||
$ips = "";
|
||||
# get openvpn server IPs for UDP (if existing)
|
||||
if ( RASPI_OPENVPN_ENABLED && ($fconf = glob(RASPI_OPENVPN_CLIENT_PATH ."/*.conf")) !== false && !empty($fconf) ) {
|
||||
foreach ( $fconf as $f ) {
|
||||
exec('cat '.$f.' | sed -rn "s/^remote\s*([a-z0-9\.\-\_]*)\s*([0-9]*).*$/\1/ip" ', $result);
|
||||
$ip = (isset($result[0])) ? $result[0] : "";
|
||||
unset($result);
|
||||
exec('cat '.$f.' | sed -rn "s/^proto\s*([a-z]*).*$/\1/ip" ', $result);
|
||||
$proto = (isset($result[0])) ? $result[0] : "";
|
||||
if ( !empty($ip) && trim(strtolower($proto)) === "udp" ) {
|
||||
$ip = gethostbyname($ip);
|
||||
if ( filter_var($ip,FILTER_VALIDATE_IP) && strpos($ips, $ip) === false ) $ips .= " $ip";
|
||||
}
|
||||
}
|
||||
}
|
||||
# get wireguard server IPs for UDP (if existing)
|
||||
if ( RASPI_WIREGUARD_ENABLED && ($fconf = glob(RASPI_WIREGUARD_PATH ."/*.conf")) !== false && !empty($fconf) ) {
|
||||
}
|
||||
return trim($ips);
|
||||
}
|
||||
|
||||
|
||||
function DisplayFirewallConfig()
|
||||
{
|
||||
|
||||
@@ -154,7 +156,6 @@ function DisplayFirewallConfig()
|
||||
|
||||
$json = file_get_contents(RASPAP_IPTABLES_CONF);
|
||||
$ipt_rules = json_decode($json, true);
|
||||
|
||||
getWifiInterface();
|
||||
$ap_device = $_SESSION['ap_interface'];
|
||||
$clients = getClients();
|
||||
@@ -179,20 +180,41 @@ function DisplayFirewallConfig()
|
||||
if ( isset($_POST['save-firewall']) ) $status->addMessage(_('Firewall settings saved. Firewall is still disabled.'), 'success');
|
||||
if ( isset($_POST['excl-devices']) ) {
|
||||
$excl = filter_var($_POST['excl-devices'], FILTER_SANITIZE_STRING);
|
||||
$excl = str_replace(' ', '', $excl);
|
||||
if ( !empty($excl) && $fw_conf["excl-devices"] != $excl ) {
|
||||
$excl = str_replace(',', ' ', $excl);
|
||||
$excl = trim(preg_replace('/\s+/', ' ', $excl));
|
||||
if ( $fw_conf["excl-devices"] != $excl ) {
|
||||
$status->addMessage(_('Exclude devices '. $excl), 'success');
|
||||
$fw_conf["excl-devices"] = $excl;
|
||||
}
|
||||
}
|
||||
if ( isset($_POST['excluded-ips']) ) {
|
||||
$excl = filter_var($_POST['excluded-ips'], FILTER_SANITIZE_STRING);
|
||||
$excl = str_replace(',', ' ', $excl);
|
||||
$excl = trim(preg_replace('/\s+/', ' ', $excl));
|
||||
if ( !empty($excl) ) {
|
||||
$excl = explode(' ',$excl);
|
||||
$str_excl = "";
|
||||
foreach ( $excl as $ip ) {
|
||||
if ( filter_var($ip,FILTER_VALIDATE_IP) ) $str_excl .= "$ip ";
|
||||
else $status->addMessage(_('Exclude IP address '. $ip . ' failed - not a valid IP address'), 'warning');
|
||||
}
|
||||
}
|
||||
$str_excl = trim($str_excl);
|
||||
if ( $fw_conf["excluded-ips"] != $str_excl ) {
|
||||
$status->addMessage(_('Exclude IP address(es) '. $str_excl ), 'success');
|
||||
$fw_conf["excluded-ips"] = $str_excl;
|
||||
}
|
||||
}
|
||||
WriteFirewallConf($fw_conf);
|
||||
configureFirewall();
|
||||
}
|
||||
$vpn_ips = getVPN_IPs();
|
||||
echo renderTemplate("firewall", compact(
|
||||
"status",
|
||||
"ap_device",
|
||||
"str_clients",
|
||||
"fw_conf",
|
||||
"ipt_rules")
|
||||
"ipt_rules",
|
||||
"vpn_ips")
|
||||
);
|
||||
}
|
||||
|
||||
@@ -18,34 +18,45 @@
|
||||
<?php endif ?>
|
||||
<div class="row">
|
||||
<div class="col-md-6">
|
||||
<p class="mr-2"><small><?php echo _("The default firewall will allow only outgoing and already established traffic. No UDP traffic is allowed. There are no restrictions for the access point.") ?></small></p>
|
||||
<p class="mr-2"><small><?php echo _("The default firewall will only allow outgoing and already established traffic.<br> No incoming UDP traffic is allowed.<br>There are no restrictions for the access point <code>$ap_device</code>.") ?></small></p>
|
||||
</div>
|
||||
</div>
|
||||
<form id="frm-firewall" action="firewall_conf" method="POST" >
|
||||
<?php echo CSRFTokenFieldTag(); ?>
|
||||
<h5><?php echo _("Exceptions for Services"); ?></h4>
|
||||
<h5><?php echo _("Exception: Service"); ?></h4>
|
||||
<div class="row">
|
||||
<div class="form-group col-md-6">
|
||||
<div class="custom-control custom-switch">
|
||||
<input class="custom-control-input" id="ssh-enable" type="checkbox" name="ssh-enable" value="1" aria-describedby="exceptions-description" <?php if ($fw_conf["ssh-enable"]) echo "checked"; ?> >
|
||||
<input class="custom-control-input" id="ssh-enable" type="checkbox" name="ssh-enable" value="1" aria-describedby="exception-description" <?php if ($fw_conf["ssh-enable"]) echo "checked"; ?> >
|
||||
<label class="custom-control-label" for="ssh-enable"><?php echo _("allow SSH access on port 22") ?></label>
|
||||
</div>
|
||||
<div class="custom-control custom-switch">
|
||||
<input class="custom-control-input" id="http-enable" type="checkbox" name="http-enable" value="1" aria-describedby="exceptions-description" <?php if ($fw_conf["http-enable"]) echo "checked"; ?> >
|
||||
<label class="custom-control-label" for="http-enable"><?php echo _("allow access to the RaspAP GUI") ?></label>
|
||||
<label class="custom-control-label" for="http-enable"><?php echo _("allow access to the RaspAP GUI on port 80 or 443") ?></label>
|
||||
</div>
|
||||
<p class="mb-0" id="exceptions-description">
|
||||
<small><?php echo _("Allow access for some services from the client side.") ?></small>
|
||||
<small><?php echo _("Allow incoming connections for some services from the internet side.") ?></small>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
<h5><?php echo _("Exclusions from the firewall"); ?></h4>
|
||||
<h5><?php echo _("Exception: network device"); ?></h4>
|
||||
<div class="row">
|
||||
<div class="form-group col-md-6">
|
||||
<label for="excl-device"><?php echo _("Exclude device(s)") ?></label>
|
||||
<input class="form-control" id="excl-devices" type="text" name="excl-devices" value="<?php echo $fw_conf["excl-devices"] ?>" aria-describedby="exclusion-description" >
|
||||
<p class="mb-0" id="exclusion-description">
|
||||
<small><?php echo _("Exclude the given network device(s) (separated by a comma) from firewall rules.<br>Current client devices: <code>$str_clients</code><br>The access point <code>". $ap_device ."</code> is per default excluded.") ?></small>
|
||||
<small><?php echo _("Exclude the given network device(s) (separated by a blank or comma) from firewall rules.<br>Current client devices: <code>$str_clients</code><br>The access point <code>". $ap_device ."</code> is per default excluded.") ?></small>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
<h5><?php echo _("Exception: IP-Address"); ?></h4>
|
||||
<div class="row">
|
||||
<div class="form-group col-md-6">
|
||||
<label for="excluded-ips"><?php echo _("Allow incoming connections from") ?></label>
|
||||
<input class="form-control" id="excluded-ips" type="text" name="excluded-ips" value="<?php echo $fw_conf["excluded-ips"] ?>" aria-describedby="excl-ips-description" >
|
||||
<p class="mb-0" id="excl-ips-description">
|
||||
<small><?php echo _("For the given IP-addresses (separated by a blank or comma) the incoming connection (via TCP and UDP) is accepted.<br>This is required for an OpenVPN via UDP or Wireguard connection.") ?></small>
|
||||
<small><?php if ( !empty($vpn_ips) ) echo _("<br>The list of configured VPN server IP addresses: <code>". $vpn_ips. "</code>") ?></small>
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
Reference in New Issue
Block a user