
[v2,2/2] openvpn: Embed the certificate and key file into configuration

Message ID 1446220042-22681-2-git-send-email-michael.tremer@ipfire.org
State Accepted
Commit b22d8aaf4ad26840cc6907580e6bd0cfea73b160

Message

Michael Tremer Oct. 31, 2015, 2:47 a.m. UTC
  This allows importing just the configuration file
into iOS and establishing the VPN connection. Also works
with many other OpenVPN clients.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 59 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 56 insertions(+), 3 deletions(-)
  

Comments

Michael Tremer Oct. 31, 2015, 2:48 a.m. UTC | #1
Could someone who owns an iPhone please test this?

Best,
-Michael

On Fri, 2015-10-30 at 15:47 +0000, Michael Tremer wrote:
> This will allow to import just the configuration file
> into iOS and establish the VPN connection. Also works
> with many other OpenVPN clients.
> 
> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
> ---
>  html/cgi-bin/ovpnmain.cgi | 59
> ++++++++++++++++++++++++++++++++++++++++++++---
>  1 file changed, 56 insertions(+), 3 deletions(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 7c9ff95..bdbd229 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -2267,11 +2267,14 @@ else
>      	    		
>      my $file_crt = new File::Temp( UNLINK => 1 );
>      my $file_key = new File::Temp( UNLINK => 1 );
> +    my $include_certs = 0;
>  
>      if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f
> "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"
> ) { 
>  	if ($cgiparams{'MODE'} eq 'insecure') {
> +		$include_certs = 1;
> +
>  		# Add the CA
> -		print CLIENTCONF "ca cacert.pem\r\n";
> +		print CLIENTCONF ";ca cacert.pem\r\n";
>  		$zip
> ->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or
> die "Can't add file cacert.pem\n";
>  
>  		# Extract the certificate
> @@ -2282,7 +2285,7 @@ else
>  		}
>  
>  		$zip->addFile("$file_crt",
> "$confighash{$cgiparams{'KEY'}}[1].pem") or die;
> -		print CLIENTCONF "cert
> $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
> +		print CLIENTCONF ";cert
> $confighash{$cgiparams{'KEY'}}[1].pem\r\n";
>  
>  		# Extract the key
>  		system('/usr/bin/openssl', 'pkcs12', '-in',
> "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"
> ,
> @@ -2292,7 +2295,7 @@ else
>  		}
>  
>  		$zip->addFile("$file_key",
> "$confighash{$cgiparams{'KEY'}}[1].key") or die;
> -		print CLIENTCONF "key
> $confighash{$cgiparams{'KEY'}}[1].key\r\n";
> +		print CLIENTCONF ";key
> $confighash{$cgiparams{'KEY'}}[1].key\r\n";
>  	} else {
>  		print CLIENTCONF "pkcs12
> $confighash{$cgiparams{'KEY'}}[1].p12\r\n";
>  		$zip->addFile(
> "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"
> , "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file
> $confighash{$cgiparams{'KEY'}}[1].p12\n";
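Review bot: With the `key` directive now commented out, the archive still carries `$file_key` as a separate `<name>.key` file through the unchanged `$zip->addFile` in this hunk, while the same key is also written inline into the .ovpn later in this patch, so the private key (presumably unencrypted in 'insecure' mode; the `openssl pkcs12` extraction is cut off above) leaves the firewall in two plaintext copies. Since the stated goal is a self-contained profile, the loose .key (and likewise the .pem and cacert.pem) could be omitted when the inline copy is emitted, e.g. `$zip->addFile("$file_key", "$confighash{$cgiparams{'KEY'}}[1].key") or die unless $include_certs;`, unless other clients still depend on the separate files. The commented `;key` line would then point at a file that is not in the zip and could be dropped as well. The enclosing `if`/`else` on the connection type starts before this hunk.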
> @@ -2311,6 +2314,9 @@ else
>  	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
>      }
>      if ($vpnsettings{'TLSAUTH'} eq 'on') {
> +	if ($cgiparams{'MODE'} eq 'insecure') {
> +		print CLIENTCONF ";";
> +	}
>  	print CLIENTCONF "tls-auth ta.key\r\n";
>  	$zip->addFile( "${General::swroot}/ovpn/certs/ta.key",
> "ta.key")  or die "Can't add file ta.key\n";
>      }
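Review bot: The guard added before `tls-auth ta.key` keys on `$cgiparams{'MODE'} eq 'insecure'`, but the inline `<tls-auth>` block emitted later in this patch is conditional on `$include_certs`, which is only set when the connection is of type 'cert' and its .p12 exists. If MODE is 'insecure' while that condition is not met (whether the UI can produce that combination is not visible here), the directive is commented out and never re-emitted inline, so the generated profile carries no tls-auth at all even though the server is configured to require it. Using the same flag in both places keeps them in step: `if ($include_certs) {`. The `if ($vpnsettings{'TLSAUTH'} eq 'on')` block is fully inside the hunk, but its enclosing `else` starts before it.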
> @@ -2335,6 +2341,53 @@ else
>  		print CLIENTCONF "mtu-disc
> $vpnsettings{'PMTU_DISCOVERY'}\r\n";
>  	}
>      }
> +
> +    if ($include_certs) {
> +	print CLIENTCONF "\r\n";
> +
> +	# CA
> +	open(FILE, "<${General::swroot}/ovpn/ca/cacert.pem");
> +	print CLIENTCONF "<ca>\r\n";
> +	while (<FILE>) {
> +		chomp($_);
> +		print CLIENTCONF "$_\r\n";
> +	}
> +	print CLIENTCONF "</ca>\r\n\r\n";
> +	close(FILE);
> +
> +	# Cert
> +	open(FILE, "<$file_crt");
> +	print CLIENTCONF "<cert>\r\n";
> +	while (<FILE>) {
> +		chomp($_);
> +		print CLIENTCONF "$_\r\n";
> +	}
> +	print CLIENTCONF "</cert>\r\n\r\n";
> +	close(FILE);
> +
> +	# Key
> +	open(FILE, "<$file_key");
> +	print CLIENTCONF "<key>\r\n";
> +	while (<FILE>) {
> +		chomp($_);
> +		print CLIENTCONF "$_\r\n";
> +	}
> +	print CLIENTCONF "</key>\r\n\r\n";
> +	close(FILE);
> +
> +	# TLS auth
> +	if ($vpnsettings{'TLSAUTH'} eq 'on') {
> +		open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
> +		print CLIENTCONF "<tls-auth>\r\n";
> +		while (<FILE>) {
> +			chomp($_);
> +			print CLIENTCONF "$_\r\n";
> +		}
> +		print CLIENTCONF "</tls-auth>\r\n\r\n";
> +		close(FILE);
> +	}
> +    }
> +
>      # Print client.conf.local if entries exist to client.ovpn
>      if (!-z $local_clientconf && $vpnsettings{'ADDITIONAL_CONFIGS'}
> eq 'on') {
>         open (LCC, "$local_clientconf");
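Review bot: Each of the four new `open(FILE, "<...")` calls under `# CA`, `# Cert`, `# Key` and `# TLS auth` is a two-argument, bareword open whose result is never checked, so if `$file_key` was never populated (for example because the `openssl pkcs12` extraction above this hunk failed) or `cacert.pem`/`ta.key` is unreadable, the loop silently emits an empty `<key></key>` or `<tls-auth></tls-auth>` block and the user downloads a profile that cannot connect, with no error shown. The `$zip->addFile` calls in the earlier hunks already `die` on failure, so the inline copy should fail just as loudly; as the four blocks differ only in tag and path, a small helper with a three-argument lexical open and an `or die` check is the cleanest fix and is shown below (the helper belongs with the file's other subs, not inside this `else`). The key embedded here is presumably the unencrypted one, given the mode is named 'insecure', so the helper's comment should state that the resulting .ovpn is itself a secret. The enclosing `else` block begins before this hunk.
```perl
# Copy one PEM/key file into CLIENTCONF as an inline <tag>...</tag> block.
# Dies if the file cannot be read, so an unreadable or never-written key
# never silently becomes an empty block in the downloaded profile. In
# 'insecure' mode the key embedded this way is presumably unencrypted
# (confirm against the openssl pkcs12 call), so the .ovpn must be handled
# as a secret.
sub embed_inline_file {
    my ($tag, $path) = @_;
    open(my $in, '<', $path) or die "Can't read $path: $!\n";
    print CLIENTCONF "<$tag>\r\n";
    while (my $line = <$in>) {
        chomp($line);
        print CLIENTCONF "$line\r\n";
    }
    print CLIENTCONF "</$tag>\r\n\r\n";
    close($in);
    return;
}

    if ($include_certs) {
        print CLIENTCONF "\r\n";
        embed_inline_file('ca',   "${General::swroot}/ovpn/ca/cacert.pem");
        embed_inline_file('cert', "$file_crt");
        embed_inline_file('key',  "$file_key");
        if ($vpnsettings{'TLSAUTH'} eq 'on') {
            embed_inline_file('tls-auth', "${General::swroot}/ovpn/certs/ta.key");
        }
    }
    # … unchanged: client.conf.local append …
```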