From patchwork Thu May 28 17:58:44 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 3145
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 49XwSM63mkz43xG
	for <patchwork@web04.haj.ipfire.org>; Thu, 28 May 2020 17:59:15 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 49XwSH4C0Cz38T;
	Thu, 28 May 2020 17:59:11 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 49XwSH29nzz2xjy;
	Thu, 28 May 2020 17:59:11 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 49XwSB10dHz2yx6
 for <development@lists.ipfire.org>; Thu, 28 May 2020 17:59:06 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (Client did not present a certificate)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 49XwS970Jqz1dJ;
 Thu, 28 May 2020 17:59:05 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1590688746;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=K5VjWWfQT1M2CgIzOX/QxSrOfr6ySJcWzpUbkqVKYO8=;
 b=qWPjw+A0DFxvHCbQ6ci9lu9/kFvwbSBvOJ5qD8ljqzpd0CIK0xBR1eBLImIl6b4JkIayCA
 PPIUya3up/GJlWBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1590688746;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=K5VjWWfQT1M2CgIzOX/QxSrOfr6ySJcWzpUbkqVKYO8=;
 b=brrxqQehDIhU7tjY+ZnA90PoM/Ifzwf/D41VZX3q7mSFBFCvDU6Khk4RffZwZHk4TtrNBh
 ReDLBPkqiu6fU2fXcrYzeN4H0qJRANJE/vMYXEejIr0wm7EESmFKsxfP4Wsq/PUY7/rzd7
 /ZGoZf+DWsS5W6QLlEHCRPe8c+O98KKO3Nl8azmOSZzT6j8L/fQzgReGzaGnuAb2HHdHci
 fVRGM1sqv9mpqDUAPNkbHTWnS+ld7RWDfvs7fi+Xh2AVgkOnARUA7t8nk+Sd9DpYf3UDsQ
 iOyR/TO85/HVxuQ+UijRsE3k8fnwEMs30KQawnGKa19u7yLU50sEUmrkqK7M1Q==
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 10/16] IPsec: Allow sending DNS server addresses to RW clients
Date: Thu, 28 May 2020 17:58:44 +0000
Message-Id: <20200528175850.12638-11-michael.tremer@ipfire.org>
In-Reply-To: <20200528175850.12638-1-michael.tremer@ipfire.org>
References: <20200528175850.12638-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 doc/language_issues.de   |  2 +-
 doc/language_issues.en   |  2 ++
 doc/language_issues.es   |  2 ++
 doc/language_issues.fr   |  2 +-
 doc/language_issues.it   |  2 +-
 doc/language_issues.nl   |  2 ++
 doc/language_issues.pl   |  2 ++
 doc/language_issues.ru   |  2 ++
 doc/language_issues.tr   |  2 +-
 doc/language_missings    |  8 ++++++
 html/cgi-bin/vpnmain.cgi | 54 ++++++++++++++++++++++++++++++++++------
 langs/en/cgi-bin/en.pl   |  1 +
 12 files changed, 69 insertions(+), 12 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 4c4a37742..ab074d94d 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -219,7 +219,6 @@ WARNING: translation string unused: dns new 1
 WARNING: translation string unused: dns saved
 WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
-WARNING: translation string unused: dns servers
 WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
@@ -800,6 +799,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: no entries = No entries at the moment.
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 9bef2930c..c05fc0800 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -624,6 +624,7 @@ WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns proxy server = DNS Proxy Server
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns title = Domain Name System
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
@@ -1166,6 +1167,7 @@ WARNING: untranslated string: ipfires hostname = IPFire's Hostname
 WARNING: untranslated string: ipinfo = IP info
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 57a20d214..376af0dc4 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -833,6 +833,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati
 WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
@@ -1147,6 +1148,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 3fe75fd07..c52ef3972 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -246,7 +246,6 @@ WARNING: translation string unused: dns new 1
 WARNING: translation string unused: dns saved
 WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
-WARNING: translation string unused: dns servers
 WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
 WARNING: translation string unused: domain not set
@@ -839,6 +838,7 @@ WARNING: untranslated string: guardian logtarget_file = unknown string
 WARNING: untranslated string: guardian logtarget_syslog = unknown string
 WARNING: untranslated string: guardian no entries = unknown string
 WARNING: untranslated string: guardian service = unknown string
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec invalid ip address or fqdn for rw endpoint = Invalid IP address or FQDN for Host-to-Net Endpoint
 WARNING: untranslated string: ipsec roadwarrior endpoint = Host-to-Net Endpoint
 WARNING: untranslated string: pakfire ago = ago.
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 53cd94b90..be1f9c351 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -220,7 +220,6 @@ WARNING: translation string unused: dns new 1
 WARNING: translation string unused: dns saved
 WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
-WARNING: translation string unused: dns servers
 WARNING: translation string unused: dnsforward forward_server
 WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
@@ -983,6 +982,7 @@ WARNING: untranslated string: invalid input for valid till days = Invalid input
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 85a9cd587..21e1e8daa 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -856,6 +856,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati
 WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
@@ -992,6 +993,7 @@ WARNING: untranslated string: invalid input for valid till days = Invalid input
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 57a20d214..376af0dc4 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -833,6 +833,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati
 WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
@@ -1147,6 +1148,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 6ed13933a..dc8d83beb 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -837,6 +837,7 @@ WARNING: untranslated string: dns mode for qname minimisation = QNAME Minimisati
 WARNING: untranslated string: dns no address given = No IP Address given.
 WARNING: untranslated string: dns no tls hostname given = No TLS hostname given.
 WARNING: untranslated string: dns recursor mode = Recursor Mode
+WARNING: untranslated string: dns servers = DNS Servers
 WARNING: untranslated string: dns tls hostname = TLS Hostname
 WARNING: untranslated string: dns use isp assigned nameservers = Use ISP-assigned DNS servers
 WARNING: untranslated string: dns use protocol for dns queries = Protocol for DNS queries
@@ -1149,6 +1150,7 @@ WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hos
 WARNING: untranslated string: invalid logserver protocol = Invalid syslogd server protocol
 WARNING: untranslated string: ipsec = IPsec
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 8821371f7..dd4d24ae3 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -242,7 +242,6 @@ WARNING: translation string unused: dns new 1
 WARNING: translation string unused: dns saved
 WARNING: translation string unused: dns saved txt
 WARNING: translation string unused: dns server
-WARNING: translation string unused: dns servers
 WARNING: translation string unused: dnsforward forward_server
 WARNING: translation string unused: dnssec information
 WARNING: translation string unused: do not log this port list
@@ -909,6 +908,7 @@ WARNING: untranslated string: invalid input for local ip address = Invalid input
 WARNING: untranslated string: invalid input for mode = Invalid input for mode
 WARNING: untranslated string: invalid ip or hostname = Invalid IP Address or Hostname
 WARNING: untranslated string: ipsec connection = IPsec Connection
+WARNING: untranslated string: ipsec dns server address is invalid = Invalid DNS server IP address(es)
 WARNING: untranslated string: ipsec interface mode gre = GRE
 WARNING: untranslated string: ipsec interface mode none = - None (Default) -
 WARNING: untranslated string: ipsec interface mode vti = VTI
diff --git a/doc/language_missings b/doc/language_missings
index 3034db5ba..fe0713fdf 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -37,6 +37,7 @@
 < g.dtm
 < g.lite
 < insert removable device
+< ipsec dns server address is invalid
 < ipsec invalid ip address or fqdn for rw endpoint
 < ipsec roadwarrior endpoint
 < no entries
@@ -567,6 +568,7 @@
 < invalid logserver protocol
 < ipsec
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -927,6 +929,7 @@
 < download apple profile
 < g.dtm
 < g.lite
+< ipsec dns server address is invalid
 < ipsec invalid ip address or fqdn for rw endpoint
 < ipsec roadwarrior endpoint
 < upload fcdsl.o
@@ -1138,6 +1141,7 @@
 < invalid ip or hostname
 < invalid logserver protocol
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -1514,6 +1518,7 @@
 < invalid ip or hostname
 < invalid logserver protocol
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -2211,6 +2216,7 @@
 < invalid logserver protocol
 < ipsec
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -3069,6 +3075,7 @@
 < invalid logserver protocol
 < ipsec
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
@@ -3483,6 +3490,7 @@
 < invalid input for mode
 < invalid ip or hostname
 < ipsec connection
+< ipsec dns server address is invalid
 < ipsec interface mode gre
 < ipsec interface mode none
 < ipsec interface mode vti
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 0d141cb88..93120ea44 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -124,6 +124,7 @@ $cgiparams{'MODE'} = "tunnel";
 $cgiparams{'INTERFACE_MODE'} = "";
 $cgiparams{'INTERFACE_ADDRESS'} = "";
 $cgiparams{'INTERFACE_MTU'} = 1500;
+$cgiparams{'DNS_SERVERS'} = "";
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
 
 my %APPLE_CIPHERS = (
@@ -511,6 +512,13 @@ sub writeipsecfiles {
 		# Fragmentation
 		print CONF "\tfragmentation=yes\n";
 
+		# DNS Servers for RW
+		if ($lconfighash{$key}[3] eq 'host') {
+			my @servers = split(/\|/, $lconfighash{$key}[39]);
+
+			print CONF "\trightdns=" . join(",", @servers) . "\n";
+		}
+
 		print CONF "\n";
 	} #foreach key
 
@@ -1612,6 +1620,7 @@ END
 		$cgiparams{'INTERFACE_MODE'}		= $confighash{$cgiparams{'KEY'}}[36];
 		$cgiparams{'INTERFACE_ADDRESS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'INTERFACE_MTU'}		= $confighash{$cgiparams{'KEY'}}[38];
+		$cgiparams{'DNS_SERVERS'}		= $confighash{$cgiparams{'KEY'}}[39];
 
 		if (!$cgiparams{'DPD_DELAY'}) {
 			$cgiparams{'DPD_DELAY'} = 30;
@@ -1745,6 +1754,16 @@ END
 			}
 		}
 
+		if ($cgiparams{'TYPE'} eq 'host') {
+			my @servers = split(",", $cgiparams{'DNS_SERVERS'});
+			foreach my $server (@servers) {
+				unless (&Network::check_ip_address($server)) {
+					$errormessage = $Lang::tr{'ipsec dns server address is invalid'};
+					goto VPNCONF_ERROR;
+				}
+			}
+		}
+
 		if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) {
 			$errormessage = $Lang::tr{'invalid input'};
 			goto VPNCONF_ERROR;
@@ -2147,7 +2166,7 @@ END
 	my $key = $cgiparams{'KEY'};
 	if (! $key) {
 		$key = &General::findhasharraykey (\%confighash);
-		foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";}
+		foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";}
 	}
 	$confighash{$key}[0] = $cgiparams{'ENABLED'};
 	$confighash{$key}[1] = $cgiparams{'NAME'};
@@ -2198,6 +2217,7 @@ END
 	$confighash{$key}[36] = $cgiparams{'INTERFACE_MODE'};
 	$confighash{$key}[37] = $cgiparams{'INTERFACE_ADDRESS'};
 	$confighash{$key}[38] = $cgiparams{'INTERFACE_MTU'};
+	$confighash{$key}[39] = join("|", split(",", $cgiparams{'DNS_SERVERS'}));
 
 	# free unused fields!
 	$confighash{$key}[15] = 'off';
@@ -2280,6 +2300,7 @@ END
 	$cgiparams{'INTERFACE_MODE'}        	= "";
 	$cgiparams{'INTERFACE_ADDRESS'}        	= "";
 	$cgiparams{'INTERFACE_MTU'}        	= 1500;
+	$cgiparams{'DNS_SERVERS'}        	= "";
 }
 
 VPNCONF_ERROR:
@@ -2376,11 +2397,8 @@ END
 EOF
 	}
 
-	my $disabled;
-	my $blob;
-	if ($cgiparams{'TYPE'} eq 'host') {
-		$disabled = "disabled='disabled'";
-	} elsif ($cgiparams{'TYPE'} eq 'net') {
+	my $blob = "";
+	if ($cgiparams{'TYPE'} eq 'net') {
 		$blob = "<img src='/blob.gif' alt='*' />";
 	};
 
@@ -2390,6 +2408,9 @@ EOF
 	my @remote_subnets = split(/\|/, $cgiparams{'REMOTE_SUBNET'});
 	my $remote_subnets = join(",", @remote_subnets);
 
+	my @dns_servers = split(/\|/, $cgiparams{'DNS_SERVERS'});
+	my $dns_servers = join(",", @dns_servers);
+
 	print <<END;
 	<tr>
 		<td width='20%'>$Lang::tr{'enabled'}</td>
@@ -2425,10 +2446,26 @@ END
 		<td width='30%'>
 			<input type='text' name='LOCAL_SUBNET' value='$local_subnets' size="25" />
 		</td>
-		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;$blob</td>
+END
+
+	if ($cgiparams{'TYPE'} eq "net") {
+		print <<END;
+		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'remote subnet'}&nbsp;<img src='/blob.gif' alt='*' /></td>
+		<td width='30%'>
+			<input type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+		</td>
+END
+
+	} elsif ($cgiparams{'TYPE'} eq "host") {
+		print <<END;
+		<td class='boldbase' nowrap='nowrap' width='20%'>$Lang::tr{'dns servers'}:</td>
 		<td width='30%'>
-			<input $disabled type='text' name='REMOTE_SUBNET' value='$remote_subnets' size="25" />
+			<input type='text' name='DNS_SERVERS' value='$dns_servers' size="25" />
 		</td>
+END
+	}
+
+	print <<END;
 	</tr>
 	<tr>
 		<td class='boldbase' width='20%'>$Lang::tr{'vpn local id'}:</td>
@@ -2764,6 +2801,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 		$cgiparams{'INTERFACE_MODE'}		= $confighash{$cgiparams{'KEY'}}[36];
 		$cgiparams{'INTERFACE_ADDRESS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'INTERFACE_MTU'}		= $confighash{$cgiparams{'KEY'}}[38];
+		$cgiparams{'DNS_SERVERS'}		= $confighash{$cgiparams{'KEY'}}[39];
 
 		if (!$cgiparams{'DPD_DELAY'}) {
 			$cgiparams{'DPD_DELAY'} = 30;
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 54e8c404a..adc04f6b3 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1547,6 +1547,7 @@
 'ipinfo' => 'IP info',
 'ipsec' => 'IPsec',
 'ipsec connection' => 'IPsec Connection',
+'ipsec dns server address is invalid' => 'Invalid DNS server IP address(es)',
 'ipsec interface mode gre' => 'GRE',
 'ipsec interface mode none' => '- None (Default) -',
 'ipsec interface mode vti' => 'VTI',