Home Explore Help
Register Sign In
wareck
/
luci
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: a68673da78
Branches Tags
luci
/
applications
/
luci-app-ocserv
/
luasrc
/
model
/
cbi
/
ocserv
/
main.lua

main.lua 6.0 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175 
  1. -- Copyright 2014 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
    2. 

  2. -- Licensed to the public under the Apache License 2.0.
    3. 

  3. 

  4. local fs = require "nixio.fs"
    5. 

  5. local has_ipv6 = fs.access("/proc/net/ipv6_route")
    6. 

  6. 

  7. m = Map("ocserv", translate("OpenConnect VPN"))
    8. 

  8. 

  9. s = m:section(TypedSection, "ocserv", "OpenConnect")
    10. 

  10. s.anonymous = true
    11. 

  11. 

  12. s:tab("general",  translate("General Settings"))
    13. 

  13. s:tab("ca", translate("CA certificate"))
    14. 

  14. s:tab("template", translate("Edit Template"))
    15. 

  15. 

  16. local e = s:taboption("general", Flag, "enable", translate("Enable server"))
    17. 

  17. e.rmempty = false
    18. 

  18. e.default = "1"
    19. 

  19. 

  20. local o_sha = s:taboption("general", DummyValue, "sha_hash", translate("Server's certificate SHA1 hash"),
    21. 

  21. 			  translate("That value should be communicated to the client to verify the server's certificate"))
    22. 

  22. local o_pki = s:taboption("general", DummyValue, "pkid", translate("Server's Public Key ID"),
    23. 

  23. 			  translate("An alternative value to be communicated to the client to verify the server's certificate; this value only depends on the public key"))
    24. 

  24. 

  25. local fd = io.popen("/usr/bin/certtool -i --infile /etc/ocserv/server-cert.pem", "r")
    26. 

  26. if fd then local ln
    27. 

  27. 	local found_sha = false
    28. 

  28. 	local found_pki = false
    29. 

  29. 	local complete = 0
    30. 

  30. 	while complete < 2 do
    31. 

  31. 		local ln = fd:read("*l")
    32. 

  32. 		if not ln then
    33. 

  33. 			break
    34. 

  34. 		elseif ln:match("SHA%-?1 fingerprint:") then
    35. 

  35. 			found_sha = true
    36. 

  36. 		elseif found_sha then
    37. 

  37. 			local hash = ln:match("([a-f0-9]+)")
    38. 

  38. 			o_sha.default = hash and hash:upper()
    39. 

  39. 			complete = complete + 1
    40. 

  40. 			found_sha = false
    41. 

  41. 		elseif ln:match("Public Key I[Dd]:") then
    42. 

  42. 			found_pki = true
    43. 

  43. 		elseif found_pki then
    44. 

  44. 			local hash = ln:match("([a-f0-9]+)")
    45. 

  45. 			o_pki.default = hash and "sha1:" .. hash:upper()
    46. 

  46. 			complete = complete + 1
    47. 

  47. 			found_pki = false
    48. 

  48. 		end
    49. 

  49. 	end
    50. 

  50. 	fd:close()
    51. 

  51. end
    52. 

  52. 

  53. function m.on_commit(map)
    54. 

  54. 	luci.sys.call("/usr/bin/occtl reload  >/dev/null 2>&1")
    55. 

  55. end
    56. 

  56. 

  57. function e.write(self, section, value)
    58. 

  58. 	if value == "0" then
    59. 

  59. 		luci.sys.call("/etc/init.d/ocserv stop >/dev/null 2>&1")
    60. 

  60. 		luci.sys.call("/etc/init.d/ocserv disable  >/dev/null 2>&1")
    61. 

  61. 	else
    62. 

  62. 		luci.sys.call("/etc/init.d/ocserv enable  >/dev/null 2>&1")
    63. 

  63. 		luci.sys.call("/etc/init.d/ocserv restart  >/dev/null 2>&1")
    64. 

  64. 	end
    65. 

  65. 	Flag.write(self, section, value)
    66. 

  66. end
    67. 

  67. 

  68. local o
    69. 

  69. 

  70. o = s:taboption("general", ListValue, "auth", translate("User Authentication"),
    71. 

  71. 	translate("The authentication method for the users. The simplest is plain with a single username-password pair. Use PAM modules to authenticate using another server (e.g., LDAP, Radius)."))
    72. 

  72. o.rmempty = false
    73. 

  73. o.default = "plain"
    74. 

  74. o:value("plain")
    75. 

  75. o:value("PAM")
    76. 

  76. 

  77. o = s:taboption("general", Value, "zone", translate("Firewall Zone"),
    78. 

  78. 	translate("The firewall zone that the VPN clients will be set to"))
    79. 

  79. o.nocreate = true
    80. 

  80. o.default = "lan"
    81. 

  81. o.template = "cbi/firewall_zonelist"
    82. 

  82. 

  83. s:taboption("general", Value, "port", translate("Port"),
    84. 

  84. 	translate("The same UDP and TCP ports will be used"))
    85. 

  85. s:taboption("general", Value, "max_clients", translate("Max clients"))
    86. 

  86. s:taboption("general", Value, "max_same", translate("Max same clients"))
    87. 

  87. s:taboption("general", Value, "dpd", translate("Dead peer detection time (secs)"))
    88. 

  88. 

  89. local pip = s:taboption("general", Flag, "predictable_ips", translate("Predictable IPs"),
    90. 

  90. 	translate("The assigned IPs will be selected deterministically"))
    91. 

  91. pip.default = "1"
    92. 

  92. 

  93. local compr = s:taboption("general", Flag, "compression", translate("Enable compression"),
    94. 

  94. 	translate("Enable compression"))
    95. 

  95. compr.default = "1"
    96. 

  96. 

  97. local udp = s:taboption("general", Flag, "udp", translate("Enable UDP"),
    98. 

  98. 	translate("Enable UDP channel support; this must be enabled unless you know what you are doing"))
    99. 

  99. udp.default = "1"
    100. 

  100. 

  101. local cisco = s:taboption("general", Flag, "cisco_compat", translate("AnyConnect client compatibility"),
    102. 

  102. 	translate("Enable support for CISCO AnyConnect clients"))
    103. 

  103. cisco.default = "1"
    104. 

  104. 

  105. ipaddr = s:taboption("general", Value, "ipaddr", translate("VPN <abbr title=\"Internet Protocol Version 4\">IPv4</abbr>-Network-Address"))
    106. 

  106. ipaddr.datatype = "ip4addr"
    107. 

  107. ipaddr.default = "192.168.100.1"
    108. 

  108. 

  109. nm = s:taboption("general", Value, "netmask", translate("VPN <abbr title=\"Internet Protocol Version 4\">IPv4</abbr>-Netmask"))
    110. 

  110. nm.datatype = "ip4addr"
    111. 

  111. nm.default = "255.255.255.0"
    112. 

  112. nm:value("255.255.255.0")
    113. 

  113. nm:value("255.255.0.0")
    114. 

  114. nm:value("255.0.0.0")
    115. 

  115. 

  116. if has_ipv6 then
    117. 

  117. 	ip6addr = s:taboption("general", Value, "ip6addr", translate("VPN <abbr title=\"Internet Protocol Version 6\">IPv6</abbr>-Network-Address"), translate("<abbr title=\"Classless Inter-Domain Routing\">CIDR</abbr>-Notation: address/prefix"))
    118. 

  118. 	ip6addr.datatype = "ip6addr"
    119. 

  119. end
    120. 

  120. 

  121. 

  122. tmpl = s:taboption("template", Value, "_tmpl",
    123. 

  123. 	translate("Edit the template that is used for generating the ocserv configuration."))
    124. 

  124. 

  125. tmpl.template = "cbi/tvalue"
    126. 

  126. tmpl.rows = 20
    127. 

  127. 

  128. function tmpl.cfgvalue(self, section)
    129. 

  129. 	return nixio.fs.readfile("/etc/ocserv/ocserv.conf.template")
    130. 

  130. end
    131. 

  131. 

  132. function tmpl.write(self, section, value)
    133. 

  133. 	value = value:gsub("\r\n?", "\n")
    134. 

  134. 	nixio.fs.writefile("/etc/ocserv/ocserv.conf.template", value)
    135. 

  135. end
    136. 

  136. 

  137. ca = s:taboption("ca", Value, "_ca",
    138. 

  138. 	translate("View the CA certificate used by this server. You will need to save it as 'ca.pem' and import it into the clients."))
    139. 

  139. 

  140. ca.template = "cbi/tvalue"
    141. 

  141. ca.rows = 20
    142. 

  142. 

  143. function ca.cfgvalue(self, section)
    144. 

  144. 	return nixio.fs.readfile("/etc/ocserv/ca.pem")
    145. 

  145. end
    146. 

  146. 

  147. --[[DNS]]--
    148. 

  148. 

  149. s = m:section(TypedSection, "dns", translate("DNS servers"),
    150. 

  150. 	translate("The DNS servers to be provided to clients; can be either IPv6 or IPv4"))
    151. 

  151. s.anonymous = true
    152. 

  152. s.addremove = true
    153. 

  153. s.template = "cbi/tblsection"
    154. 

  154. 

  155. s:option(Value, "ip", translate("IP Address")).rmempty = true
    156. 

  156. s.datatype = "ipaddr"
    157. 

  157. 

  158. --[[Routes]]--
    159. 

  159. 

  160. s = m:section(TypedSection, "routes", translate("Routing table"),
    161. 

  161. 	translate("The routing table to be provided to clients; you can mix IPv4 and IPv6 routes, the server will send only the appropriate. Leave empty to set a default route"))
    162. 

  162. s.anonymous = true
    163. 

  163. s.addremove = true
    164. 

  164. s.template = "cbi/tblsection"
    165. 

  165. 

  166. s:option(Value, "ip", translate("IP Address")).rmempty = true
    167. 

  167. 

  168. o = s:option(Value, "netmask", translate("Netmask (or IPv6-prefix)"))
    169. 

  169. o.default = "255.255.255.0"
    170. 

  170. o:value("255.255.255.0")
    171. 

  171. o:value("255.255.0.0")
    172. 

  172. o:value("255.0.0.0")
    173. 

  173. 

  174. 

  175. return m
    176.