1 -- Copyright 2014 Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
2 -- Licensed to the public under the Apache License 2.0.
4 local fs = require "nixio.fs"
5 local has_ipv6 = fs.access("/proc/net/ipv6_route")
7 m = Map("ocserv", translate("OpenConnect VPN"))
9 s = m:section(TypedSection, "ocserv", "OpenConnect")
12 s:tab("general", translate("General Settings"))
13 s:tab("ca", translate("CA certificate"))
14 s:tab("template", translate("Edit Template"))
16 local e = s:taboption("general", Flag, "enable", translate("Enable server"))
20 local o_pki = s:taboption("general", DummyValue, "pkid", translate("Server's Public Key ID"),
21 translate("The value to be communicated to the client to verify the server's certificate; this value only depends on the public key"))
23 local fd = io.popen("/usr/bin/certtool --hash sha256 --key-id --infile /etc/ocserv/server-cert.pem", "r")
25 local ln = fd:read("*l")
27 o_pki.default = "sha256:" .. ln
32 function m.on_commit(map)
33 luci.sys.call("/usr/bin/occtl reload >/dev/null 2>&1")
36 function e.write(self, section, value)
38 luci.sys.call("/etc/init.d/ocserv stop >/dev/null 2>&1")
39 luci.sys.call("/etc/init.d/ocserv disable >/dev/null 2>&1")
41 luci.sys.call("/etc/init.d/ocserv enable >/dev/null 2>&1")
42 luci.sys.call("/etc/init.d/ocserv restart >/dev/null 2>&1")
44 Flag.write(self, section, value)
49 o = s:taboption("general", ListValue, "auth", translate("User Authentication"),
50 translate("The authentication method for the users. The simplest is plain with a single username-password pair. Use PAM modules to authenticate using another server (e.g., LDAP, Radius)."))
56 s:taboption("general", Value, "port", translate("Port"),
57 translate("The same UDP and TCP ports will be used"))
58 s:taboption("general", Value, "max_clients", translate("Max clients"))
59 s:taboption("general", Value, "max_same", translate("Max same clients"))
60 s:taboption("general", Value, "dpd", translate("Dead peer detection time (secs)"))
62 local pip = s:taboption("general", Flag, "predictable_ips", translate("Predictable IPs"),
63 translate("The assigned IPs will be selected deterministically"))
66 local compr = s:taboption("general", Flag, "compression", translate("Enable compression"),
67 translate("Enable compression"))
70 local udp = s:taboption("general", Flag, "udp", translate("Enable UDP"),
71 translate("Enable UDP channel support; this must be enabled unless you know what you are doing"))
74 local cisco = s:taboption("general", Flag, "cisco_compat", translate("AnyConnect client compatibility"),
75 translate("Enable support for CISCO AnyConnect clients"))
79 tmpl = s:taboption("template", Value, "_tmpl",
80 translate("Edit the template that is used for generating the ocserv configuration."))
82 tmpl.template = "cbi/tvalue"
85 function tmpl.cfgvalue(self, section)
86 return nixio.fs.readfile("/etc/ocserv/ocserv.conf.template")
89 function tmpl.write(self, section, value)
90 value = value:gsub("\r\n?", "\n")
91 nixio.fs.writefile("/etc/ocserv/ocserv.conf.template", value)
94 ca = s:taboption("ca", Value, "_ca",
95 translate("View the CA certificate used by this server. You will need to save it as 'ca.pem' and import it into the clients."))
97 ca.template = "cbi/tvalue"
100 function ca.cfgvalue(self, section)
101 return nixio.fs.readfile("/etc/ocserv/ca.pem")
104 --[[Networking options]]--
106 local parp = s:taboption("general", Flag, "proxy_arp", translate("Enable proxy arp"),
107 translate("Provide addresses to clients from a subnet of LAN; if enabled the network below must be a subnet of LAN. Note that the first address of the specified subnet will be reserved by ocserv, so it should not be in use. If you have a network in LAN covering 192.168.1.0/24 use 192.168.1.192/26 to reserve the upper 62 addresses."))
110 ipaddr = s:taboption("general", Value, "ipaddr", translate("VPN <abbr title=\"Internet Protocol Version 4\">IPv4</abbr>-Network-Address"),
111 translate("The IPv4 subnet address to provide to clients; this should be some private network different than the LAN addresses unless proxy ARP is enabled. Leave empty to attempt auto-configuration."))
112 ipaddr.datatype = "ip4addr"
113 ipaddr.default = "192.168.100.1"
115 nm = s:taboption("general", Value, "netmask", translate("VPN <abbr title=\"Internet Protocol Version 4\">IPv4</abbr>-Netmask"),
116 translate("The mask of the subnet above."))
117 nm.datatype = "ip4addr"
118 nm.default = "255.255.255.0"
119 nm:value("255.255.255.0")
120 nm:value("255.255.0.0")
121 nm:value("255.0.0.0")
124 ip6addr = s:taboption("general", Value, "ip6addr", translate("VPN <abbr title=\"Internet Protocol Version 6\">IPv6</abbr>-Network-Address"), translate("<abbr title=\"Classless Inter-Domain Routing\">CIDR</abbr>-Notation: address/prefix"),
125 translate("The IPv6 subnet address to provide to clients; leave empty to attempt auto-configuration."))
126 ip6addr.datatype = "ip6addr"
132 s = m:section(TypedSection, "dns", translate("DNS servers"),
133 translate("The DNS servers to be provided to clients; can be either IPv6 or IPv4. Typically you should include the address of this device"))
136 s.template = "cbi/tblsection"
138 s:option(Value, "ip", translate("IP Address")).rmempty = true
139 s.datatype = "ipaddr"
143 s = m:section(TypedSection, "routes", translate("Routing table"),
144 translate("The routing table to be provided to clients; you can mix IPv4 and IPv6 routes, the server will send only the appropriate. Leave empty to set a default route"))
147 s.template = "cbi/tblsection"
149 s:option(Value, "ip", translate("IP Address")).rmempty = true
151 o = s:option(Value, "netmask", translate("Netmask (or IPv6-prefix)"))
152 o.default = "255.255.255.0"
153 o:value("255.255.255.0")
154 o:value("255.255.0.0")