Julien Vaubourg il y a 9 ans
Parent
commit
d1d4ac7358

+ 1 - 0
conf/openvpn_client.conf.tpl

@@ -23,6 +23,7 @@ comp-lzo adaptive
 
 # TLS
 tls-client
+<TPL:TA_COMMENT>tls-auth /etc/openvpn/keys/user_ta.key 1
 remote-cert-tls server
 ca /etc/openvpn/keys/ca-server.crt
 <TPL:CERT_COMMENT>cert /etc/openvpn/keys/user.crt
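Review bot: The key direction on the new `tls-auth` line is hard-coded to `1`, which only interoperates with a server whose configuration uses `tls-auth ta.key 0`; a server set up without a direction (bidirectional mode) or with direction `1` will fail the control-channel handshake with nothing in this template hinting why. I would add a comment above the line: `# tls-auth key direction is fixed to 1: the server side must use direction 0 (or the handshake fails)`. Since the static key is a shared secret with the same sensitivity as the client private key, a second comment noting that `user_ta.key` must be readable only by the OpenVPN user would help whoever provisions the keys directory.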

+ 6 - 0
conf/ynh-vpnclient

@@ -114,6 +114,12 @@ start_openvpn() {
     sed 's|^<TPL:CERT_COMMENT>|;|' -i /etc/openvpn/client.conf
   fi
 
+  if [ -e /etc/openvpn/keys/user_ta.key ]; then
+    sed 's|^<TPL:TA_COMMENT>||' -i /etc/openvpn/client.conf
+  else
+    sed 's|^<TPL:TA_COMMENT>|;|' -i /etc/openvpn/client.conf
+  fi
+
   if [[ "${proto}" =~ udp ]]; then
     sed 's|^<TPL:UDP_COMMENT>||' -i /etc/openvpn/client.conf
   else
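Review bot: The new guard uses `[ -e ... ]`, so an empty or unreadable `user_ta.key` still uncomments the `tls-auth` line and OpenVPN will refuse to start on the key-file error rather than fall back to a plain TLS handshake; `if [ -s /etc/openvpn/keys/user_ta.key ]; then` (non-empty regular file) matches the intent better and costs nothing. Because this file is written by the web controller via `move_uploaded_file` (visible in the controller.php section of this commit), the start path is also a natural place to pin its mode before OpenVPN reads it, e.g. `chmod 0600 /etc/openvpn/keys/user_ta.key` inside the first branch, as the static key is a shared secret. start_openvpn begins before this hunk and continues after it, so I cannot tell whether the cert branch above already handles the unreadable-file case.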

+ 7 - 0
sources/controller.php

@@ -78,6 +78,7 @@ dispatch('/', function() {
   set('ip6_net', $ip6_net);
   set('crt_client_exists', file_exists('/etc/openvpn/keys/user.crt'));
   set('crt_client_key_exists', file_exists('/etc/openvpn/keys/user.key'));
+  set('crt_client_ta_exists', file_exists('/etc/openvpn/keys/user_ta.key'));
   set('crt_server_ca_exists', file_exists('/etc/openvpn/keys/ca-server.crt'));
   set('faststatus', service_faststatus() == 0);
   set('raw_openvpn', $raw_openvpn);
@@ -180,6 +181,12 @@ dispatch_put('/settings', function() {
     } elseif($_POST['crt_client_key_delete'] == 1) {
       unlink('/etc/openvpn/keys/user.key');
     }
+
+    if($_FILES['crt_client_ta']['error'] == UPLOAD_ERR_OK) {
+      move_uploaded_file($_FILES['crt_client_ta']['tmp_name'], '/etc/openvpn/keys/user_ta.key');
+    } elseif($_POST['crt_client_ta_delete'] == 1) {
+      unlink('/etc/openvpn/keys/user_ta.key');
+    }
     
     if($_FILES['crt_server_ca']['error'] == UPLOAD_ERR_OK) {
       move_uploaded_file($_FILES['crt_server_ca']['tmp_name'], '/etc/openvpn/keys/ca-server.crt');
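Review bot: The return value of `move_uploaded_file` on the new `user_ta.key` branch is ignored, so a failed move (permissions on /etc/openvpn/keys, full disk) leaves the old key or no key in place while the handler presumably goes on to report the configuration as updated; the `unlink` in the else branch is equally unchecked, and `$_POST['crt_client_ta_delete']` is read without `isset`, which emits a notice on every save that does not include the checkbox. I would write `if(!move_uploaded_file($_FILES['crt_client_ta']['tmp_name'], '/etc/openvpn/keys/user_ta.key')) { /* record an error like the validation block above */ }` and `} elseif(isset($_POST['crt_client_ta_delete']) && $_POST['crt_client_ta_delete'] == 1) {`. The static key is a shared secret equivalent to the client private key, so after a successful move it is worth pinning `chmod('/etc/openvpn/keys/user_ta.key', 0600);` instead of relying on whatever mode the upload temp file carried. Nothing here checks that the uploaded content is actually an OpenVPN static key (the file starts with `-----BEGIN OpenVPN Static key V1-----`), so a misfiled `user.key` is silently accepted and only shows up later as a failed handshake. This hunk sits inside dispatch_put('/settings'), whose body starts and ends outside the hunk, and the pre-existing cert and key branches above share the same unchecked pattern.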

BIN
sources/i18n/fr_FR/LC_MESSAGES/localization.mo


+ 65 - 52
sources/i18n/fr_FR/LC_MESSAGES/localization.po

@@ -8,8 +8,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: data 2\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2015-09-28 16:51+0200\n"
-"PO-Revision-Date: 2015-09-28 16:52+0200\n"
+"POT-Creation-Date: 2015-09-28 17:23+0200\n"
+"PO-Revision-Date: 2015-09-28 17:25+0200\n"
 "Last-Translator: samy boutayeb <samy@langues-etcetera.fr>\n"
 "Language-Team: none\n"
 "Language: fr\n"
@@ -19,62 +19,62 @@ msgstr ""
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"
 "X-Generator: Poedit 1.8.4\n"
 
-#: sources/controller.php:102
+#: sources/controller.php:103
 msgid "The Server Address, the Server Port and the Protocol cannot be empty"
 msgstr ""
 "L'adresse du serveur, le port du serveur et le protocole ne peuvent pas être "
 "vides"
 
-#: sources/controller.php:106
+#: sources/controller.php:107
 msgid "The Server Port must be only composed of digits"
 msgstr "Le port du serveur ne peut correspondre qu'à des chiffres"
 
-#: sources/controller.php:110
+#: sources/controller.php:111
 msgid "The Protocol must be \"udp\" or \"tcp\""
 msgstr "Le protocole ne peut correspondre qu'à \"udp\" ou \"tcp\""
 
-#: sources/controller.php:114
+#: sources/controller.php:115
 msgid "You need to define two DNS resolver addresses"
 msgstr "Vous devez définir deux adresses de résolveur DNS"
 
-#: sources/controller.php:120
+#: sources/controller.php:121
 msgid "A Client Certificate is needed when you suggest a Key, or vice versa"
 msgstr ""
 "Un certificat client est nécessaire si vous proposez une clé, et inversement"
 
-#: sources/controller.php:124
+#: sources/controller.php:125
 msgid "A Password is needed when you suggest a Username, or vice versa"
 msgstr ""
 "Un mot de passe est nécessaire si vous proposez un nom d'utilisateur, et "
 "inversement"
 
-#: sources/controller.php:128
+#: sources/controller.php:129
 msgid "You need a Server CA."
 msgstr "Vous ne pouvez pas ne pas avoir de CA de serveur"
 
-#: sources/controller.php:132
+#: sources/controller.php:133
 msgid "You need either a Client Certificate, either a Username, or both"
 msgstr ""
 "Vous devez avoir soit un certificat client, soit un nom d'utilisateur, soit "
 "les deux"
 
-#: sources/controller.php:139
+#: sources/controller.php:140
 msgid "The IPv6 Delegated Prefix format looks bad"
 msgstr "Le format du préfixe IPv6 délégué semble incorrect"
 
-#: sources/controller.php:150
+#: sources/controller.php:151
 msgid "configuration not updated"
 msgstr "configuration non-mise à jour"
 
-#: sources/controller.php:197
+#: sources/controller.php:204
 msgid "Configuration updated and service successfully reloaded"
 msgstr "Configuration mise à jour et service correctement rechargé"
 
-#: sources/controller.php:199
+#: sources/controller.php:206
 msgid "Configuration updated but service reload failed"
 msgstr "Configuration mise à jour mais le rechargement du service a échoué"
 
-#: sources/controller.php:203
+#: sources/controller.php:210
 msgid "Service successfully disabled"
 msgstr "Service désactivé avec succès"
 
@@ -87,7 +87,7 @@ msgid "Error"
 msgstr "Erreur"
 
 #: sources/views/layout.html.php:54 sources/views/settings.html.php:117
-#: sources/views/settings.html.php:157
+#: sources/views/settings.html.php:131
 msgid "Notice"
 msgstr "Notice"
 
@@ -197,92 +197,105 @@ msgstr ""
 msgid "Authentication"
 msgstr "Authentification"
 
-#: sources/views/settings.html.php:128
+#: sources/views/settings.html.php:131
+msgid "You need to upload a Server CA for starting your VPN Client."
+msgstr "Vous devez transférer un CA de serveur pour démarrer votre client VPN."
+
+#: sources/views/settings.html.php:135
+msgid "Update Server CA"
+msgstr "Actualiser le CA du serveur"
+
+#: sources/views/settings.html.php:135
+msgid "Upload Server CA"
+msgstr "Transférer le CA du serveur"
+
+#: sources/views/settings.html.php:138
+msgid "You cannot have no server CA"
+msgstr "Vous ne pouvez pas ne pas avoir de CA de serveur"
+
+#: sources/views/settings.html.php:143 sources/views/settings.html.php:156
+#: sources/views/settings.html.php:169 sources/views/settings.html.php:182
+msgid "Browse"
+msgstr "Parcourir"
+
+#: sources/views/settings.html.php:148
 msgid "Update Client Cert."
 msgstr "Actualiser le certificat client"
 
-#: sources/views/settings.html.php:128
+#: sources/views/settings.html.php:148
 msgid "Upload Client Cert."
-msgstr "Téléverser le certificat client"
+msgstr "Téléverser un certificat client"
 
-#: sources/views/settings.html.php:131 sources/views/settings.html.php:144
+#: sources/views/settings.html.php:151 sources/views/settings.html.php:164
+#: sources/views/settings.html.php:177
 msgid "Delete this certificate"
 msgstr "Supprimer ce certificat"
 
-#: sources/views/settings.html.php:136 sources/views/settings.html.php:149
-#: sources/views/settings.html.php:169
-msgid "Browse"
-msgstr "Parcourir"
-
-#: sources/views/settings.html.php:141
+#: sources/views/settings.html.php:161
 msgid "Update Client Key"
 msgstr "Actualiser la clé client"
 
-#: sources/views/settings.html.php:141
+#: sources/views/settings.html.php:161
 msgid "Upload Client Key"
-msgstr "Téléverser la clé client"
+msgstr "Téléverser un clé client"
 
-#: sources/views/settings.html.php:147
+#: sources/views/settings.html.php:167 sources/views/settings.html.php:180
 msgid "Make sure your browser is able to read the key file before uploading"
 msgstr ""
 "Assurez-vous que votre navigateur peut lire le fichier contenant la clé "
 "avant de le téléverser"
 
-#: sources/views/settings.html.php:149
+#: sources/views/settings.html.php:169 sources/views/settings.html.php:182
 msgid "make sure your browser is able to read the key file before uploading"
 msgstr ""
 "assurez-vous que votre navigateur peut lire le fichier contenant la clé "
 "avant de le téléverser"
 
-#: sources/views/settings.html.php:157
-msgid "You need to upload a Server CA for starting your VPN Client."
-msgstr "Vous devez transférer un CA de serveur pour démarrer votre client VPN."
-
-#: sources/views/settings.html.php:161
-msgid "Update Server CA"
-msgstr "Actualiser le CA du serveur"
-
-#: sources/views/settings.html.php:161
-msgid "Upload Server CA"
-msgstr "Transférer le CA du serveur"
+#: sources/views/settings.html.php:174
+msgid "ta.key"
+msgstr "ta.key"
 
-#: sources/views/settings.html.php:164
-msgid "You cannot have no server CA"
-msgstr "Vous ne pouvez pas ne pas avoir de CA de serveur"
+#: sources/views/settings.html.php:174
+msgid "Update Shared-Secret"
+msgstr "Actualiser le secret partagé"
 
 #: sources/views/settings.html.php:174
+msgid "Upload Shared-Secret"
+msgstr "Téléverser un secret partagé"
+
+#: sources/views/settings.html.php:187
 msgid "Username"
 msgstr "Nom d'utilisateur"
 
-#: sources/views/settings.html.php:176 sources/views/settings.html.php:183
+#: sources/views/settings.html.php:189 sources/views/settings.html.php:196
 msgid "Leave empty if not necessary"
 msgstr "Laisser vide si non nécessaire"
 
-#: sources/views/settings.html.php:181
+#: sources/views/settings.html.php:194
 msgid "Password"
 msgstr "Mot de passe"
 
-#: sources/views/settings.html.php:191
+#: sources/views/settings.html.php:204
 msgid "DNS"
 msgstr "DNS"
 
-#: sources/views/settings.html.php:196
+#: sources/views/settings.html.php:209
 msgid "First resolver"
 msgstr "Premier résolveur"
 
-#: sources/views/settings.html.php:198 sources/views/settings.html.php:205
+#: sources/views/settings.html.php:211 sources/views/settings.html.php:218
 msgid "IPv6 or IPv4"
 msgstr "IPv6 ou IPv4"
 
-#: sources/views/settings.html.php:203
+#: sources/views/settings.html.php:216
 msgid "Second resolver"
 msgstr "Second résolveur"
 
-#: sources/views/settings.html.php:213
+#: sources/views/settings.html.php:226
 msgid "Reloading may take a few minutes. Be patient."
 msgstr "Le rechargement peut prendre quelques minutes. Soyez patient."
 
-#: sources/views/settings.html.php:213
+#: sources/views/settings.html.php:226
 msgid "Save and reload"
 msgstr "Sauvegarder et recharger"
 

+ 59 - 46
sources/i18n/localization.pot

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2015-09-28 16:51+0200\n"
+"POT-Creation-Date: 2015-09-28 17:23+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -17,55 +17,55 @@ msgstr ""
 "Content-Type: text/plain; charset=CHARSET\n"
 "Content-Transfer-Encoding: 8bit\n"
 
-#: sources/controller.php:102
+#: sources/controller.php:103
 msgid "The Server Address, the Server Port and the Protocol cannot be empty"
 msgstr ""
 
-#: sources/controller.php:106
+#: sources/controller.php:107
 msgid "The Server Port must be only composed of digits"
 msgstr ""
 
-#: sources/controller.php:110
+#: sources/controller.php:111
 msgid "The Protocol must be \"udp\" or \"tcp\""
 msgstr ""
 
-#: sources/controller.php:114
+#: sources/controller.php:115
 msgid "You need to define two DNS resolver addresses"
 msgstr ""
 
-#: sources/controller.php:120
+#: sources/controller.php:121
 msgid "A Client Certificate is needed when you suggest a Key, or vice versa"
 msgstr ""
 
-#: sources/controller.php:124
+#: sources/controller.php:125
 msgid "A Password is needed when you suggest a Username, or vice versa"
 msgstr ""
 
-#: sources/controller.php:128
+#: sources/controller.php:129
 msgid "You need a Server CA."
 msgstr ""
 
-#: sources/controller.php:132
+#: sources/controller.php:133
 msgid "You need either a Client Certificate, either a Username, or both"
 msgstr ""
 
-#: sources/controller.php:139
+#: sources/controller.php:140
 msgid "The IPv6 Delegated Prefix format looks bad"
 msgstr ""
 
-#: sources/controller.php:150
+#: sources/controller.php:151
 msgid "configuration not updated"
 msgstr ""
 
-#: sources/controller.php:197
+#: sources/controller.php:204
 msgid "Configuration updated and service successfully reloaded"
 msgstr ""
 
-#: sources/controller.php:199
+#: sources/controller.php:206
 msgid "Configuration updated but service reload failed"
 msgstr ""
 
-#: sources/controller.php:203
+#: sources/controller.php:210
 msgid "Service successfully disabled"
 msgstr ""
 
@@ -78,7 +78,7 @@ msgid "Error"
 msgstr ""
 
 #: sources/views/layout.html.php:54 sources/views/settings.html.php:117
-#: sources/views/settings.html.php:157
+#: sources/views/settings.html.php:131
 msgid "Notice"
 msgstr ""
 
@@ -181,87 +181,100 @@ msgstr ""
 msgid "Authentication"
 msgstr ""
 
-#: sources/views/settings.html.php:128
-msgid "Update Client Cert."
+#: sources/views/settings.html.php:131
+msgid "You need to upload a Server CA for starting your VPN Client."
 msgstr ""
 
-#: sources/views/settings.html.php:128
-msgid "Upload Client Cert."
+#: sources/views/settings.html.php:135
+msgid "Update Server CA"
 msgstr ""
 
-#: sources/views/settings.html.php:131 sources/views/settings.html.php:144
-msgid "Delete this certificate"
+#: sources/views/settings.html.php:135
+msgid "Upload Server CA"
+msgstr ""
+
+#: sources/views/settings.html.php:138
+msgid "You cannot have no server CA"
 msgstr ""
 
-#: sources/views/settings.html.php:136 sources/views/settings.html.php:149
-#: sources/views/settings.html.php:169
+#: sources/views/settings.html.php:143 sources/views/settings.html.php:156
+#: sources/views/settings.html.php:169 sources/views/settings.html.php:182
 msgid "Browse"
 msgstr ""
 
-#: sources/views/settings.html.php:141
+#: sources/views/settings.html.php:148
+msgid "Update Client Cert."
+msgstr ""
+
+#: sources/views/settings.html.php:148
+msgid "Upload Client Cert."
+msgstr ""
+
+#: sources/views/settings.html.php:151 sources/views/settings.html.php:164
+#: sources/views/settings.html.php:177
+msgid "Delete this certificate"
+msgstr ""
+
+#: sources/views/settings.html.php:161
 msgid "Update Client Key"
 msgstr ""
 
-#: sources/views/settings.html.php:141
+#: sources/views/settings.html.php:161
 msgid "Upload Client Key"
 msgstr ""
 
-#: sources/views/settings.html.php:147
+#: sources/views/settings.html.php:167 sources/views/settings.html.php:180
 msgid "Make sure your browser is able to read the key file before uploading"
 msgstr ""
 
-#: sources/views/settings.html.php:149
+#: sources/views/settings.html.php:169 sources/views/settings.html.php:182
 msgid "make sure your browser is able to read the key file before uploading"
 msgstr ""
 
-#: sources/views/settings.html.php:157
-msgid "You need to upload a Server CA for starting your VPN Client."
-msgstr ""
-
-#: sources/views/settings.html.php:161
-msgid "Update Server CA"
+#: sources/views/settings.html.php:174
+msgid "ta.key"
 msgstr ""
 
-#: sources/views/settings.html.php:161
-msgid "Upload Server CA"
+#: sources/views/settings.html.php:174
+msgid "Update Shared-Secret"
 msgstr ""
 
-#: sources/views/settings.html.php:164
-msgid "You cannot have no server CA"
+#: sources/views/settings.html.php:174
+msgid "Upload Shared-Secret"
 msgstr ""
 
-#: sources/views/settings.html.php:174
+#: sources/views/settings.html.php:187
 msgid "Username"
 msgstr ""
 
-#: sources/views/settings.html.php:176 sources/views/settings.html.php:183
+#: sources/views/settings.html.php:189 sources/views/settings.html.php:196
 msgid "Leave empty if not necessary"
 msgstr ""
 
-#: sources/views/settings.html.php:181
+#: sources/views/settings.html.php:194
 msgid "Password"
 msgstr ""
 
-#: sources/views/settings.html.php:191
+#: sources/views/settings.html.php:204
 msgid "DNS"
 msgstr ""
 
-#: sources/views/settings.html.php:196
+#: sources/views/settings.html.php:209
 msgid "First resolver"
 msgstr ""
 
-#: sources/views/settings.html.php:198 sources/views/settings.html.php:205
+#: sources/views/settings.html.php:211 sources/views/settings.html.php:218
 msgid "IPv6 or IPv4"
 msgstr ""
 
-#: sources/views/settings.html.php:203
+#: sources/views/settings.html.php:216
 msgid "Second resolver"
 msgstr ""
 
-#: sources/views/settings.html.php:213
+#: sources/views/settings.html.php:226
 msgid "Reloading may take a few minutes. Be patient."
 msgstr ""
 
-#: sources/views/settings.html.php:213
+#: sources/views/settings.html.php:226
 msgid "Save and reload"
 msgstr ""

+ 27 - 14
sources/views/settings.html.php

@@ -125,6 +125,26 @@
 
         <div style="padding: 14px 14px 0 10px">
           <div class="form-group">
+            <?php if(!$crt_server_ca_exists): ?>
+              <div class="alert alert-dismissible alert-warning fade in" style="margin: 2px 16px 17px" role="alert">
+                <button type="button" class="close" data-dismiss="alert"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
+                <strong><?= _('Notice') ?>:</strong> <?= _("You need to upload a Server CA for starting your VPN Client.") ?>
+              </div>
+            <?php endif; ?>
+
+            <label for="crt_server_ca" class="col-sm-3 control-label"><?= $crt_server_ca_exists ? _('Update Server CA') : _('Upload Server CA') ?></label>
+            <div class="input-group col-sm-9" style="padding: 0 15px">
+              <?php if($crt_server_ca_exists): ?>
+                <a class="btn btn-danger not-allowed btn-disabled input-group-addon" id="crt_server_ca_deletebtn" data-toggle="tooltip" data-title="<?= _('You cannot have no server CA') ?>"><span class="glyphicon glyphicon-remove"></span></a>
+                <input id="crt_server_ca_delete" name="crt_server_ca_delete" type="checkbox" value="1" style="display: none" />
+              <?php endif; ?>
+              <input type="text" class="form-control fileinput" id="crt_server_ca_choosertxt" placeholder="-----BEGIN CERTIFICATE-----" readonly="readonly" />
+              <input id="crt_server_ca" name="crt_server_ca" type="file" style="display: none" />
+              <a class="btn input-group-addon fileinput" id="crt_server_ca_chooserbtn" data-toggle="tooltip" data-title="<?= _('Browse') ?>"><span class="glyphicon glyphicon-search"></span></a>
+            </div>
+          </div>
+
+          <div class="form-group">
             <label for="crt_client" class="col-sm-3 control-label"><?= $crt_client_exists ? _('Update Client Cert.') : _('Upload Client Cert.') ?></label>
             <div class="input-group col-sm-9" style="padding: 0 15px">
               <?php if($crt_client_exists): ?>
@@ -151,22 +171,15 @@
           </div>
 
           <div class="form-group">
-            <?php if(!$crt_server_ca_exists): ?>
-              <div class="alert alert-dismissible alert-warning fade in" style="margin: 2px 16px 17px" role="alert">
-                <button type="button" class="close" data-dismiss="alert"><span aria-hidden="true">&times;</span><span class="sr-only">Close</span></button>
-                <strong><?= _('Notice') ?>:</strong> <?= _("You need to upload a Server CA for starting your VPN Client.") ?>
-              </div>
-            <?php endif; ?>
-
-            <label for="crt_server_ca" class="col-sm-3 control-label"><?= $crt_server_ca_exists ? _('Update Server CA') : _('Upload Server CA') ?></label>
+            <label for="crt_client_ta" class="col-sm-3 control-label" data-toggle="tooltip" data-title="<?= _('ta.key') ?>"><?= $crt_client_ta_exists ? _('Update Shared-Secret') : _('Upload Shared-Secret') ?></label>
             <div class="input-group col-sm-9" style="padding: 0 15px">
-              <?php if($crt_server_ca_exists): ?>
-                <a class="btn btn-danger not-allowed btn-disabled input-group-addon" id="crt_server_ca_deletebtn" data-toggle="tooltip" data-title="<?= _('You cannot have no server CA') ?>"><span class="glyphicon glyphicon-remove"></span></a>
-                <input id="crt_server_ca_delete" name="crt_server_ca_delete" type="checkbox" value="1" style="display: none" />
+              <?php if($crt_client_ta_exists): ?>
+                <a class="btn btn-danger input-group-addon deletefile" id="crt_client_ta_deletebtn" data-toggle="tooltip" data-title="<?= _('Delete this certificate') ?>"><span class="glyphicon glyphicon-remove"></span></a>
+                <input id="crt_client_ta_delete" name="crt_client_ta_delete" type="checkbox" value="1" style="display: none" />
               <?php endif; ?>
-              <input type="text" class="form-control fileinput" id="crt_server_ca_choosertxt" placeholder="-----BEGIN CERTIFICATE-----" readonly="readonly" />
-              <input id="crt_server_ca" name="crt_server_ca" type="file" style="display: none" />
-              <a class="btn input-group-addon fileinput" id="crt_server_ca_chooserbtn" data-toggle="tooltip" data-title="<?= _('Browse') ?>"><span class="glyphicon glyphicon-search"></span></a>
+              <input type="text" class="form-control fileinput" id="crt_client_ta_choosertxt" data-toggle="tooltip" data-title="<?= _('Make sure your browser is able to read the key file before uploading') ?>" placeholder="-----BEGIN PRIVATE KEY-----" readonly="readonly" />
+              <input id="crt_client_ta" name="crt_client_ta" type="file" style="display: none" />
+              <a class="btn input-group-addon fileinput" id="crt_client_ta_chooserbtn" data-toggle="tooltip" data-title="<?= _('Browse') ?> (<?= _('make sure your browser is able to read the key file before uploading') ?>)"><span class="glyphicon glyphicon-search"></span></a>
             </div>
           </div>
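Review bot: The placeholder on the new shared-secret input, `placeholder="-----BEGIN PRIVATE KEY-----"`, describes a PKCS#8 private key rather than an OpenVPN tls-auth key, whose file begins with `-----BEGIN OpenVPN Static key V1-----`; a user following the hint is nudged toward uploading their client private key into the ta.key slot, which the controller change in this same commit accepts without inspecting the content. I would change it to `placeholder="-----BEGIN OpenVPN Static key V1-----"`. The delete button on the same block reuses `_('Delete this certificate')` although the file is a shared secret, not a certificate; since a dedicated msgid would need a new translation, a neutral label such as `_('Delete this file')` is the cheaper accurate fix. The form-group closes on the last line of this hunk but the enclosing form continues beyond it.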