FreeRadius: PPTP - RADIUS and client IP address



  • All,

    I have configured the pfsense PPTP server to point to the local FreeRADIUS package. This works OK and I am able to create accounts, and the users are logging in OK.

    However, what I have noticed is that with this pfsense FreeRADIUS package you cannot specify a static IP for a particular account. With the local database you can specify the username, password and (optionally) an IP address. But with the FreeRADIUS database you can only specify the username and password.

    Is this a limitation of the RADIUS authentication method - or is it just the limitation of the current FreeRADIUS package? Are there any plans to update the FreeRADIUS package to allow configuring of the PPTP account IP address?

    Regards,

    Mon



  • I have the same problem :( :( My first idea is probably a sample from the WARTA project; they use ppptd.dial to dynamically add rules with the VPN IP to the firewall.



  • I think it's a GUI limitation of the current freeradius implementation. Patches accepted ;)



  • Where are the patches?



  • Somebody has to add the functionality and generate a patch. If that is then sent in to us, we'll add it to the official package.



  • I also added FreeRadius to my pfsense…
    but for me, nothing is more important than ID security.
    I think it is much better if an ID can't be shared. As far as I know, 1 ID can be shared by many users at the same time.
    Any tips to solve this?
    Thanks



  • At Services > Captive portal, check this option:


    If this option is set, only the most recent login per username will be active. Subsequent logins will cause machines previously logged in with the same username to be disconnected.



  • Thanks for replying

    Actually, I already ticked this option… but it still allows many users to use 1 ID at the same time. For your info, I am using FreeRadius with RC2.
    Thanks

    From the portal auth log:

    Oct 12 22:13:15 logportalauth[7489]: LOGIN: test, 00:0c:f1:20:b5:7c, 192.168.1.114
    Oct 12 22:27:41 logportalauth[9545]: LOGIN: test, 00:14:a4:73:d5:9f, 192.168.1.104
    Oct 12 22:56:52 logportalauth[24672]: LOGIN: test, 00:12:0e:4d:2d:cd, 192.168.1.116

    [/] Disable concurrent logins
    If this option is set, only the most recent login per username will be active. Subsequent logins will cause machines previously logged in with the same username to be disconnected.
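
    The log lines above show exactly the pattern the option is meant to prevent: one username active from three MAC addresses at once. The script below is an added example, not code from this post or from pfSense. It replays logportalauth lines and flags any username with more sessions open than the allowed limit; the three LOGIN lines from the post are reused as sample input, the two "alice" lines are constructed, and the event names other than LOGIN (LOGOUT and the like) are an assumption, since the thread only shows LOGIN records.

```python
"""Flag usernames with more captive-portal sessions open than allowed.

Parses pfSense logportalauth lines such as
    Oct 12 22:13:15 logportalauth[7489]: LOGIN: test, 00:0c:f1:20:b5:7c, 192.168.1.114
and keeps one session per (username, MAC). A LOGIN opens a session; any other
event for the same MAC (LOGOUT, TIMEOUT, ...; names other than LOGIN are an
assumption, the thread only shows LOGIN lines) closes it.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"logportalauth\[\d+\]: (?P<event>[A-Z ]+?): "
    r"(?P<user>[^,]+), (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), (?P<ip>[0-9.]+)\s*$"
)

# Sample input: the three LOGIN lines quoted in the post, plus two constructed
# lines for a user 'alice' who logs in and out normally.
SAMPLE_LOG = """\
Oct 12 22:13:15 logportalauth[7489]: LOGIN: test, 00:0c:f1:20:b5:7c, 192.168.1.114
Oct 12 22:20:03 logportalauth[8102]: LOGIN: alice, 00:1b:63:aa:bb:cc, 192.168.1.120
Oct 12 22:27:41 logportalauth[9545]: LOGIN: test, 00:14:a4:73:d5:9f, 192.168.1.104
Oct 12 22:40:10 logportalauth[9901]: LOGOUT: alice, 00:1b:63:aa:bb:cc, 192.168.1.120
Oct 12 22:56:52 logportalauth[24672]: LOGIN: test, 00:12:0e:4d:2d:cd, 192.168.1.116
"""


def parse_line(line):
    """Return the fields of one logportalauth line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def concurrent_logins(log_text, limit=1):
    """Replay the log and return (alerts, active).

    alerts: one entry per LOGIN that pushed a username above `limit` open
            sessions, with the MACs involved at that moment.
    active: username -> {mac: ip} for sessions still open at the end.
    """
    active = defaultdict(dict)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated syslog line
        user, mac = ev["user"], ev["mac"].lower()
        if ev["event"] == "LOGIN":
            active[user][mac] = ev["ip"]
            if len(active[user]) > limit:
                alerts.append({
                    "ts": ev["ts"],
                    "user": user,
                    "active": len(active[user]),
                    "macs": sorted(active[user]),
                })
        else:
            # any non-LOGIN event for that MAC ends its session
            active[user].pop(mac, None)
    return alerts, {u: dict(s) for u, s in active.items() if s}


if __name__ == "__main__":
    found, still_open = concurrent_logins(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} user {a['user']!r} has {a['active']} sessions open: "
              + ", ".join(a["macs"]))
    for u, s in still_open.items():
        print(f"still open for {u!r}: {len(s)} session(s)")
```

    On the sample it reports the second and third "test" logins (2 and then 3 sessions open) while "alice" never trips the limit, which is the signal you would want from the RADIUS side too once Simultaneous-Use is enforced there.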



  • Actually I think that option only works when using the local user manager. The RADIUS server needs to deny the second login, but there is no option for this in the GUI of the freeradius package.



  • I succeeded in preventing multiple connections with the same ID. I used freeradius's "Simultaneous-Use" function for it without GUI configuration. Here is the tip I made.

    1. If you haven't installed the freeradius package yet, install it from Packages on pfsense.

    2. Uninstall the freeradius package from the installed packages page.
    This is needed because you will lose the contents of the "users" file you made after rebooting if you don't remove the package GUI from pfsense.

    3. I found some problems starting freeradius on pfsense 1.0.1. I think it is due to a missing libltdl-1.5.22 dependency and a wrong configuration variable for the location of the pidfile in radiusd.conf.

    a. Install libltdl-1.5.22
    Get it from ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/All/libltdl-1.5.22.tbz
    and upload it to pfsense. You can use "command prompt -> upload" on pfsense.
    Log on to the pfsense console -> 8. shell
    #cd /tmp
    #pkg_add libltdl-1.5.22.tbz

    b. now you need to adjust radiusd.conf
    #ee /usr/local/etc/raddb/radiusd.conf
    find pidfile = ${run_dir}/radiusd and change it to pidfile = /var/run/radiusd.pid

    and set bind_address and port like below.
    bind_address = *
    port = 0

    and save.

    4. and open /usr/local/etc/raddb/clients.conf file and edit it like below

    client 127.0.0.1 {
    secret = passward
    shortname = local
    }

    Please note that "passward" is the password for you to use as the "RADIUS shared secret" in the PPTP configuration.

    5. And go to the PPTP configuration page on pfsense:
    check 'Use a RADIUS server for authentication'
    check 'Enable RADIUS accounting'
    enter 127.0.0.1 for 'RADIUS server'
    enter 'RADIUS shared secret' -> you should use the password that was used for "secret =" in clients.conf.
    and save

    6. Add the PPTP users to /usr/local/etc/raddb/users like the following.

    test1 User-Password == "test1"
            Fall-Through = Yes

    test2 User-Password == "test2"
            Fall-Through = Yes

    DEFAULT Simultaneous-Use += 1

    In this case the PPTP users are test1 and test2, and each can have only one connection at a time. If you want two simultaneous connections, you can change "DEFAULT Simultaneous-Use += 1" to "DEFAULT Simultaneous-Use += 2".

    7. Restart freeradius so it reads the new "users" file.
    #killall radiusd
    #radiusd
    or
    #/usr/local/etc/rc.d/radiusd.sh restart

    8. If you need to add more PPTP users to freeradius's users file, you can edit it from the 'Edit file' menu in pfsense or from the shell. And you should restart radiusd.

    This way, I succeeded in preventing multiple PPTP connections, but I failed to assign a user ID to a specific IP address with "Framed-IP-Address =" in the freeradius users file.

    test   User-Password == "test"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 10.100.1.198

    Radiusd sends the reply with the IP address to pfsense, but I think pfsense ignores it and gives a dynamic IP address. I see the option 'RADIUS issued IP's' on the PPPoE configuration page in pfsense, so I think getting the IP address from RADIUS is possible for PPTP as well. Is there anyone who can give me advice on how to make pfsense accept the freeradius reply and assign the IP address from freeradius?

    And I hope that somebody will adjust the Freeradius package GUI to add the Simultaneous-Use function to the users file.



  • As you seem to know what you are doing, why not implement this feature and provide diffs against the current code so we can commit them? ;D



  • I'd like to but I don't know how to. Sorry, I'm a beginner with FreeBSD and I'm not even a programmer. I don't know PHP or the C language and don't even know exactly how pfsense is working. I read some documents on freeradius and I just got this information from the documents and the log.

    If you give me some documents about how to implement a feature and provide diffs, I can figure out whether I can do it or not.



  • I succeeded in assigning the IP address from the RADIUS server by just modifying the vpn_pptp.php and vpn.inc files. I didn't even know PHP, but I got some hints from vpn_pppoe.php and copied some code from it.

    Now it is possible for the PPTP user to get the IP address from another RADIUS server, and you can prevent multiple PPTP connections with the same ID if you are using another RADIUS server.

    If you want these PPTP functions to be available with the freeradius package on pfsense, please use my previous tip.

    I will try to modify the freeradius package as well later, but I'm not sure I can do that.

    Dear Hoba,
    Could you give me some advice on which files are involved in the freeradius package configuration?
    And please advise me where I should send the new vpn_pptp.php and vpn.inc files for your checking and committing.



  • I was planning on trying to add some things to the freeradius GUI and radiusd.conf this weekend,
    stuff like:
    expire
    session-time

    Don't know if the freeradius package is already on version 1.1.13?
    Then also:
    logintime added to the user file and radiusd.conf (allows a user to only be online between the times and days given for that user)
    user-defined counters added to radiusd.conf
    user-defined counter attributes added to the user file
    so that you can limit the max sessions you can make
    limit the max online time per day, week, month etc.

    Maybe an extra textbox for extra things to add to a user, like the static IP stuff?



  • Now I have finished the freeradius package GUI for assigning an IP address to a user and for multiple connection control. I spent almost the whole day on it.

    Dear Hoba,
    If you don't mind, I will send the files of vpn.inc, vpn_pptp.php, freeradius.inc and freeradius.xml to you via e-mail.

    Dear Jeroen234,
    It's good news. I'm waiting for your version that will support more functions. If you don't mind I'd like to send the files to you as well. I think it may help for your work.



  • Can you just attach them as diffs against the latest version of the files that you changed here? This way maybe jeroen can merge them together with his changes too.



  • @sbyoon:

    Dear Jeroen234,
    It's good news. I'm waiting for your version that will support more functions. If you don't mind I'd like to send the files to you as well. I think it may help for your work.

    No problem, send them to jeroenjohanzwarts at hotmail dot com

    I will then add the extra functions to those files.
    Don't know if you have made the Simultaneous-Use function a user-based one
    or just a global one.
    If it is global then I will add a user-based one.



  • I will send the files to your e-mail. And I've made a user-based Simultaneous-Use function.








  • Got them, thanks

    [edit]

    This is what I have working now:
    Expiration, Session-Timeout, Onlinetime

    user file:
    john      User-Password == "doe", Simultaneous-Use += 1, Expiration := "101020081010", Login-Time := "Any0800-2000"
              Framed-IP-Address = 10.10.10.10

    jeroen234 User-Password == "jeroen234", Simultaneous-Use += 1, Expiration := "121220071010"

    joop      User-Password == "joop", Simultaneous-Use += 1, Expiration := "201020081010"

    sint      User-Password == "sint", Simultaneous-Use += 1
              Session-Timeout := 500
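
    The users-file entries in this post and in the earlier tip (test1/test2 with Fall-Through and a single DEFAULT Simultaneous-Use line) interact in a way that is easy to get wrong: the DEFAULT entry is only reached by accounts whose own entry falls through, so a per-user entry that sets a static Framed-IP-Address without Fall-Through silently loses the concurrency limit. The script below is an added example, not code from the thread or from the FreeRADIUS project. It parses a users file in the users(5) format and reports, per account, the effective Simultaneous-Use limit and any static Framed-IP-Address. The sample file is constructed from the entries quoted in the thread; the attribute names are the standard FreeRADIUS ones.

```python
"""Audit a FreeRADIUS 'users' file: which accounts really get a
Simultaneous-Use limit, and which get a static Framed-IP-Address.

Entries are resolved the way the files module walks the file: entries are
tried top to bottom, an entry applies when its name is the username or
DEFAULT, and the walk stops at the first applying entry unless that entry
carries 'Fall-Through = Yes' among its reply items. Operators follow the
users(5) rules: ':=' replaces, '+=' appends, '=' sets only if absent,
'==' and '!=' are pure comparisons against the request and store nothing.
"""
import re

ITEM_RE = re.compile(
    r'\s*(?P<attr>[A-Za-z0-9-]+)\s*(?P<op>==|:=|\+=|!=|=)\s*'
    r'(?P<val>"(?:[^"\\]|\\.)*"|[^,\s]+)\s*(?:,|$)'
)

# Constructed sample, modelled on the two users files posted in this thread.
# 'static' is the interesting case: it has no Fall-Through, so the DEFAULT
# line never applies to it and it ends up with no concurrency limit at all.
SAMPLE_USERS = """\
test1   User-Password == "test1"
        Fall-Through = Yes

test2   User-Password == "test2"
        Fall-Through = Yes

static  User-Password == "static"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 10.100.1.198

john    User-Password == "doe", Simultaneous-Use += 1, Expiration := "101020081010", Login-Time := "Any0800-2000"
        Framed-IP-Address = 10.10.10.10

DEFAULT Simultaneous-Use += 1
"""


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into a list of (attr, op, value)."""
    text = text.strip()
    items, pos = [], 0
    while pos < len(text):
        m = ITEM_RE.match(text, pos)
        if not m:
            raise ValueError(f"cannot parse item list at {text[pos:]!r}")
        val = m.group("val")
        if val.startswith('"'):
            val = val[1:-1]
        items.append((m.group("attr"), m.group("op"), val))
        pos = m.end()
    return items


def parse_users_file(text):
    """Return [(name, check_items, reply_items), ...] in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":                      # indented line: reply items
            if not entries:
                raise ValueError("reply items before any entry")
            entries[-1][2].extend(parse_items(line))
        else:                                     # column 0: a new entry
            m = re.match(r"(\S+)\s*(.*)", line)
            entries.append((m.group(1), parse_items(m.group(2)), []))
    return entries


def _apply(store, attr, op, val):
    if op == ":=":
        store[attr] = [val]
    elif op == "+=":
        store.setdefault(attr, []).append(val)
    elif op == "=":
        store.setdefault(attr, [val])
    # '==' and '!=' only compare against the request; nothing is stored


def resolve(entries, username):
    """Effective (check_items, reply_items) for one username, as dicts attr -> [values]."""
    check, reply = {}, {}
    for name, check_items, reply_items in entries:
        if name not in (username, "DEFAULT"):
            continue
        for attr, op, val in check_items:
            _apply(check, attr, op, val)
        fall_through = False
        for attr, op, val in reply_items:
            if attr == "Fall-Through":
                fall_through = val.lower() == "yes"
                continue
            _apply(reply, attr, op, val)
        if not fall_through:
            break
    return check, reply


def audit(text, usernames=None):
    """Per-account effective Simultaneous-Use limit and static Framed-IP-Address."""
    entries = parse_users_file(text)
    if usernames is None:
        usernames = [n for n, _, _ in entries if n != "DEFAULT"]
    report = {}
    for user in usernames:
        check, reply = resolve(entries, user)
        limit = check.get("Simultaneous-Use")
        report[user] = {
            # first value wins, as a first-match lookup of the config list would
            "simultaneous_use": int(limit[0]) if limit else None,
            "framed_ip": reply.get("Framed-IP-Address", [None])[0],
        }
    return report


def unlimited(report):
    """Usernames that can log in any number of times at once."""
    return sorted(u for u, r in report.items() if r["simultaneous_use"] is None)


if __name__ == "__main__":
    result = audit(SAMPLE_USERS)
    for user, r in result.items():
        print(f"{user:10} Simultaneous-Use={r['simultaneous_use']} Framed-IP-Address={r['framed_ip']}")
    print("accounts without a concurrency limit:", unlimited(result))
```

    Run against the sample it lists static as the one account with no concurrency limit: its entry sets a static IP but has no Fall-Through, so the DEFAULT line never applies. Any account that is supposed to be limited needs either its own Simultaneous-Use check item (as john has) or Fall-Through = Yes.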



  • Dear Jeroen,

    It looks so good. pfsense will have strong RADIUS server functions.

    Dear Hoba,

    As I mentioned before, we need some modifications to pfsense's PPTP so that it uses the reply from the RADIUS server to assign the IP address from the RADIUS server to PPTP users. The files involved are vpn.inc and vpn_pptp.php. I'm posting my new files here for your information.

    vpn.inc

    /*
    	vpn.inc
    	Copyright (C) 2004-2006 Scott Ullrich
    	All rights reserved.
    
    	originally part of m0n0wall (http://m0n0.ch/wall)
    	Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
    	All rights reserved.
    
    	Redistribution and use in source and binary forms, with or without
    	modification, are permitted provided that the following conditions are met:
    
    	1. Redistributions of source code must retain the above copyright notice,
    	   this list of conditions and the following disclaimer.
    
    	2. Redistributions in binary form must reproduce the above copyright
    	   notice, this list of conditions and the following disclaimer in the
    	   documentation and/or other materials provided with the distribution.
    
    	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    	POSSIBILITY OF SUCH DAMAGE.
    */
    
    /* include all configuration functions */
    require_once("functions.inc");
    
    /* master setup for vpn (mpd) */
    function vpn_setup() {
    	/* start pptpd */
    	vpn_pptpd_configure();
    
    	/* start pppoe server */
    	vpn_pppoe_configure();
    }
    
    function vpn_ipsec_failover_configure() {
    	global $config, $g;
    
    	$sasyncd_text = "";
    
    	if($config['installedpackages']['sasyncd']['config'] <> "")
    		foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
    			$enabled = isset($sasyncd['enable']);
    			if(!$enabled)
    				return;
    			if($sasyncd['peerip'] <> "")
    				$sasyncd_text .= "peer {$sasyncd['peerip']}\n";
    			if($sasyncd['interface'])
    				$sasyncd_text .= "carp interface {$sasyncd['interface']}\n";
    			if($sasyncd['sharedkey'] <> "")
    				$sasyncd_text .= "sharedkey {$sasyncd['sharedkey']}\n";
    			if($sasyncd['mode'] <> "")
    				$sasyncd_text .= "mode {$sasyncd['mode']}\n";
    			if($sasyncd['listenon'] <> "")
    				$sasyncd_text .= "listen on {$sasyncd['listenon']}\n";
    			if($sasyncd['flushmodesync'] <> "")
    				$sasyncd_text .= "flushmode sync {$sasyncd['flushmodesync']}\n";
    		}
    
    	$fd = fopen("{$g['varetc_path']}/sasyncd.conf", "w");
    	fwrite($fd, $sasyncd_text);
    	fclose($fd);
    	chmod("{$g['varetc_path']}/sasyncd.conf", 0600);
    
    	mwexec("killall sasyncd");
    
    	/* launch sasyncd, oh wise one */
    	/* mwexec_bg("/usr/local/sbin/sasyncd -d -v -v -v"); */
    }
    
    function find_last_gif_device() {
    	 	$regs = "";
            $last_gif_found = -1;
            if (!($fp = popen("/sbin/ifconfig -l", "r"))) return -1;
            $ifconfig_data = fread($fp, 4096);
            pclose($fp);
            $ifconfig_array = split(" ", $ifconfig_data);
            foreach ($ifconfig_array as $ifconfig) {
                    ereg("gif(.)", $ifconfig, $regs);
                    if($regs[0]) {
                            if($regs[0] > $last_gif_found)
                                    $last_gif_found = $regs[1];
                    }
            }
            return $last_gif_found;
    }
    
    function vpn_ipsec_configure($ipchg = false) {
    	global $config, $g, $sa, $sn;
    
    	/* get the automatic /etc/ping_hosts.sh ready */
    	unlink_if_exists("/var/db/ipsecpinghosts");
    	touch("/var/db/ipsecpinghosts");
    
    	if($g['booting'] == true) {
    		/* determine if we should load the via padlock module */
    		$dmesg_boot = `cat /var/log/dmesg.boot | grep CPU`;
    		if(stristr($dmesg_boot, "ACE") == true) {
    			//echo "Enabling [VIA Padlock] ...";
    			//mwexec("/sbin/kldload padlock");
    			//mwexec("/sbin/sysctl net.inet.ipsec.crypto_support=1");
    			//mwexec("/sbin/setkey -F");
    			//mwexec("/sbin/setkey -FP");
    			//echo " done.\n";
    		}
    	}
    
    	if(isset($config['ipsec']['preferredoldsa'])) {
    		mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
    	} else {
    		mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
    	}
    
    	$number_of_gifs = find_last_gif_device();
    	for($x=0; $x<$number_of_gifs; $x++) {
    		mwexec("/sbin/ifconfig gif" . $x . " delete");
    	}
    
    	$curwanip = get_current_wan_address();
    	if($config['installedpackages']['sasyncd']['config'] <> "")
    		foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
    			if($sasyncd['ip'] <> "")
    				$curwanip = $sasyncd['ip'];
    		}
    
    	$syscfg = $config['system'];
    	$ipseccfg = $config['ipsec'];
    	$lancfg = $config['interfaces']['lan'];
    	$lanip = $lancfg['ipaddr'];
    	$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
    	$lansn = $lancfg['subnet'];
    
    	if ($g['booting']) {
    		if (!isset($ipseccfg['enable']))
    			return 0;
    
    		echo "Configuring IPsec VPN... ";
    	} else {
    		/* kill racoon */
    		mwexec("/usr/bin/killall racoon");
    
    		/* wait for process to die */
    		sleep(2);
    
    		/* send a SIGKILL to be sure */
    		sigkillbypid("{$g['varrun_path']}/racoon.pid", "KILL");
    	}
    
    	/* flush SPD and SAD */
    	mwexec("/sbin/setkey -FP");
    	mwexec("/sbin/setkey -F");
    
    	if (isset($ipseccfg['enable'])) {
    
    		/* fastforwarding is not compatible with ipsec tunnels */
    		system("/sbin/sysctl net.inet.ip.fastforwarding=0 >/dev/null 2>&1");
    
    		if (!$curwanip) {
    			/* IP address not configured yet, exit */
    			if ($g['booting'])
    				echo "done\n";
    			return 0;
    		}
    
    		if ((is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) ||
    				isset($ipseccfg['mobileclients']['enable'])) {
    
    			if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel'])) {
    
    				/* generate spd.conf */
    				$fd = fopen("{$g['varetc_path']}/spd.conf", "w");
    				if (!$fd) {
    					printf("Error: cannot open spd.conf in vpn_ipsec_configure().\n");
    					return 1;
    				}
    
    				$spdconf = "";
    
    				$spdconf .= "spdadd {$lansa}/{$lansn} {$lanip}/32 any -P in none;\n";
    				$spdconf .= "spdadd {$lanip}/32 {$lansa}/{$lansn} any -P out none;\n";
    
    				foreach ($ipseccfg['tunnel'] as $tunnel) {
    
    					if (isset($tunnel['disabled']))
    						continue;
    
    					$ep = vpn_endpoint_determine($tunnel, $curwanip);
    					if (!$ep)
    						continue;
    
    					vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
    
    					if(is_domain($tunnel['remote-gateway'])) {
    						$tmp = gethostbyname($tunnel['remote-gateway']);
    						if($tmp)
    							$tunnel['remote-gateway'] = $tmp;
    					}
    
    					/* add entry to host pinger */
    					if($tunnel['pinghost']) {
    						$pfd = fopen("/var/db/ipsecpinghosts","a");
    						$srcip = find_interface_ip($config['interfaces']['lan']['if']);
    						$dstip = $tunnel['pinghost'];
    						fwrite($pfd, "$srcip|$dstip|3\n");
    						fclose($pfd);
    					}
    
    					if(isset($tunnel['creategif'])) {
    						$number_of_gifs = find_last_gif_device();
    						$number_of_gifs++;
    						$curwanip = get_current_wan_address();
    						if($config['installedpackages']['sasyncd']['config'] <> "")
    							foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
    								if($sasyncd['ip'] <> "")
    									$curwanip = $sasyncd['ip'];
    							}
    						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " tunnel" . $curwanip . " " . $tunnel['remote-gateway']);
    						mwexec("/sbin/ifconfig gif" . $number_of_gifs . " {$lansa}/{$lansn} {$lanip}/32");
    					}
    
    					$spdconf .= "spdadd {$sa}/{$sn} " .
    						"{$tunnel['remote-subnet']} any -P out ipsec " .
    						"{$tunnel['p2']['protocol']}/tunnel/{$ep}-" .
    						"{$tunnel['remote-gateway']}/unique;\n";
    
    					$spdconf .= "spdadd {$tunnel['remote-subnet']} " .
    						"{$sa}/{$sn} any -P in ipsec " .
    						"{$tunnel['p2']['protocol']}/tunnel/{$tunnel['remote-gateway']}-" .
    						"{$ep}/unique;\n";
    				}
    
    				fwrite($fd, $spdconf);
    				fclose($fd);
    
    				/* load SPD */
    				mwexec("/sbin/setkey -c < {$g['varetc_path']}/spd.conf");
    			}
    
    			/* generate racoon.conf */
    			$fd = fopen("{$g['varetc_path']}/racoon.conf", "w");
    			if (!$fd) {
    				printf("Error: cannot open racoon.conf in vpn_ipsec_configure().\n");
    				return 1;
    			}
    
    			$racoonconf = "";
    
    	if($config['installedpackages']['sasyncd']['config'] <> "")
    		foreach($config['installedpackages']['sasyncd']['config'] as $sasyncd) {
    			if($sasyncd['ip'] <> "")
    				$curwanip = $sasyncd['ip'];
    				/* natt - turn on if <developer> exists */
    				if(isset($config['system']['developer']) <> "") {
    					$lanip = $config['interfaces']['lan']['ipaddr'];
    					if($lanip <> "")
    						$natt = "isakmp_natt {$lanip}[4500];\n";
    
    				}
    				$interface_ip = $sasyncd['ip'];
    				$racoonconf .= <<<EOD
    listen {
    	isakmp {$interface_ip} [500];
    	{$natt}
    }
    
    EOD;
    			}
    
    			$racoonconf .= "path pre_shared_key \"{$g['varetc_path']}/psk.txt\";\n\n";
    			$racoonconf .= "path certificate  \"{$g['varetc_path']}\";\n\n";
    
    			/* generate CA certificates files */
    			$cacertnum = 0;
    			if (is_array($ipseccfg['cacert']) && count($ipseccfg['cacert']))
    				foreach ($ipseccfg['cacert'] as $cacert) {
    					++$cacertnum;
    					if (isset($cacert['cert'])) {
    						$cert = base64_decode($cacert['cert']);
    						$x509cert = openssl_x509_parse(openssl_x509_read($cert));
    						if(is_array($x509cert) && isset($x509cert['hash'])) {
    							$fd1 = fopen("{$g['varetc_path']}/{$x509cert['hash']}.0", "w");
    							if (!$fd1) {
    								printf("Error: cannot open {$x509cert['hash']}.0 in vpn.\n");
    								return 1;
    							}
    							chmod("{$g['varetc_path']}/{$x509cert['hash']}.0", 0600);
    							fwrite($fd1, $cert);
    							fclose($fd1);
    						}
    					}
    				}
    
    			$tunnelnumber = 0;
    			if (is_array($ipseccfg['tunnel']) && count($ipseccfg['tunnel']))
    				foreach ($ipseccfg['tunnel'] as $tunnel) {
    
    				++$tunnelnumber;
    
    				if (isset($tunnel['disabled']))
    					continue;
    
    				$ep = vpn_endpoint_determine($tunnel, $curwanip);
    				if (!$ep)
    					continue;
    
    				vpn_localnet_determine($tunnel['local-subnet'], $sa, $sn);
    
    				if (isset($tunnel['p1']['myident']['myaddress'])) {
    					$myidentt = "address";
    					$myident = $ep;
    				} else if (isset($tunnel['p1']['myident']['address'])) {
    					$myidentt = "address";
    					$myident = $tunnel['p1']['myident']['address'];
    				} else if (isset($tunnel['p1']['myident']['fqdn'])) {
    					$myidentt = "fqdn";
    					$myident = $tunnel['p1']['myident']['fqdn'];
    				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {
    					$myidentt = "user_fqdn";
    					$myident = $tunnel['p1']['myident']['ufqdn'];
     				} else if (isset($tunnel['p1']['myident']['dyn_dns'])) {
    					$myidentt = "dyn_dns";
    					$myident = gethostbyname($tunnel['p1']['myident']['dyn_dns']);
     				}
    
    				if (isset($tunnel['p1']['authentication_method'])) {
    					$authmethod = $tunnel['p1']['authentication_method'];
    				} else {$authmethod = 'pre_shared_key';}
    
    				$certline = '';
    
    				if ($authmethod == 'rsasig') {
    					if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
    						$cert = base64_decode($tunnel['p1']['cert']);
    						$private_key = base64_decode($tunnel['p1']['private-key']);
    					} else {
    						/* null certificate/key */
    						$cert = '';
    						$private_key = '';
    					}
    
    					if ($tunnel['p1']['peercert'])
    						$peercert = base64_decode($tunnel['p1']['peercert']);
    					else
    						$peercert = '';
    
    					$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", "w");
    					if (!$fd1) {
    						printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
    						return 1;
    					}
    					chmod("{$g['varetc_path']}/server{$tunnelnumber}-signed.pem", 0600);
    					fwrite($fd1, $cert);
    					fclose($fd1);
    
    					$fd1 = fopen("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", "w");
    					if (!$fd1) {
    						printf("Error: cannot open server{$tunnelnumber}-key.pem in vpn.\n");
    						return 1;
    					}
    					chmod("{$g['varetc_path']}/server{$tunnelnumber}-key.pem", 0600);
    					fwrite($fd1, $private_key);
    					fclose($fd1);
    
    					$certline = "certificate_type x509 \"server{$tunnelnumber}-signed.pem\" \"server{$tunnelnumber}-key.pem\";";
    
    					if ($peercert!=''){
    						$fd1 = fopen("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", "w");
    						if (!$fd1) {
    							printf("Error: cannot open server{$tunnelnumber}-signed.pem in vpn.\n");
    							return 1;
    						}
    						chmod("{$g['varetc_path']}/peer{$tunnelnumber}-signed.pem", 0600);
    						fwrite($fd1, $peercert);
    						fclose($fd1);
    						$certline .= <<<EOD
    peers_certfile "peer{$tunnelnumber}-signed.pem";
    EOD;
    					}
    				}
    				$racoonconf .= <<<EOD
    remote {$tunnel['remote-gateway']} \{
    	exchange_mode {$tunnel['p1']['mode']};
    	my_identifier {$myidentt} "{$myident}";
    	{$certline}
    	peers_identifier address {$tunnel['remote-gateway']};
    	initial_contact on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal \{
    		encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
    		hash_algorithm {$tunnel['p1']['hash-algorithm']};
    		authentication_method {$authmethod};
    		dh_group {$tunnel['p1']['dhgroup']};
    
    EOD;
    				if ($tunnel['p1']['lifetime'])
    					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";
    
    				$racoonconf .= "	}\n";
    
    				if ($tunnel['p1']['lifetime'])
    					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";
    
    				$racoonconf .= "}\n\n";
    
    				$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
    				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
    
    				$racoonconf .= <<<EOD
    sainfo address {$sa}/{$sn} any address {$tunnel['remote-subnet']} any \{
    	encryption_algorithm {$p2ealgos};
    	authentication_algorithm {$p2halgos};
    	compression_algorithm deflate;
    
    EOD;
    
    				if ($tunnel['p2']['pfsgroup'])
    					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";
    
    				if ($tunnel['p2']['lifetime'])
    					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";
    
    				$racoonconf .= "}\n\n";
    			}
    
    			/* mobile clients? */
    			if (isset($ipseccfg['mobileclients']['enable'])) {
    
    				$tunnel = $ipseccfg['mobileclients'];
    
    				if (isset($tunnel['p1']['myident']['myaddress'])) {
    					$myidentt = "address";
    					$myident = $curwanip;
    				} else if (isset($tunnel['p1']['myident']['address'])) {
    					$myidentt = "address";
    					$myident = $tunnel['p1']['myident']['address'];
    				} else if (isset($tunnel['p1']['myident']['fqdn'])) {
    					$myidentt = "fqdn";
    					$myident = $tunnel['p1']['myident']['fqdn'];
    				} else if (isset($tunnel['p1']['myident']['ufqdn'])) {
    					$myidentt = "user_fqdn";
    					$myident = $tunnel['p1']['myident']['ufqdn'];
     				}
    
    				if (isset($tunnel['p1']['authentication_method'])) {
    					$authmethod = $tunnel['p1']['authentication_method'];
    				} else {$authmethod = 'pre_shared_key';}
    
    				$certline = '';
    				if ($authmethod == 'rsasig') {
    					if ($tunnel['p1']['cert'] && $tunnel['p1']['private-key']) {
    						$cert = base64_decode($tunnel['p1']['cert']);
    						$private_key = base64_decode($tunnel['p1']['private-key']);
    					} else {
    						/* null certificate/key */
    						$cert = '';
    						$private_key = '';
    					}
    
    					if ($tunnel['p1']['peercert'])
    						$peercert = base64_decode($tunnel['p1']['peercert']);
    					else
    						$peercert = '';
    
    					$fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", "w");
    					if (!$fd1) {
    						printf("Error: cannot open server-mobile{$tunnelnumber}-signed.pem in vpn.\n");
    						return 1;
    					}
    					chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-signed.pem", 0600);
    					fwrite($fd1, $cert);
    					fclose($fd1);
    
    					$fd1 = fopen("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", "w");
    					if (!$fd1) {
    						printf("Error: cannot open server-mobile{$tunnelnumber}-key.pem in vpn.\n");
    						return 1;
    					}
    					chmod("{$g['varetc_path']}/server-mobile{$tunnelnumber}-key.pem", 0600);
    					fwrite($fd1, $private_key);
    					fclose($fd1);
    
    					$certline = "certificate_type x509 \"server-mobile{$tunnelnumber}-signed.pem\" \"server-mobile{$tunnelnumber}-key.pem\";";
    				}
    				$racoonconf .= <<<EOD
    remote anonymous \{
    	exchange_mode {$tunnel['p1']['mode']};
    	my_identifier {$myidentt} "{$myident}";
    	{$certline}
    	initial_contact on;
    	passive on;
    	generate_policy on;
    	support_proxy on;
    	proposal_check obey;
    
    	proposal \{
    		encryption_algorithm {$tunnel['p1']['encryption-algorithm']};
    		hash_algorithm {$tunnel['p1']['hash-algorithm']};
    		authentication_method {$authmethod};
    		dh_group {$tunnel['p1']['dhgroup']};
    
    EOD;
    				if ($tunnel['p1']['lifetime'])
    					$racoonconf .= "		lifetime time {$tunnel['p1']['lifetime']} secs;\n";
    
    				$racoonconf .= "	}\n";
    
    				if ($tunnel['p1']['lifetime'])
    					$racoonconf .= "	lifetime time {$tunnel['p1']['lifetime']} secs;\n";
    
    				$racoonconf .= "}\n\n";
    
    				$p2ealgos = join(",", $tunnel['p2']['encryption-algorithm-option']);
    				$p2halgos = join(",", $tunnel['p2']['hash-algorithm-option']);
    
    				$racoonconf .= <<<EOD
    sainfo anonymous \{
    	encryption_algorithm {$p2ealgos};
    	authentication_algorithm {$p2halgos};
    	compression_algorithm deflate;
    
    EOD;
    
    				if ($tunnel['p2']['pfsgroup'])
    					$racoonconf .= "	pfs_group {$tunnel['p2']['pfsgroup']};\n";
    
    				if ($tunnel['p2']['lifetime'])
    					$racoonconf .= "	lifetime time {$tunnel['p2']['lifetime']} secs;\n";
    
    				$racoonconf .= "}\n\n";
    			}
    
    			fwrite($fd, $racoonconf);
    			fclose($fd);
    
    			/* generate psk.txt */
    			$fd = fopen("{$g['varetc_path']}/psk.txt", "w");
    			if (!$fd) {
    				printf("Error: cannot open psk.txt in vpn_ipsec_configure().\n");
    				return 1;
    			}
    
    			$pskconf = "";
    
    			if (is_array($ipseccfg['tunnel'])) {
    				foreach ($ipseccfg['tunnel'] as $tunnel) {
    					if (isset($tunnel['disabled']))
    						continue;
    					$pskconf .= "{$tunnel['remote-gateway']}	 {$tunnel['p1']['pre-shared-key']}\n";
    				}
    			}
    
    			/* add PSKs for mobile clients */
    			if (is_array($ipseccfg['mobilekey'])) {
    				foreach ($ipseccfg['mobilekey'] as $key) {
    					$pskconf .= "{$key['ident']}	{$key['pre-shared-key']}\n";
    				}
    			}
    
    			fwrite($fd, $pskconf);
    			fclose($fd);
    			chmod("{$g['varetc_path']}/psk.txt", 0600);
    
    			/* start racoon */
    			mwexec("/usr/local/sbin/racoon -f {$g['varetc_path']}/racoon.conf");
    		}
    	}
    
    	vpn_ipsec_failover_configure();
    
    	if (!$g['booting']) {
    		/* reload the filter */
    		touch("{$g["tmp_path"]}/filter_dirty");
    	}
    
    	if ($g['booting'])
    		echo "done\n";
    
    	return 0;
    }
    
    function vpn_pptpd_configure() {
    	global $config, $g;
    
    	$syscfg = $config['system'];
    	$pptpdcfg = $config['pptpd'];
    
    	if ($g['booting']) {
    		if (!$pptpdcfg['mode'] || ($pptpdcfg['mode'] == "off"))
    			return 0;
    
    		echo "Configuring PPTP VPN service... ";
    	} else {
    		/* kill mpd */
    		killbypid("{$g['varrun_path']}/mpd-vpn.pid");
    
    		/* wait for process to die */
    		sleep(3);
    
    		if(is_process_running("mpd -b")) {
    			killbypid("{$g['varrun_path']}/mpd-vpn.pid");
    			log_error("Could not kill mpd within 3 seconds.   Trying again.");
    		}
    
    		/* remove mpd.conf, if it exists */
    		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.conf");
    		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.links");
    		unlink_if_exists("{$g['varetc_path']}/mpd-vpn/mpd.secret");
    	}
    
    	/* make sure mpd-vpn directory exists */
    	if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
    		mkdir("{$g['varetc_path']}/mpd-vpn");
    
    	switch ($pptpdcfg['mode']) {
    
    		case 'server':
    
    			/* write mpd.conf */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "w");
    			if (!$fd) {
    				printf("Error: cannot open mpd.conf in vpn_pptpd_configure().\n");
    				return 1;
    			}
    
    			$mpdconf = <<<EOD
    pptpd:
    
    EOD;
    
    			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
    				$mpdconf .= "	load pt{$i}\n";
    			}
    
    			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
    
    				$clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i);
    				$ngif = "ng" . ($i+1);
    
    				if(isset($pptpdcfg['radius']['radiusissueips']) && isset($pptpdcfg['radius']['enable'])) {
    					$isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 0.0.0.0/0";
    					$isssue_ip_type .="\n\tset ipcp yes radius-ip";
    				} else {
    					$isssue_ip_type = "set ipcp ranges {$pptpdcfg['localip']}/32 {$clientip}/32";
    				}
    
    			$mpdconf .= <<<EOD
    pt{$i}:
    	new -i {$ngif} pt{$i} pt{$i}
    	{$isssue_ip_type}
    	load pts
    
    EOD;
    			}
    
    			$mpdconf .= <<<EOD
    pts:
    	set iface disable on-demand
    	set iface enable proxy-arp
    	set iface enable tcpmssfix
    	set iface idle 1800
    	set iface up-script /usr/local/sbin/vpn-linkup
    	set iface down-script /usr/local/sbin/vpn-linkdown
    	set bundle enable multilink
    	set bundle enable crypt-reqd
    	set link yes acfcomp protocomp
    	set link no pap chap
    	set link enable chap-msv2
    	set link mtu 1460
    	set link keep-alive 10 60
    	set ipcp yes vjcomp
    	set bundle enable compression
    	set ccp yes mppc
    	set ccp yes mpp-e128
    	set ccp yes mpp-stateless
    
    EOD;
    
    			if (!isset($pptpdcfg['req128'])) {
    				$mpdconf .= <<<EOD
    	set ccp yes mpp-e40
    	set ccp yes mpp-e56
    
    EOD;
    			}
    
    			if (is_array($pptpdcfg['dnsserver']) && ($pptpdcfg['dnsserver'][0])) {
    				$mpdconf .= "	set ipcp dns " . join(" ", $pptpdcfg['dnsserver']) . "\n";
    			} else if (isset($config['dnsmasq']['enable'])) {
    				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
    				if ($syscfg['dnsserver'][0])
    					$mpdconf .= " " . $syscfg['dnsserver'][0];
    				$mpdconf .= "\n";
    			} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
    				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
    			}
    
    			if (isset($pptpdcfg['radius']['enable'])) {
    				$mpdconf .= <<<EOD
    	set radius server {$pptpdcfg['radius']['server']} "{$pptpdcfg['radius']['secret']}"
    	set radius retries 3
    	set radius timeout 10
    	set bundle enable radius-auth
    	set bundle disable radius-fallback
    
    EOD;
    
    				if (isset($pptpdcfg['radius']['accounting'])) {
    					$mpdconf .= <<<EOD
    	set bundle enable radius-acct
    
    EOD;
    				}
    			}
    
    			fwrite($fd, $mpdconf);
    			fclose($fd);
    
    			/* write mpd.links */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "w");
    			if (!$fd) {
    				printf("Error: cannot open mpd.links in vpn_pptpd_configure().\n");
    				return 1;
    			}
    
    			$mpdlinks = "";
    
    			for ($i = 0; $i < $g['n_pptp_units']; $i++) {
    				$mpdlinks .= <<<EOD
    pt{$i}:
    	set link type pptp
    	set pptp enable incoming
    	set pptp disable originate
    	set pptp disable windowing
    	set pptp self 127.0.0.1
    
    EOD;
    			}
    
    			fwrite($fd, $mpdlinks);
    			fclose($fd);
    
    			/* write mpd.secret */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "w");
    			if (!$fd) {
    				printf("Error: cannot open mpd.secret in vpn_pptpd_configure().\n");
    				return 1;
    			}
    
    			$mpdsecret = "";
    
    			if (is_array($pptpdcfg['user'])) {
    				foreach ($pptpdcfg['user'] as $user)
    					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
    			}
    
    			fwrite($fd, $mpdsecret);
    			fclose($fd);
    			chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
    
    			/* fire up mpd */
    			mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pptpd");
    
    			break;
    
    		case 'redir':
    			break;
    	}
    
    	if (!$g['booting']) {
    		/* reload the filter */
    		filter_configure();
    	}
    
    	if ($g['booting'])
    		echo "done\n";
    
    	return 0;
    }
    
    function vpn_localnet_determine($adr, &$sa, &$sn) {
    	global $config, $g;
    
    	if (isset($adr)) {
    		if ($adr['network']) {
    			switch ($adr['network']) {
    				case 'lan':
    					$sn = $config['interfaces']['lan']['subnet'];
    					$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
    					break;
    			}
    		} else if ($adr['address']) {
    			list($sa,$sn) = explode("/", $adr['address']);
    			if (is_null($sn))
    				$sn = 32;
    		}
    	} else {
    		$sn = $config['interfaces']['lan']['subnet'];
    		$sa = gen_subnet($config['interfaces']['lan']['ipaddr'], $sn);
    	}
    }
    
    function vpn_endpoint_determine($tunnel, $curwanip) {
    
    	global $g, $config;
    
    	if ((!$tunnel['interface']) || ($tunnel['interface'] == "wan")) {
    		if ($curwanip)
    			return $curwanip;
    		else
    			return null;
    	} else if ($tunnel['interface'] == "lan") {
    		return $config['interfaces']['lan']['ipaddr'];
    	} else {
    		$oc = $config['interfaces'][$tunnel['interface']];
    
    		if (isset($oc['enable']) && $oc['if']) {
    			return $oc['ipaddr'];
    		}
    	}
    
    	return null;
    }
    
    function vpn_pppoe_configure() {
    	global $config, $g;
    
    	$syscfg = $config['system'];
    	$pppoecfg = $config['pppoe'];
    
    	/* create directory if it does not exist */
    	if(!is_dir("{$g['varetc_path']}/mpd-vpn"))
    		mkdir("{$g['varetc_path']}/mpd-vpn");
    
    	if ($g['booting']) {
    		if (!$pppoecfg['mode'] || ($pppoecfg['mode'] == "off"))
    			return 0;
    
    		echo "Configuring PPPoE VPN service... ";
    	}
    
    	/* make sure mpd-vpn directory exists */
    	if (!file_exists("{$g['varetc_path']}/mpd-vpn"))
    		mkdir("{$g['varetc_path']}/mpd-vpn");
    
    	switch ($pppoecfg['mode']) {
    
    		case 'server':
    
    			$pppoe_interface = filter_translate_type_to_real_interface($pppoecfg['interface']);
    
    			/* write mpd.conf */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.conf", "a");
    			if (!$fd) {
    				printf("Error: cannot open mpd.conf in vpn_pppoe_configure().\n");
    				return 1;
    			}
    			$mpdconf = "\n\n";
    			$mpdconf .= <<<EOD
    pppoe:
    
    EOD;
    
    			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
    				$mpdconf .= "	load pppoe{$i}\n";
    			}
    
    			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
    
    				$clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i);
    				$ngif = "ng" . ($i+1);
    
    				if(isset($pppoecfg['radius']['radiusissueips']) && isset($pppoecfg['radius']['enable'])) {
    					$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
    					$isssue_ip_type .="\n\tset ipcp yes radius-ip";
    				} else {
    					$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 {$clientip}/32";
    				}
    
    			$mpdconf .= <<<EOD
    pppoe{$i}:
    	new -i {$ngif} pppoe{$i} pppoe{$i}
    	{$isssue_ip_type}
    	load pppoe_standart
    
    EOD;
    			}
    
    			$mpdconf .= <<<EOD
    pppoe_standart:
    	set link type pppoe
    	set pppoe iface {$pppoe_interface}
    	set pppoe service "*"
    	set pppoe disable originate
    	set pppoe enable incoming
    	set bundle no multilink
    	set bundle enable compression
    	set bundle max-logins 1
    	set iface idle 0
    	set iface disable on-demand
    	set iface disable proxy-arp
    	set iface enable tcpmssfix
    	set iface mtu 1500
    	set link no pap chap
    	set link enable chap
    	set link keep-alive 60 180
    	set ipcp yes vjcomp
    	set ipcp no vjcomp
    	set link max-redial -1
    	set link mtu 1492
    	set link mru 1492
    	set ccp yes mpp-e40
    	set ccp yes mpp-e128
    	set ccp yes mpp-stateless
    	set link latency 1
    	#set ipcp dns 10.10.1.3
    	#set bundle accept encryption
    
    EOD;
    
    			if (isset($config['dnsmasq']['enable'])) {
    				$mpdconf .= "	set ipcp dns " . $config['interfaces']['lan']['ipaddr'];
    				if ($syscfg['dnsserver'][0])
    					$mpdconf .= " " . $syscfg['dnsserver'][0];
    				$mpdconf .= "\n";
    			} else if (is_array($syscfg['dnsserver']) && ($syscfg['dnsserver'][0])) {
    				$mpdconf .= "	set ipcp dns " . join(" ", $syscfg['dnsserver']) . "\n";
    			}
    
    			if (isset($pppoecfg['radius']['enable'])) {
    				$mpdconf .= <<<EOD
    	set radius server {$pppoecfg['radius']['server']} "{$pppoecfg['radius']['secret']}"
    	set radius retries 3
    	set radius timeout 10
    	set bundle enable radius-auth
    	set bundle disable radius-fallback
    
    EOD;
    
    				if (isset($pppoecfg['radius']['accounting'])) {
    					$mpdconf .= <<<EOD
    	set bundle enable radius-acct
    
    EOD;
    				}
    			}
    
    			fwrite($fd, $mpdconf);
    			fclose($fd);
    
    			/* write mpd.links */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.links", "a");
    			if (!$fd) {
    				printf("Error: cannot open mpd.links in vpn_pppoe_configure().\n");
    				return 1;
    			}
    
    			$mpdlinks = "";
    
    			/* one mpd.links entry per unit; the label must match the link name
    			   created by "new -i ... pppoe{$i} pppoe{$i}" in mpd.conf, so it
    			   has to carry the unit index rather than a bare "pppoe:" */
    			for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
    				$mpdlinks .= <<<EOD
    pppoe{$i}:
    	set link type pppoe
    	set pppoe iface {$pppoe_interface}
    
    EOD;
    			}
    
    			fwrite($fd, $mpdlinks);
    			fclose($fd);
    
    			/* write mpd.secret */
    			$fd = fopen("{$g['varetc_path']}/mpd-vpn/mpd.secret", "a");
    			if (!$fd) {
    				printf("Error: cannot open mpd.secret in vpn_pppoe_configure().\n");
    				return 1;
    			}
    
    			$mpdsecret = "\n\n";
    
    			if (is_array($pppoecfg['user'])) {
    				foreach ($pppoecfg['user'] as $user)
    					$mpdsecret .= "{$user['name']} \"{$user['password']}\" {$user['ip']}\n";
    			}
    
    			fwrite($fd, $mpdsecret);
    			fclose($fd);
    			chmod("{$g['varetc_path']}/mpd-vpn/mpd.secret", 0600);
    
    			/* fire up mpd */
    			mwexec("/usr/local/sbin/mpd -b -d {$g['varetc_path']}/mpd-vpn -p {$g['varrun_path']}/mpd-vpn.pid pppoe");
    
    			break;
    
    		case 'redir':
    			break;
    	}
    
    	touch("{$g["tmp_path"]}/filter_dirty");
    
    	if ($g['booting'])
    		echo "done\n";
    
    	return 0;
    }
    
    ?>
    

    It would be better if this modification were reflected in the embedded version as well. Embedded users could use this function with another RADIUS server even if they cannot use pfSense's FreeRADIUS package.
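The `set ipcp yes radius-ip` stanza in the vpn.inc above only does something if the RADIUS server returns the account's address in its Access-Accept as the Framed-IP-Address attribute (type 8, RFC 2865), which is what a per-user Framed-IP-Address reply item in FreeRADIUS produces. What follows is an added example, not code from pfSense, mpd or FreeRADIUS: it builds such an Access-Accept, verifies the Response Authenticator on the NAS side the way a NAS must before trusting any attribute, and then picks the client address under both ipcp stanzas that vpn.inc can emit. The shared secret, the pool start address 192.168.100.1, the user name and all packets are constructed for the example, and `choose_client_ip` is a hypothetical helper that mirrors the two config lines, not mpd's own logic.

```python
"""Added example (not pfSense, mpd or FreeRADIUS code): how a NAS that runs
"set ipcp yes radius-ip" obtains the client address from RADIUS.  The server
side builds an Access-Accept carrying Framed-IP-Address (type 8, RFC 2865)
and seals it with the Response Authenticator; the NAS side verifies that
authenticator with the shared secret and the Request Authenticator it sent,
and only then picks the client address.  All inputs are constructed."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME, ATTR_FRAMED_IP_ADDRESS = 1, 8
# Reserved Framed-IP-Address values from RFC 2865 section 5.8.
USER_SELECTS = ipaddress.IPv4Address("255.255.255.255")  # peer may propose its own address
NAS_SELECTS = ipaddress.IPv4Address("255.255.255.254")   # NAS assigns from its own pool


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; the length byte covers type+len+value."""
    out = b""
    for typ, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out


def build_access_accept(ident, request_auth, secret, attrs):
    """Server side.  Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_packet(raw):
    """Split a RADIUS packet into (code, id, authenticator, [(type, value), ...])
    with the length checks a NAS must do before walking the attribute list."""
    if len(raw) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 20 or length > len(raw):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        typ, alen = struct.unpack("!BB", raw[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((typ, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, raw[4:20], attrs


def verify_response(raw, request_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting any attribute.
    Returns (code, attrs); raises ValueError on a forged or mis-keyed reply."""
    code, _ident, auth, attrs = parse_packet(raw)
    length = struct.unpack("!H", raw[2:4])[0]
    expected = hashlib.md5(raw[:4] + request_auth + raw[20:length] + secret).digest()
    if not hmac.compare_digest(auth, expected):  # constant-time comparison
        raise ValueError("Response Authenticator mismatch")
    return code, attrs


def reply_is_rejected(raw, request_auth, secret):
    """True if the NAS would discard this reply (shows tamper / wrong-secret detection)."""
    try:
        verify_response(raw, request_auth, secret)
    except ValueError:
        return True
    return False


def choose_client_ip(attrs, pool_start, unit, radius_ip=True):
    """Hypothetical helper mirroring the two ipcp stanzas vpn.inc can emit.
    radius_ip=True : 'set ipcp ranges <localip>/32 0.0.0.0/0' + 'set ipcp yes radius-ip',
                     so a verified Framed-IP-Address decides the address.
    radius_ip=False: 'set ipcp ranges <localip>/32 <remoteip+unit>/32', the fixed
                     per-unit pool address, whatever RADIUS returned.
    Returns an IPv4Address, or None when RADIUS says the peer may pick its own."""
    pool_addr = ipaddress.IPv4Address(pool_start) + unit  # long2ip(ip2long(remoteip) + i)
    if not radius_ip:
        return pool_addr
    for typ, value in attrs:
        if typ == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            framed = ipaddress.IPv4Address(value)
            if framed == NAS_SELECTS:
                return pool_addr
            if framed == USER_SELECTS:
                return None
            return framed
    return pool_addr  # this example's policy when the server sends no address


def demo():
    """Round trip for one constructed account; returns the two addresses as strings."""
    secret = b"constructed-shared-secret"   # constructed; never reuse in production
    request_auth = os.urandom(16)           # what the NAS put in its Access-Request
    accept = build_access_accept(0x2A, request_auth, secret, [
        (ATTR_USER_NAME, b"mon"),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("192.168.100.10").packed),
    ])
    code, attrs = verify_response(accept, request_auth, secret)
    assert code == ACCESS_ACCEPT
    with_radius_ip = choose_client_ip(attrs, "192.168.100.1", unit=3, radius_ip=True)
    pool_only = choose_client_ip(attrs, "192.168.100.1", unit=3, radius_ip=False)
    return str(with_radius_ip), str(pool_only)


if __name__ == "__main__":
    print(demo())
```

Two things worth keeping in mind when turning this on. The authenticator check is the only thing standing between a spoofed Access-Accept on the path to the RADIUS server and an attacker-chosen client address, so a reply that fails it must be dropped, and `set bundle disable radius-fallback` in the config above makes sure such a failure does not quietly fall through to the local user database. And once the peer range is `0.0.0.0/0`, the client is no longer pinned to a pool address by mpd itself; going by that config line, an account without a Framed-IP-Address reply item may end up with whatever address the client proposes in IPCP, so every RADIUS account should carry one when RADIUS-issued IPs are enabled.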



  • Here is vpn_pptp.php

    /*
    	vpn_pptp.php
    	part of m0n0wall (http://m0n0.ch/wall)
    
    	Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>.
    	All rights reserved.
    
    	Redistribution and use in source and binary forms, with or without
    	modification, are permitted provided that the following conditions are met:
    
    	1\. Redistributions of source code must retain the above copyright notice,
    	   this list of conditions and the following disclaimer.
    
    	2\. Redistributions in binary form must reproduce the above copyright
    	   notice, this list of conditions and the following disclaimer in the
    	   documentation and/or other materials provided with the distribution.
    
    	THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
    	INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
    	AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
    	AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    	OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
    	SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
    	INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
    	CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    	ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
    	POSSIBILITY OF SUCH DAMAGE.
    */
    
    require("guiconfig.inc");
    
    if (!is_array($config['pptpd']['radius'])) {
    	$config['pptpd']['radius'] = array();
    }
    $pptpcfg = &$config['pptpd'];
    
    $pconfig['remoteip'] = $pptpcfg['remoteip'];
    $pconfig['localip'] = $pptpcfg['localip'];
    $pconfig['redir'] = $pptpcfg['redir'];
    $pconfig['mode'] = $pptpcfg['mode'];
    $pconfig['wins'] = $pptpcfg['wins'];
    $pconfig['req128'] = isset($pptpcfg['req128']);
    $pconfig['radiusenable'] = isset($pptpcfg['radius']['enable']);
    $pconfig['radacct_enable'] = isset($pptpcfg['radius']['accounting']);
    $pconfig['radiusserver'] = $pptpcfg['radius']['server'];
    $pconfig['radiussecret'] = $pptpcfg['radius']['secret'];
    $pconfig['radiusissueips'] = isset($pptpcfg['radius']['radiusissueips']);
    
    if ($_POST) {
    
    	unset($input_errors);
    	$pconfig = $_POST;
    
    	/* input validation */
    	if ($_POST['mode'] == "server") {
    		$reqdfields = explode(" ", "localip remoteip");
    		$reqdfieldsn = explode(",", "Server address,Remote start address");
    
    		if ($_POST['radiusenable']) {
    			$reqdfields = array_merge($reqdfields, explode(" ", "radiusserver radiussecret"));
    			$reqdfieldsn = array_merge($reqdfieldsn, 
    				explode(",", "RADIUS server address,RADIUS shared secret"));
    		}
    
    		do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
    
    		if (($_POST['localip'] && !is_ipaddr($_POST['localip']))) {
    			$input_errors[] = "A valid server address must be specified.";
    		}
    		/* the remote start address must itself be a valid IP (the original
    		   check looked at a nonexistent 'subnet' field and never fired) */
    		if (($_POST['remoteip'] && !is_ipaddr($_POST['remoteip']))) {
    			$input_errors[] = "A valid remote start address must be specified.";
    		}
    		if (($_POST['radiusserver'] && !is_ipaddr($_POST['radiusserver']))) {
    			$input_errors[] = "A valid RADIUS server address must be specified.";
    		}
    
    		if (!$input_errors) {	
    			$_POST['remoteip'] = $pconfig['remoteip'] = gen_subnet($_POST['remoteip'], $g['pptp_subnet']);
    			$subnet_start = ip2long($_POST['remoteip']);
    			$subnet_end = ip2long($_POST['remoteip']) + $g['n_pptp_units'] - 1;
    
    			if ((ip2long($_POST['localip']) >= $subnet_start) && 
    			    (ip2long($_POST['localip']) <= $subnet_end)) {
    				$input_errors[] = "The specified server address lies in the remote subnet.";	
    			}
    			if ($_POST['localip'] == $config['interfaces']['lan']['ipaddr']) {
    				$input_errors[] = "The specified server address is equal to the LAN interface address.";	
    			}
    		}
    	} else if ($_POST['mode'] == "redir") {
    		$reqdfields = explode(" ", "redir");
    		$reqdfieldsn = explode(",", "PPTP redirection target address");
    
    		do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
    
    		if (($_POST['redir'] && !is_ipaddr($_POST['redir']))) {
    			$input_errors[] = "A valid target address must be specified.";
    		}
    	} else {
    		/* turning pptp off, lets dump any custom rules */
    		$rules = &$config['filter']['rule'];
    		for($x=0; $x < count($rules); $x++) {
    			if($rules[$x]['interface'] == "pptp") {
    				unset($rules[$x]);
    			}
    		}
    		unset($config['pptpd']['mode']);
    		write_config();
    	}
    
    	if (!$input_errors) {
    		$pptpcfg['remoteip'] = $_POST['remoteip'];
    		$pptpcfg['redir'] = $_POST['redir'];
    		$pptpcfg['localip'] = $_POST['localip'];
    		$pptpcfg['mode'] = $_POST['mode'];
    		$pptpcfg['wins'] = $_POST['wins'];
    		$pptpcfg['radius']['server'] = $_POST['radiusserver'];
    		$pptpcfg['radius']['secret'] = $_POST['radiussecret'];
    
    		if($_POST['req128'] == "yes") 
    			$pptpcfg['req128'] = true;
    		else
    			unset($pptpcfg['req128']);
    
    		if($_POST['radiusenable'] == "yes") 
    			$pptpcfg['radius']['enable'] = true;
    		else 
    			unset($pptpcfg['radius']['enable']);
    
    		if($_POST['radacct_enable'] == "yes") 
    			$pptpcfg['radius']['accounting'] = true;
    		else 
    			unset($pptpcfg['radius']['accounting']);
    
            if($_POST['radiusissueips'] == "yes") {
    			$pptpcfg['radius']['radiusissueips'] = true;
    		} else
    			unset($pptpcfg['radius']['radiusissueips']);
    
    		write_config();
    
    		$retval = 0;
    
    		config_lock();
    		$retval = vpn_setup();
    		config_unlock();
    
    		$savemsg = get_std_save_message($retval);
    
    		filter_configure();
    	}
    }
    
    $pgtitle = "VPN PPTP";
    include("head.inc");
    
    ?>
    
    <form action="vpn_pptp.php" method="post" name="iform" id="iform">
    
    <?php
    	$tab_array = array();
    	$tab_array[0] = array("Configuration", true, "vpn_pptp.php");
    	$tab_array[1] = array("Users", false, "vpn_pptp_users.php");
    	display_top_tabs($tab_array);
    ?>
    
    [Form table; only its field labels and help text are recoverable.]
    
    Off
    
    Redirect incoming PPTP connections to:
      PPTP redirection: Enter the IP address of a host which will accept incoming PPTP connections.
    
    Enable PPTP server
      Max. concurrent connections
      Server address: Enter the IP address the PPTP server should use on its side for all clients.
      Remote address range: Specify the starting address for the client IP address subnet. The PPTP server will assign addresses, starting at the address entered above, to clients.
      RADIUS:
        **Use a RADIUS server for authentication** When set, all users will be authenticated using the RADIUS server specified below. The local user database will not be used.
        **Enable RADIUS accounting** Sends accounting packets to the RADIUS server.
      RADIUS server: Enter the IP address of the RADIUS server.
      RADIUS shared secret: Enter the shared secret that will be used to authenticate to the RADIUS server.
      RADIUS issued IPs: Issue IP addresses via RADIUS server.
      WINS Server
      **Require 128-bit encryption** When set, 128-bit encryption will be accepted. Otherwise, 40-bit and 56-bit encryption will be accepted, too. Note that encryption will always be forced on PPTP connections (i.e. unencrypted connections will not be accepted).
    
    **Note:** don't forget to [add a firewall rule](firewall_rules.php?if=pptp) to permit traffic from PPTP clients!
    
    </form>
    
    ![pptp.jpg_thumb](/public/_imported_attachments_/1/pptp.jpg_thumb)
    ![pptp.jpg](/public/_imported_attachments_/1/pptp.jpg)
    


  • :D WOW its looking good guys! ;)



  • Nice, but we need the files as diffs against the latest revisions of the files you changed to merge them into the pfSense code. Can you attach diffs?



  • Here are my diffs for freeradius.xml and freeradius.inc.

    On the weekend I will add counter attributes to freeradius.xml and freeradius.inc;
    the counters are already enabled in radiusd.conf.

    freeradius.inc.diff.txt
    freeradius.xml.dif.txt



  • I have a problem. I don't know how to make the diff files.

    Please advise me how to make the diff files so that I can make diffs for vpn_pptp.php and vpn.inc.





  • Here are the diffs for vpn.inc and vpn_pptp.php.
    I used vpn.inc version 1.12 and vpn_pptp.php version 1.38.

    vpn.inc.diff.txt
    vpn_pptp.php.diff.txt



  • Dear Jeroen,

    Could you add the description column for freeradius users? I think it is needed for users contact number, email address or his real name.

    Thank you.



  • OK, then I will add it in front of the username.
    There are 4 more columns coming at the weekend,
    and support for 3 more in the future (upload and download speed settings and WISP redirect URL).



  • Hi All,

    I haven't checked the forums for a while since I posted this initial thread.

    However, I am pleasantly surprised that some work has been done on the FreeRADIUS package  :)

    Just wanted to ask whether the new FreeRADIUS package is now available. I checked the package version and the latest one was 1.1.2 - so I installed this. However, I did not get any changes to the interface to allow configuration of the IP address in the account configuration.

    Is the 1.1.2 version meant to include this feature - or does this feature still need to be patched in and released?

    Thanks for all your hard work.

    Regards,

    Mon



  • Have the radius extensions made it into CVS yet?



  • The last time I looked they were not yet in.



  • Any updates on when these new features will be available?



  • Now I'm using it and it works great. PPTP users are now given the ip address from freeradius.

    I tried 1.0.1-SNAPSHOT-01-13-2007 today but I found that this feature has not been added to this snapshot.

    Is there some problem with adding this function to a future pfSense version?



  • Not sure what you mean?  Can you send a patch?



  • Jeroen and I already attached the diff files for these functions in this thread. Please read the previous posts.

    @sbyoon:

    Here are the diffs for vpn.inc and vpn_pptp.php.
    I used vpn.inc version 1.12 and vpn_pptp.php version 1.38.



  • That is not the proper sequence for sending patches.  Please read:

    http://wiki.pfsense.com/wikka.php?wakka=SubmittingPatches



  • Sorry if the sequence was wrong. I checked the link but it does not mention how to make a patch. Could you advise me how to make the patch?



  • From the console:

    pkg_add -r diffutils
    rehash
    gdiff -urN <original file> <new file>

    And to put it into a file:

    gdiff -urN <original file> <new file> > patch.txt

    Then you can download or fetch the file from the diagnostics menu.



  • I'm confused. What is the difference between 'diff' and 'patch'?
    I've made the diff files with "diff -rub oldfile newfile > file.diff" and attached them to this thread as requested by Hoba.

    I made the diff files as instructed in below link.
    http://forum.pfsense.org/index.php/topic,2972.0.html
    And I used the latest files from pfsense cvs and made the diff file with it.

    I think your instruction is also for just making diff files. Then, are diff and patch same thing?

    Now I attached the diff files again and am sending them to coreteam@pfsense.com as well.

    vpn.inc.diff.txt
    vpn_pptp.php.diff.txt
    freeradius.inc.diff.txt
    freeradius.xml.dif.txt

