@@ -177,3 +226,4 @@
{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4,'id':'DialogLayer4','label':lang._('Edit Layer4 Route')])}}
+{{ partial("layout_partials/base_dialog",['fields':formDialogLayer4Openvpn,'id':'DialogLayer4Openvpn','label':lang._('Edit OpenVPN Static Key')])}}
diff --git a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
index f65ef168cf..a8e6c36cf1 100755
--- a/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
+++ b/www/caddy/src/opnsense/scripts/OPNsense/Caddy/caddy_certs.php
@@ -36,22 +36,22 @@
// Traverse through certificates
foreach ($configObj->cert as $cert) {
- $cert_refid = (string) $cert->refid;
- $cert_content = base64_decode((string) $cert->crt);
- $key_content = base64_decode((string) $cert->prv);
+ $cert_refid = (string)$cert->refid;
+ $cert_content = base64_decode((string)$cert->crt);
+ $key_content = base64_decode((string)$cert->prv);
$cert_chain = $cert_content;
// Handle CA and possible intermediate CA to create a certificate bundle
if (!empty($cert->caref)) {
foreach ($configObj->ca as $ca) {
- if ((string) $cert->caref === (string) $ca->refid) {
- $ca_content = base64_decode((string) $ca->crt);
+ if ((string)$cert->caref === (string)$ca->refid) {
+ $ca_content = base64_decode((string)$ca->crt);
$cert_chain .= "\n" . $ca_content;
if (!empty($ca->caref)) {
foreach ($configObj->ca as $parent_ca) {
- if ((string) $ca->caref === (string) $parent_ca->refid) {
- $parent_ca_content = base64_decode((string) $parent_ca->crt);
+ if ((string)$ca->caref === (string)$parent_ca->refid) {
+ $parent_ca_content = base64_decode((string)$parent_ca->crt);
$cert_chain .= "\n" . $parent_ca_content;
break;
}
@@ -68,9 +68,20 @@
// Traverse through CA certificates and save them
foreach ($configObj->ca as $ca) {
- $ca_refid = (string) $ca->refid;
- $ca_content = base64_decode((string) $ca->crt);
+ $ca_refid = (string)$ca->refid;
+ $ca_content = base64_decode((string)$ca->crt);
// Save the CA certificate
file_put_contents($temp_dir . $ca_refid . '.pem', $ca_content);
}
+
+// Traverse through layer4 OpenVPN static keys and save them as files
+if (isset($configObj->Pischem->caddy->reverseproxy->layer4openvpn)) {
+ foreach ($configObj->Pischem->caddy->reverseproxy->layer4openvpn as $openvpn) {
+ $uuid = (string) $openvpn['uuid'];
+ $static_key = (string) $openvpn->StaticKey;
+
+ // Save the static key
+ file_put_contents($temp_dir . $uuid . '.key', $static_key);
+ }
+}
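Review bot: The OpenVPN static key written by `file_put_contents($temp_dir . $uuid . '.key', $static_key)` is secret material, yet the file is created with the process's default umask permissions and the return value is ignored, so an unwritable temp directory silently produces a Caddyfile that references a missing key file. Check the write and tighten the mode, e.g. `if (file_put_contents($path, $static_key) === false) { continue; }` followed by `chmod($path, 0600);`, so a failure is visible and the key is not world-readable. `$uuid` is interpolated into the path straight from the config attribute; if it is always model-generated that is fine, but a guard such as `preg_match('/^[0-9a-f-]+$/i', $uuid)` (constructed example) would make that assumption explicit before it becomes a filename. The new lines also keep `(string) $openvpn['uuid']` with a space while this same commit normalises the other casts in the file to `(string)$x`. `$temp_dir` and the surrounding setup of this script are outside the hunk.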
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4 b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
index defaf2528f..c6058ccd70 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/includeLayer4
@@ -70,6 +70,66 @@
{{ invert_prefix }}http host {{ layer4.FromDomain.replace(',', ' ') }}
{% elif layer4.Matchers == 'tlssni' %}
{{ invert_prefix }}tls sni {{ layer4.FromDomain.replace(',', ' ') }}
+ {% elif layer4.Matchers == 'quicsni' %}
+ {{ invert_prefix }}quic sni {{ layer4.FromDomain.replace(',', ' ') }}
+ {% elif layer4.Matchers == 'openvpn' and layer4.FromOpenvpnModes %}
+ {% for mode in layer4.FromOpenvpnModes.split(',') %}
+ {% set mode_clean = mode.strip() %}
+ {% if layer4.FromOpenvpnStaticKey %}
+ {% set key_list = layer4.FromOpenvpnStaticKey.split(',') %}
+ {% endif %}
+ {% if mode_clean.startswith('auth') %}
+ {% if key_list|length > 1 %}
+ {% set key_list = key_list[:1] %}
+ {% endif %}
+ {% set digest = 'sha256' if 'sha256' in mode_clean else 'sha512' %}
+ {% set direction = 'normal' if 'normal' in mode_clean else 'inverse' %}
+ {{ invert_prefix }}openvpn {
+ modes auth
+ auth_digest {{ digest }}
+ {% if layer4.FromOpenvpnStaticKey %}
+ group_key_direction {{ direction }}
+ {% for key_uuid in key_list %}
+ group_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+ {% endfor %}
+ {% endif %}
+ }
+ {% elif mode_clean == 'crypt' %}
+ {% if key_list|length > 1 %}
+ {% set key_list = key_list[:1] %}
+ {% endif %}
+ {{ invert_prefix }}openvpn {
+ modes crypt
+ {% if layer4.FromOpenvpnStaticKey %}
+ {% for key_uuid in key_list %}
+ group_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+ {% endfor %}
+ {% endif %}
+ }
+ {% elif mode_clean == 'crypt2_client' %}
+ {# Multiple keys are allowed for crypt2_client #}
+ {{ invert_prefix }}openvpn {
+ modes crypt2
+ {% if layer4.FromOpenvpnStaticKey %}
+ {% for key_uuid in key_list %}
+ client_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+ {% endfor %}
+ {% endif %}
+ }
+ {% elif mode_clean == 'crypt2_server' %}
+ {% if key_list|length > 1 %}
+ {% set key_list = key_list[:1] %}
+ {% endif %}
+ {{ invert_prefix }}openvpn {
+ modes crypt2
+ {% if layer4.FromOpenvpnStaticKey %}
+ {% for key_uuid in key_list %}
+ server_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_uuid.strip() }}.key
+ {% endfor %}
+ {% endif %}
+ }
+ {% endif %}
+ {% endfor %}
{% else %}
{{ invert_prefix }}{{ layer4.Matchers }}
{% endif %}
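Review bot: `key_list` is only assigned inside the `{% if layer4.FromOpenvpnStaticKey %}` block that follows the `mode_clean` set, so for an `auth`, `crypt` or `crypt2_server` mode configured without a key, `key_list|length > 1` is evaluated against an undefined name and only works because Jinja's Undefined reports length 0; the same truncate-to-one-key block is also repeated in three branches. Define the list once before the mode loop with `{% set key_list = layer4.FromOpenvpnStaticKey.split(',') if layer4.FromOpenvpnStaticKey else [] %}` and, in the single-key modes, emit `key_list[0]` instead of looping over a sliced copy, keeping the loop only for `crypt2_client`. The literal directory `/var/db/caddy/data/caddy/certificates/temp/` appears in all four branches and has to stay in step with `$temp_dir` in caddy_certs.php; a single `{% set key_dir = '…' %}` near the top would keep that in one place. The matcher `{% if %}` chain these branches extend, and the loop it sits in, begin before this hunk.
```jinja
{% elif layer4.Matchers == 'openvpn' and layer4.FromOpenvpnModes %}
    {% set key_list = layer4.FromOpenvpnStaticKey.split(',') if layer4.FromOpenvpnStaticKey else [] %}
    {% for mode in layer4.FromOpenvpnModes.split(',') %}
        {% set mode_clean = mode.strip() %}
        {% if mode_clean.startswith('auth') %}
            {# … unchanged: digest / direction selection … #}
            {{ invert_prefix }}openvpn {
                modes auth
                auth_digest {{ digest }}
                {% if key_list %}
                    group_key_direction {{ direction }}
                    group_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_list[0].strip() }}.key
                {% endif %}
            }
        {% elif mode_clean == 'crypt' %}
            {{ invert_prefix }}openvpn {
                modes crypt
                {% if key_list %}
                    group_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_list[0].strip() }}.key
                {% endif %}
            }
        {# … unchanged: crypt2_client branch keeps its loop over key_list … #}
        {% elif mode_clean == 'crypt2_server' %}
            {{ invert_prefix }}openvpn {
                modes crypt2
                {% if key_list %}
                    server_key_file /var/db/caddy/data/caddy/certificates/temp/{{ key_list[0].strip() }}.key
                {% endif %}
            }
        {% endif %}
    {% endfor %}
```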