From 050771f592f46ebb673e1f26838653b1a3b30071 Mon Sep 17 00:00:00 2001
From: Jean-Yves Avenard <jean-yves@avenard.org>
Date: Wed, 16 Nov 2011 12:09:56 +0700
Subject: [PATCH] OpenVPN GUI: * Add support for username&password only
 authentication * Some fixes and logging changes

---
 release/src/router/rc/vpn.c           | 117 +++++++++++++++++++++++++++-------
 release/src/router/rc/wan.c           |   1 +
 release/src/router/www/vpn-client.asp |  85 ++++++++++++++++--------
 release/src/router/www/vpn-server.asp |   4 +-
 4 files changed, 154 insertions(+), 53 deletions(-)

diff --git a/release/src/router/rc/vpn.c b/release/src/router/rc/vpn.c
index 44bdaaa26b..00156ee99e 100644
--- a/release/src/router/rc/vpn.c
+++ b/release/src/router/rc/vpn.c
@@ -58,6 +58,7 @@ void start_vpnclient(int clientNum)
 	int nvi, ip[4], nm[4];
 	long int nvl;
 	int pid;
+	int userauth, useronly;
 
 	sprintf(&buffer[0], "vpnclient%d", clientNum);
 	if (getpid() != 1) {
@@ -167,6 +168,11 @@ void start_vpnclient(int clientNum)
 		}
 	}
 
+	sprintf(&buffer[0], "vpn_client%d_userauth", clientNum);
+	userauth = nvram_get_int(&buffer[0]);
+	sprintf(&buffer[0], "vpn_client%d_useronly", clientNum);
+	useronly = userauth && nvram_get_int(&buffer[0]);
+
 	// Build and write config file
 	vpnlog(VPN_LOG_EXTRA,"Writing config file");
 	sprintf(&buffer[0], "/etc/openvpn/client%d/config.ovpn", clientNum);
@@ -252,12 +258,23 @@ void start_vpnclient(int clientNum)
 		sprintf(&buffer[0], "vpn_client%d_ca", clientNum);
 		if ( !nvram_is_empty(&buffer[0]) )
 			fprintf(fp, "ca ca.crt\n");
-		sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
-		if ( !nvram_is_empty(&buffer[0]) )
-			fprintf(fp, "cert client.crt\n");
-		sprintf(&buffer[0], "vpn_client%d_key", clientNum);
-		if ( !nvram_is_empty(&buffer[0]) )
-			fprintf(fp, "key client.key\n");
+		if (!useronly)
+		{
+			sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
+			if ( !nvram_is_empty(&buffer[0]) )
+				fprintf(fp, "cert client.crt\n");
+			sprintf(&buffer[0], "vpn_client%d_key", clientNum);
+			if ( !nvram_is_empty(&buffer[0]) )
+				fprintf(fp, "key client.key\n");
+		}
+		sprintf(&buffer[0], "vpn_client%d_tlsremote", clientNum);
+		if (nvram_get_int(&buffer[0]))
+		{
+			sprintf(&buffer[0], "vpn_client%d_cn", clientNum);
+			fprintf(fp, "tls-remote %s\n", nvram_safe_get(&buffer[0]));
+		}
+		if (userauth)
+			fprintf(fp, "auth-user-pass up\n");
 	}
 	else if ( cryptMode == SECRET )
 	{
@@ -288,25 +305,39 @@ void start_vpnclient(int clientNum)
 			fclose(fp);
 		}
 
-		sprintf(&buffer[0], "vpn_client%d_key", clientNum);
-		if ( !nvram_is_empty(&buffer[0]) )
+		if (!useronly)
 		{
-			sprintf(&buffer[0], "/etc/openvpn/client%d/client.key", clientNum);
-			fp = fopen(&buffer[0], "w");
-			chmod(&buffer[0], S_IRUSR|S_IWUSR);
 			sprintf(&buffer[0], "vpn_client%d_key", clientNum);
-			fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
-			fclose(fp);
-		}
+			if ( !nvram_is_empty(&buffer[0]) )
+			{
+				sprintf(&buffer[0], "/etc/openvpn/client%d/client.key", clientNum);
+				fp = fopen(&buffer[0], "w");
+				chmod(&buffer[0], S_IRUSR|S_IWUSR);
+				sprintf(&buffer[0], "vpn_client%d_key", clientNum);
+				fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
+				fclose(fp);
+			}
 
-		sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
-		if ( !nvram_is_empty(&buffer[0]) )
+			sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
+			if ( !nvram_is_empty(&buffer[0]) )
+			{
+				sprintf(&buffer[0], "/etc/openvpn/client%d/client.crt", clientNum);
+				fp = fopen(&buffer[0], "w");
+				chmod(&buffer[0], S_IRUSR|S_IWUSR);
+				sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
+				fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
+				fclose(fp);
+			}
+		}
+		if (userauth)
 		{
-			sprintf(&buffer[0], "/etc/openvpn/client%d/client.crt", clientNum);
+			sprintf(&buffer[0], "/etc/openvpn/client%d/up", clientNum);
 			fp = fopen(&buffer[0], "w");
 			chmod(&buffer[0], S_IRUSR|S_IWUSR);
-			sprintf(&buffer[0], "vpn_client%d_crt", clientNum);
-			fprintf(fp, "%s", nvram_safe_get(&buffer[0]));
+			sprintf(&buffer[0], "vpn_client%d_username", clientNum);
+			fprintf(fp, "%s\n", nvram_safe_get(&buffer[0]));
+			sprintf(&buffer[0], "vpn_client%d_password", clientNum);
+			fprintf(fp, "%s\n", nvram_safe_get(&buffer[0]));
 			fclose(fp);
 		}
 	}
@@ -1022,7 +1053,7 @@ void start_vpn_eas()
 
 	// Parse and start servers
 	strlcpy(&buffer[0], nvram_safe_get("vpn_server_eas"), sizeof(buffer));
-	if ( strlen(&buffer[0]) != 0 ) vpnlog(VPN_LOG_INFO, "Starting servers (eas): %s", &buffer[0]);
+	if ( strlen(&buffer[0]) != 0 ) vpnlog(VPN_LOG_INFO, "Starting OpenVPN servers (eas): %s", &buffer[0]);
 	i = 0;
 	for( cur = strtok(&buffer[0],","); cur != NULL && i < 4; cur = strtok(NULL, ",")) { nums[i++] = atoi(cur); }
 	nums[i] = 0;
@@ -1031,11 +1062,11 @@ void start_vpn_eas()
 		sprintf(&buffer[0], "vpnserver%d", nums[i]);
 		if ( pidof(&buffer[0]) >= 0 )
 		{
-			vpnlog(VPN_LOG_INFO, "Stopping server %d (eas)", nums[i]);
+			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN server %d (eas)", nums[i]);
 			stop_vpnserver(nums[i]);
 		}
 
-		vpnlog(VPN_LOG_INFO, "Starting server %d (eas)", nums[i]);
+		vpnlog(VPN_LOG_INFO, "Starting OpenVPN server %d (eas)", nums[i]);
 		start_vpnserver(nums[i]);
 	}
 
@@ -1050,15 +1081,53 @@ void start_vpn_eas()
 		sprintf(&buffer[0], "vpnclient%d", nums[i]);
 		if ( pidof(&buffer[0]) >= 0 )
 		{
-			vpnlog(VPN_LOG_INFO, "Stopping client %d (eas)", nums[i]);
+			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN client %d (eas)", nums[i]);
 			stop_vpnclient(nums[i]);
 		}
 
-		vpnlog(VPN_LOG_INFO, "Starting client %d (eas)", nums[i]);
+		vpnlog(VPN_LOG_INFO, "Starting OpenVPN client %d (eas)", nums[i]);
 		start_vpnclient(nums[i]);
 	}
 }
 
+void stop_vpn_eas()
+{
+	char buffer[16], *cur;
+	int nums[4], i;
+	
+	// Parse and stop servers
+	strlcpy(&buffer[0], nvram_safe_get("vpn_server_eas"), sizeof(buffer));
+	if ( strlen(&buffer[0]) != 0 ) vpnlog(VPN_LOG_INFO, "Stopping OpenVPN servers (eas): %s", &buffer[0]);
+	i = 0;
+	for( cur = strtok(&buffer[0],","); cur != NULL && i < 4; cur = strtok(NULL, ",")) { nums[i++] = atoi(cur); }
+	nums[i] = 0;
+	for( i = 0; nums[i] > 0; i++ )
+	{
+		sprintf(&buffer[0], "vpnserver%d", nums[i]);
+		if ( pidof(&buffer[0]) >= 0 )
+		{
+			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN server %d (eas)", nums[i]);
+			stop_vpnserver(nums[i]);
+		}
+	}
+
+	// Parse and stop clients
+	strlcpy(&buffer[0], nvram_safe_get("vpn_client_eas"), sizeof(buffer));
+	if ( strlen(&buffer[0]) != 0 ) vpnlog(VPN_LOG_INFO, "Stopping OpenVPN clients (eas): %s", &buffer[0]);
+	i = 0;
+	for( cur = strtok(&buffer[0],","); cur != NULL && i < 4; cur = strtok(NULL, ",")) { nums[i++] = atoi(cur); }
+	nums[i] = 0;
+	for( i = 0; nums[i] > 0; i++ )
+	{
+		sprintf(&buffer[0], "vpnclient%d", nums[i]);
+		if ( pidof(&buffer[0]) >= 0 )
+		{
+			vpnlog(VPN_LOG_INFO, "Stopping OpenVPN client %d (eas)", nums[i]);
+			stop_vpnclient(nums[i]);
+		}
+	}
+}
+
 void run_vpn_firewall_scripts()
 {
 	DIR *dir;
diff --git a/release/src/router/rc/wan.c b/release/src/router/rc/wan.c
index f06a5f2c66..94c16d56d2 100644
--- a/release/src/router/rc/wan.c
+++ b/release/src/router/rc/wan.c
@@ -936,6 +936,7 @@ void stop_wan(void)
 	stop_pppoe();
 	stop_ppp();
 	stop_dhcpc();
+	stop_vpn_eas();
 	if (nvram_get_int("pptp_client_enable"))
 		stop_pptp_client();
 	clear_resolv();
diff --git a/release/src/router/www/vpn-client.asp b/release/src/router/www/vpn-client.asp
index b36b0aea20..273814cb13 100644
--- a/release/src/router/www/vpn-client.asp
+++ b/release/src/router/www/vpn-client.asp
@@ -5,6 +5,7 @@
 	http://www.polarcloud.com/tomato/
 
 	Portions Copyright (C) 2008-2010 Keith Moyer, tomatovpn@keithmoyer.com
+	Portions Copyright (C) 2010-2011 Jean-Yves Avenard, jean-yves@avenard.org
 
 	For use with Tomato Firmware only.
 	No part of this file may be used without permission.
@@ -13,14 +14,14 @@
 <head>
 <meta http-equiv='content-type' content='text/html;charset=utf-8'>
 <meta name='robots' content='noindex,nofollow'>
-<title>[<% ident(); %>] VPN: Client</title>
+<title>[<% ident(); %>] OpenVPN: Client</title>
 <link rel='stylesheet' type='text/css' href='tomato.css'>
 <link rel='stylesheet' type='text/css' href='color.css'>
 <script type='text/javascript' src='tomato.js'></script>
 <script type='text/javascript' src='vpn.js'></script>
 <script type='text/javascript'>
 
-//	<% nvram("vpn_client_eas,vpn_client1_poll,vpn_client1_if,vpn_client1_bridge,vpn_client1_nat,vpn_client1_proto,vpn_client1_addr,vpn_client1_port,vpn_client1_retry,vpn_client1_firewall,vpn_client1_crypt,vpn_client1_comp,vpn_client1_cipher,vpn_client1_local,vpn_client1_remote,vpn_client1_nm,vpn_client1_reneg,vpn_client1_hmac,vpn_client1_adns,vpn_client1_rgw,vpn_client1_gw,vpn_client1_custom,vpn_client1_static,vpn_client1_ca,vpn_client1_crt,vpn_client1_key,vpn_client2_poll,vpn_client2_if,vpn_client2_bridge,vpn_client2_nat,vpn_client2_proto,vpn_client2_addr,vpn_client2_port,vpn_client2_retry,vpn_client2_firewall,vpn_client2_crypt,vpn_client2_comp,vpn_client2_cipher,vpn_client2_local,vpn_client2_remote,vpn_client2_nm,vpn_client2_reneg,vpn_client2_hmac,vpn_client2_adns,vpn_client2_rgw,vpn_client2_gw,vpn_client2_custom,vpn_client2_static,vpn_client2_ca,vpn_client2_crt,vpn_client2_key"); %>
+//	<% nvram("vpn_client_eas,vpn_client1_poll,vpn_client1_if,vpn_client1_bridge,vpn_client1_nat,vpn_client1_proto,vpn_client1_addr,vpn_client1_port,vpn_client1_retry,vpn_client1_firewall,vpn_client1_crypt,vpn_client1_comp,vpn_client1_cipher,vpn_client1_local,vpn_client1_remote,vpn_client1_nm,vpn_client1_reneg,vpn_client1_hmac,vpn_client1_adns,vpn_client1_rgw,vpn_client1_gw,vpn_client1_custom,vpn_client1_static,vpn_client1_ca,vpn_client1_crt,vpn_client1_key,vpn_client1_userauth,vpn_client1_username,vpn_client1_password,vpn_client1_useronly,vpn_client1_tlsremote,vpn_client1_cn,vpn_client2_poll,vpn_client2_if,vpn_client2_bridge,vpn_client2_nat,vpn_client2_proto,vpn_client2_addr,vpn_client2_port,vpn_client2_retry,vpn_client2_firewall,vpn_client2_crypt,vpn_client2_comp,vpn_client2_cipher,vpn_client2_local,vpn_client2_remote,vpn_client2_nm,vpn_client2_reneg,vpn_client2_hmac,vpn_client2_adns,vpn_client2_rgw,vpn_client2_gw,vpn_client2_custom,vpn_client2_static,vpn_client2_ca,vpn_client2_crt,vpn_client2_key,vpn_client2_userauth,vpn_client2_username,vpn_client2_password,vpn_client2_useronly,vpn_client2_tlsremote,vpn_client2_cn"); %>
 
 tabs = [['client1', 'Client 1'],['client2', 'Client 2']];
 sections = [['basic', 'Basic'],['advanced', 'Advanced'],['keys','Keys'],['status','Status']];
@@ -151,28 +152,44 @@ function verifyFields(focused, quiet)
 	{
 		t = tabs[i][0];
 
-		fw = E('_vpn_'+t+'_firewall');
-		auth = E('_vpn_'+t+'_crypt');
-		iface = E('_vpn_'+t+'_if');
-		bridge = E('_f_vpn_'+t+'_bridge');
-		nat = E('_f_vpn_'+t+'_nat');
-		hmac = E('_vpn_'+t+'_hmac');
-		rgw = E('_f_vpn_'+t+'_rgw');
-
-		elem.display(PR('_vpn_'+t+'_ca'), PR('_vpn_'+t+'_crt'), PR('_vpn_'+t+'_key'), PR('_vpn_'+t+'_hmac'),
-		             PR('_vpn_'+t+'_adns'), PR('_vpn_'+t+'_reneg'), auth.value == "tls");
-		elem.display(PR('_vpn_'+t+'_static'), auth.value == "secret" || (auth.value == "tls" && hmac.value >= 0));
-		elem.display(E(t+'_custom_crypto_text'), auth.value == "custom");
-		elem.display(PR('_f_vpn_'+t+'_bridge'), iface.value == "tap");
-		elem.display(E(t+'_bridge_warn_text'), !bridge.checked);
-		elem.display(PR('_f_vpn_'+t+'_nat'), fw.value != "custom" && (iface.value == "tun" || !bridge.checked));
-		elem.display(E(t+'_nat_warn_text'), fw.value != "custom" && (!nat.checked || (auth.value == "secret" && iface.value == "tun")));
-		elem.display(PR('_vpn_'+t+'_local'), auth.value == "secret" && iface.value == "tun");
-		elem.display(PR('_f_vpn_'+t+'_local'), auth.value == "secret" && (iface.value == "tap" && !bridge.checked));
-		elem.display(E(t+'_gateway'), iface.value == "tap" && rgw.checked);
+		fw = E('_vpn_'+t+'_firewall').value;
+		auth = E('_vpn_'+t+'_crypt').value;
+		iface = E('_vpn_'+t+'_if').value;
+		bridge = E('_f_vpn_'+t+'_bridge').checked;
+		nat = E('_f_vpn_'+t+'_nat').checked;
+		hmac = E('_vpn_'+t+'_hmac').value;
+		rgw = E('_f_vpn_'+t+'_rgw').checked;
+
+		userauth =  E('_f_vpn_'+t+'_userauth').checked && auth == "tls";
+		useronly = userauth && E('_f_vpn_'+t+'_useronly').checked;
+
+		// Page Basic
+		elem.display(PR('_f_vpn_'+t+'_userauth'), auth == "tls");
+		elem.display(PR('_vpn_'+t+'_username'), PR('_vpn_'+t+'_password'), userauth );
+		elem.display(PR('_f_vpn_'+t+'_useronly'), userauth);
+		elem.display(E(t+'_ca_warn_text'), useronly);
+		elem.display(PR('_vpn_'+t+'_hmac'), auth == "tls");
+		elem.display(E(t+'_custom_crypto_text'), auth == "custom");
+		elem.display(PR('_f_vpn_'+t+'_bridge'), iface == "tap");
+		elem.display(E(t+'_bridge_warn_text'), !bridge);
+		elem.display(PR('_f_vpn_'+t+'_nat'), fw != "custom" && (iface == "tun" || !bridge));
+		elem.display(E(t+'_nat_warn_text'), fw != "custom" && (!nat || (auth == "secret" && iface == "tun")));
+		elem.display(PR('_vpn_'+t+'_local'), iface == "tun" && auth == "secret");
+		elem.display(PR('_f_vpn_'+t+'_local'), iface == "tap" && !bridge && auth == "secret");
+
+		// Page Advanced
+		elem.display(PR('_vpn_'+t+'_adns'), PR('_vpn_'+t+'_reneg'), auth == "tls");
+		elem.display(E(t+'_gateway'), iface == "tap" && rgw > 0);
+
+		// Page Key
+		elem.display(PR('_vpn_'+t+'_static'), auth == "secret" || (auth == "tls" && hmac >= 0));
+		elem.display(PR('_vpn_'+t+'_ca'), auth == "tls");
+		elem.display(PR('_vpn_'+t+'_crt'), PR('_vpn_'+t+'_key'), auth == "tls" && !useronly);
+		elem.display(PR('_f_vpn_'+t+'_tlsremote'), auth == "tls");
+		elem.display(E(t+'_cn'), auth == "tls" && E('_f_vpn_'+t+'_tlsremote').checked);
 
 		keyHelp = E(t+'-keyhelp');
-		switch (auth.value)
+		switch (auth)
 		{
 		case "tls":
 			keyHelp.href = helpURL['TLSKeys'];
@@ -207,6 +224,9 @@ function save()
 		E('vpn_'+t+'_bridge').value = E('_f_vpn_'+t+'_bridge').checked ? 1 : 0;
 		E('vpn_'+t+'_nat').value = E('_f_vpn_'+t+'_nat').checked ? 1 : 0;
 		E('vpn_'+t+'_rgw').value = E('_f_vpn_'+t+'_rgw').checked ? 1 : 0;
+		E('vpn_'+t+'_userauth').value = E('_f_vpn_'+t+'_userauth').checked ? 1 : 0;
+		E('vpn_'+t+'_useronly').value = E('_f_vpn_'+t+'_useronly').checked ? 1 : 0;
+		E('vpn_'+t+'_tlsremote').value = E('_f_vpn_'+t+'_tlsremote').checked ? 1 : 0;
 	}
 
 	form.submit(fom, 1);
@@ -215,7 +235,7 @@ function save()
 }
 
 function init()
- {
+{
 	tabSelect(cookie.get('vpn_client_tab') || tabs[0][0]);
 
  	for (i = 0; i < tabs.length; ++i)
@@ -273,7 +293,7 @@ table.status-table
 <input type='hidden' name='_service' value=''>
 <input type='hidden' name='vpn_client_eas' id='vpn_client_eas' value=''>
 
-<div class='section-title'>VPN Client Configuration</div>
+<div class='section-title'>OpenVPN Client Configuration</div>
 <div class='section'>
 <script type='text/javascript'>
 tabCreate.apply(this, tabs);
@@ -285,6 +305,9 @@ for (i = 0; i < tabs.length; ++i)
 	W('<input type=\'hidden\' id=\'vpn_'+t+'_bridge\' name=\'vpn_'+t+'_bridge\'>');
 	W('<input type=\'hidden\' id=\'vpn_'+t+'_nat\' name=\'vpn_'+t+'_nat\'>');
 	W('<input type=\'hidden\' id=\'vpn_'+t+'_rgw\' name=\'vpn_'+t+'_rgw\'>');
+	W('<input type=\'hidden\' id=\'vpn_'+t+'_userauth\' name=\'vpn_'+t+'_userauth\'>');
+	W('<input type=\'hidden\' id=\'vpn_'+t+'_useronly\' name=\'vpn_'+t+'_useronly\'>');
+	W('<input type=\'hidden\' id=\'vpn_'+t+'_tlsremote\' name=\'vpn_'+t+'_tlsremote\'>');
 
 	W('<ul class="tabs">');
 	for (j = 0; j < sections.length; j++)
@@ -304,6 +327,11 @@ for (i = 0; i < tabs.length; ++i)
 		{ title: 'Firewall', name: 'vpn_'+t+'_firewall', type: 'select', options: [ ['auto', 'Automatic'], ['custom', 'Custom'] ], value: eval( 'nvram.vpn_'+t+'_firewall' ) },
 		{ title: 'Authorization Mode', name: 'vpn_'+t+'_crypt', type: 'select', options: [ ['tls', 'TLS'], ['secret', 'Static Key'], ['custom', 'Custom'] ], value: eval( 'nvram.vpn_'+t+'_crypt' ),
 			suffix: '<span id=\''+t+'_custom_crypto_text\'>&nbsp;<small>(must configure manually...)</small></span>' },
+		{ title: 'Username/Password Authentication', name: 'f_vpn_'+t+'_userauth', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_userauth' ) != 0 },
+		{ title: 'Username: ', indent: 2, name: 'vpn_'+t+'_username', type: 'text', maxlen: 50, size: 54, value: eval( 'nvram.vpn_'+t+'_username' ) },
+		{ title: 'Password: ', indent: 2, name: 'vpn_'+t+'_password', type: 'password', maxlen: 50, size: 54, value: eval( 'nvram.vpn_'+t+'_password' ) },
+		{ title: 'Username Authen. Only', indent: 2, name: 'f_vpn_'+t+'_useronly', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_useronly' ) != 0,
+			suffix: '<span style="color: red" id=\''+t+'_ca_warn_text\'>&nbsp<small>Warning: Must define Certificate Authority.<small></span>' },
 		{ title: 'Extra HMAC authorization (tls-auth)', name: 'vpn_'+t+'_hmac', type: 'select', options: [ [-1, 'Disabled'], [2, 'Bi-directional'], [0, 'Incoming (0)'], [1, 'Outgoing (1)'] ], value: eval( 'nvram.vpn_'+t+'_hmac' ) },
 		{ title: 'Server is on the same subnet', name: 'f_vpn_'+t+'_bridge', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_bridge' ) != 0,
 			suffix: '<span style="color: red" id=\''+t+'_bridge_warn_text\'>&nbsp<small>Warning: Cannot bridge distinct subnets. Defaulting to routed mode.<small></span>' },
@@ -322,7 +350,7 @@ for (i = 0; i < tabs.length; ++i)
 		{ title: 'Poll Interval', name: 'vpn_'+t+'_poll', type: 'text', maxlen: 4, size: 5, value: eval( 'nvram.vpn_'+t+'_poll' ), suffix: '&nbsp;<small>(in minutes, 0 to disable)</small>' }, 
 		{ title: 'Redirect Internet traffic', multi: [
 			{ name: 'f_vpn_'+t+'_rgw', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_rgw' ) != 0 },
-			{ name: 'vpn_'+t+'_gw', type: 'text', maxlen: 15, size: 17, value: eval( 'nvram.vpn_'+t+'_gw' ), prefix: '<span id=\''+t+'_gateway\'>Gateway:&nbsp', suffix: '</span>'} ] },
+			{ name: 'vpn_'+t+'_gw', type: 'text', maxlen: 15, size: 17, value: eval( 'nvram.vpn_'+t+'_gw' ), prefix: '<span id=\''+t+'_gateway\'> Gateway:&nbsp', suffix: '</span>'} ] },
 		{ title: 'Accept DNS configuration', name: 'vpn_'+t+'_adns', type: 'select', options: [[0, 'Disabled'],[1, 'Relaxed'],[2, 'Strict'],[3, 'Exclusive']], value: eval( 'nvram.vpn_'+t+'_adns' ) },
 		{ title: 'Encryption cipher', name: 'vpn_'+t+'_cipher', type: 'select', options: ciphers, value: eval( 'nvram.vpn_'+t+'_cipher' ) },
 		{ title: 'Compression', name: 'vpn_'+t+'_comp', type: 'select', options: [ ['-1', 'Disabled'], ['no', 'None'], ['yes', 'Enabled'], ['adaptive', 'Adaptive'] ], value: eval( 'nvram.vpn_'+t+'_comp' ) },
@@ -330,6 +358,10 @@ for (i = 0; i < tabs.length; ++i)
 			suffix: '&nbsp;<small>(in seconds, -1 for default)</small>' },
 		{ title: 'Connection retry', name: 'vpn_'+t+'_retry', type: 'text', maxlen: 5, size: 7, value: eval( 'nvram.vpn_'+t+'_retry' ),
 			suffix: '&nbsp;<small>(in seconds; -1 for infinite)</small>' },
+		{ title: 'Verify server certificate (tls-remote)', multi: [
+			{ name: 'f_vpn_'+t+'_tlsremote', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_tlsremote' ) != 0 },
+			{ name: 'vpn_'+t+'_cn', type: 'text', maxlen: 64, size: 54,
+				value: eval( 'nvram.vpn_'+t+'_cn' ), prefix: '<span id=\''+t+'_cn\'> Common Name:&nbsp', suffix: '</span>'} ] },
 		{ title: 'Custom Configuration', name: 'vpn_'+t+'_custom', type: 'textarea', value: eval( 'nvram.vpn_'+t+'_custom' ) }
 	]);
 	W('</div>');
@@ -339,7 +371,7 @@ for (i = 0; i < tabs.length; ++i)
 		{ title: 'Static Key', name: 'vpn_'+t+'_static', type: 'textarea', value: eval( 'nvram.vpn_'+t+'_static' ) },
 		{ title: 'Certificate Authority', name: 'vpn_'+t+'_ca', type: 'textarea', value: eval( 'nvram.vpn_'+t+'_ca' ) },
 		{ title: 'Client Certificate', name: 'vpn_'+t+'_crt', type: 'textarea', value: eval( 'nvram.vpn_'+t+'_crt' ) },
-		{ title: 'Client Key', name: 'vpn_'+t+'_key', type: 'textarea', value: eval( 'nvram.vpn_'+t+'_key' ) }
+		{ title: 'Client Key', name: 'vpn_'+t+'_key', type: 'textarea', value: eval( 'nvram.vpn_'+t+'_key' ) },
 	]);
 	W('</div>');
 	W('<div id=\''+t+'-status\'>');
@@ -369,4 +401,3 @@ for (i = 0; i < tabs.length; ++i)
 <script type='text/javascript'>init();</script>
 </body>
 </html>
-
diff --git a/release/src/router/www/vpn-server.asp b/release/src/router/www/vpn-server.asp
index e67e0c303b..8c3e2ac398 100644
--- a/release/src/router/www/vpn-server.asp
+++ b/release/src/router/www/vpn-server.asp
@@ -13,7 +13,7 @@
 <head>
 <meta http-equiv='content-type' content='text/html;charset=utf-8'>
 <meta name='robots' content='noindex,nofollow'>
-<title>[<% ident(); %>] VPN: Server</title>
+<title>[<% ident(); %>] OpenVPN: Server</title>
 <link rel='stylesheet' type='text/css' href='tomato.css'>
 <link rel='stylesheet' type='text/css' href='color.css'>
 <script type='text/javascript' src='tomato.js'></script>
@@ -398,7 +398,7 @@ table.status-table
 <input type='hidden' name='vpn_server_eas' id='vpn_server_eas' value=''>
 <input type='hidden' name='vpn_server_dns' id='vpn_server_dns' value=''>
 
-<div class='section-title'>VPN Server Configuration</div>
+<div class='section-title'>OpenVPN Server Configuration</div>
 <div class='section'>
 <script type='text/javascript'>
 tabCreate.apply(this, tabs);
-- 
2.11.4.GIT