From bfdac88f6ddaf4bf3204cc6f3591c4488fe958c2 Mon Sep 17 00:00:00 2001
From: Zhiqiang Wang <wang.9264@gmail.com>
Date: Thu, 25 Jul 2013 12:11:24 -0400
Subject: [PATCH] add openvpn username/password auth

---
 release/src/router/Makefile                        |  5 +-
 release/src/router/httpd/tomato.c                  |  6 ++
 .../src/router/openvpn_plugin_auth_nvram/Makefile  | 35 ++++++++
 .../openvpn_plugin_auth_nvram.c                    | 99 ++++++++++++++++++++++
 release/src/router/rc/vpn.c                        | 15 ++++
 release/src/router/www/about.asp                   |  2 +
 release/src/router/www/vpn-server.asp              | 89 ++++++++++++++++++-
 7 files changed, 249 insertions(+), 2 deletions(-)
 create mode 100644 release/src/router/openvpn_plugin_auth_nvram/Makefile
 create mode 100644 release/src/router/openvpn_plugin_auth_nvram/openvpn_plugin_auth_nvram.c

diff --git a/release/src/router/Makefile b/release/src/router/Makefile
index bc192288c6..cb36dd296c 100644
--- a/release/src/router/Makefile
+++ b/release/src/router/Makefile
@@ -167,6 +167,7 @@ obj-$(TCONFIG_ZEBRA) += zebra
 #	obj-$(TCONFIG_IPP2P) += ipp2p
 obj-$(TCONFIG_LZO) += lzo
 obj-$(TCONFIG_OPENVPN) += openvpn
+obj-$(TCONFIG_OPENVPN) += openvpn_plugin_auth_nvram
 obj-$(TCONFIG_EMF) += emf
 obj-$(TCONFIG_EMF) += igs
 
@@ -1606,7 +1607,7 @@ openvpn/.conf: openssl lzo
 	CPPFLAGS="-I$(TOP)/lzo/include -I$(TOP)/openssl/include" \
 	$(CONFIGURE) --prefix= \
 	--with-crypto-library=openssl \
-	--disable-debug --disable-plugins --enable-management --enable-small \
+	--disable-debug --disable-plugin-auth-pam --disable-plugin-down-root --with-plugindir=/lib --enable-management --enable-small \
 	--disable-selinux --disable-socks --enable-password-save \
 	OPENSSL_SSL_CFLAGS="-I$(TOP)/openssl/include" \
 	OPENSSL_SSL_LIBS="-L$(TOP)/openssl -lssl" \
@@ -1625,6 +1626,8 @@ openvpn-install: openvpn
 	$(STRIP) -s $(INSTALLDIR)/openvpn/usr/sbin/openvpn
 	chmod 0500 $(INSTALLDIR)/openvpn/usr/sbin/openvpn
 
+openvpn_plugin_auth_nvram:nvram
+
 #shibby
 libcurl/stamp-h1: zlib openssl
 	cd libcurl && CC=$(CC) STRIP='mipsel-uclibc-strip' \
diff --git a/release/src/router/httpd/tomato.c b/release/src/router/httpd/tomato.c
index 923957f67b..c2886de430 100644
--- a/release/src/router/httpd/tomato.c
+++ b/release/src/router/httpd/tomato.c
@@ -1320,6 +1320,9 @@ static const nvset_t nvset_list[] = {
 	{ "vpn_server1_ccd_val",  V_NONE              },
 	{ "vpn_server1_pdns",     V_01                },
 	{ "vpn_server1_rgw",      V_01                },
+	{ "vpn_server1_userpass", V_01                },
+	{ "vpn_server1_nocert",   V_01                },
+	{ "vpn_server1_users_val",V_NONE              },
 	{ "vpn_server1_custom",   V_NONE              },
 	{ "vpn_server1_static",   V_NONE              },
 	{ "vpn_server1_ca",       V_NONE              },
@@ -1346,6 +1349,9 @@ static const nvset_t nvset_list[] = {
 	{ "vpn_server2_plan",     V_01                },
 	{ "vpn_server2_pdns",     V_01                },
 	{ "vpn_server2_rgw",      V_01                },
+	{ "vpn_server2_userpass", V_01                },
+	{ "vpn_server2_nocert",   V_01                },
+	{ "vpn_server2_users_val",V_NONE              },
 	{ "vpn_server2_custom",   V_NONE              },
 	{ "vpn_server2_ccd",      V_01                },
 	{ "vpn_server2_c2c",      V_01                },
diff --git a/release/src/router/openvpn_plugin_auth_nvram/Makefile b/release/src/router/openvpn_plugin_auth_nvram/Makefile
new file mode 100644
index 0000000000..a3fb5b7617
--- /dev/null
+++ b/release/src/router/openvpn_plugin_auth_nvram/Makefile
@@ -0,0 +1,35 @@
+include ../common.mak
+
+CFLAGS	= -Os -Wall $(EXTRACFLAGS)
+CFLAGS	+= -I$(SRCBASE)/include -I$(TOP)/openvpn/include
+LDFLAGS = -L$(TOP)/nvram -lnvram
+OBJS = openvpn_plugin_auth_nvram.o
+
+all: openvpn_plugin_auth_nvram.so
+
+openvpn_plugin_auth_nvram.so: $(OBJS)
+	@echo " [] CC -o $@"
+	@$(CC) -shared $(LDFLAGS) -o $@ $(OBJS) $(LDFLAGS)
+
+	$(SIZECHECK)
+	$(CPTMP)
+
+install: all
+	install -D openvpn_plugin_auth_nvram.so $(INSTALLDIR)/lib/openvpn_plugin_auth_nvram.so
+	$(STRIP) $(INSTALLDIR)/lib/openvpn_plugin_auth_nvram.so
+	chmod 0500 $(INSTALLDIR)/lib/openvpn_plugin_auth_nvram.so
+
+clean:
+	rm -f openvpn_plugin_auth_nvram.so .*.depend *.o
+	
+%.o: %.c .%.depend
+	@echo " [ntpc] CC $@"
+	@$(CC) $(CFLAGS) -c $<
+	
+.depend: $(OBJS:%.o=%.c)
+	@$(CC) $(CFLAGS) -M $^ > .depend
+
+.%.depend: %.c
+	@$(CC) $(CFLAGS) -M $< > $@
+
+-include $(OBJS:%.o=.%.depend)
diff --git a/release/src/router/openvpn_plugin_auth_nvram/openvpn_plugin_auth_nvram.c b/release/src/router/openvpn_plugin_auth_nvram/openvpn_plugin_auth_nvram.c
new file mode 100644
index 0000000000..360c80e870
--- /dev/null
+++ b/release/src/router/openvpn_plugin_auth_nvram/openvpn_plugin_auth_nvram.c
@@ -0,0 +1,99 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <openvpn-plugin.h>
+#include <bcmnvram.h>
+#define NVRAM_KEY_MAX_LEN 32
+
+struct nvram_context {
+    char nvarm_key[NVRAM_KEY_MAX_LEN + 1];
+};
+static const char *get_env(const char *key, const char *env[]) {
+        int i;
+                
+        if (!env)
+                return (NULL);
+
+        for (i = 0; env[i]; i++) {
+                int keylen = strlen(key);
+
+                if (keylen > strlen(env[i]))
+                        continue;
+
+                if (!strncmp(key, env[i], keylen)) {
+                        const char *p = env[i] + keylen;
+                        if (*p == '=')
+                                return (p + 1);
+                }
+        }
+
+        return (NULL);
+}
+/**
+find password ptr of username.
+*/
+static int nv_verify_pass(const char *nv_key,const char *username,const char *password) {
+    int i;
+    if(!nv_key || !username || !password)
+        return 0;
+    const char *nv = nvram_safe_get(nv_key);
+    const char *start = nv;
+    int to_verify_len = strlen(username) + strlen(password) + 3; // 1<username<password, add 3 bytes:'1 < <'
+    char *to_verify = malloc(to_verify_len + 1);
+    sprintf(to_verify,"1<%s<%s",username,password);//snprintf is not necessary.
+    for(i = 0 ; ;i++){
+        if(nv[i] == '>'){
+            if(to_verify_len == nv + i - start && !memcmp(to_verify,start,to_verify_len)){
+                free(to_verify);
+                return 1;
+            }
+            start = nv + i + 1;
+        }
+        else if(nv[i] == 0){
+            free(to_verify);
+            return 0;
+        }
+    }
+    free(to_verify);
+    return 0;
+}
+int string_array_len (const char *array[])
+{
+  int i = 0;
+  if (array)
+    {
+      while (array[i])
+        ++i;
+    }
+  return i;
+}
+OPENVPN_EXPORT openvpn_plugin_handle_t openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) {
+    struct nvram_context *context = calloc(1,sizeof(struct nvram_context));
+    *type_mask = OPENVPN_PLUGIN_MASK(OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY);
+    if (string_array_len (argv) < 2) {
+        fprintf (stderr, "AUTH-NVRAM: need NVRAM KEY parameter\n");
+        goto error;
+    }
+    else {
+        strncpy(context->nvarm_key,argv[1],NVRAM_KEY_MAX_LEN);
+    }
+    return (openvpn_plugin_handle_t) context;
+    error:
+        if(context) free(context);
+        return NULL;
+}
+OPENVPN_EXPORT void openvpn_plugin_close_v1(openvpn_plugin_handle_t handle)
+{
+    free (handle);
+}
+OPENVPN_EXPORT int openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) {
+    struct nvram_context *context = (struct nvram_context *)handle;
+    if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY){
+        const char *username = get_env ("username", envp);
+        const char *password = get_env ("password", envp);
+        if(username && password && nv_verify_pass(context->nvarm_key,username,password)){
+             return OPENVPN_PLUGIN_FUNC_SUCCESS;
+        }
+    }
+    return OPENVPN_PLUGIN_FUNC_ERROR;
+}
diff --git a/release/src/router/rc/vpn.c b/release/src/router/rc/vpn.c
index bd4104128e..dddfb5a4fe 100644
--- a/release/src/router/rc/vpn.c
+++ b/release/src/router/rc/vpn.c
@@ -520,6 +520,7 @@ void start_vpnserver(int serverNum)
 	long int nvl;
 	int pid;
 
+	int current_security_level = 1;
 	sprintf(&buffer[0], "vpnserver%d", serverNum);
 	if (getpid() != 1) {
 		start_service(&buffer[0]);
@@ -764,6 +765,20 @@ void start_vpnserver(int serverNum)
 			vpnlog(VPN_LOG_EXTRA,"CCD processing complete");
 		}
 
+		sprintf(&buffer[0], "vpn_server%d_userpass", serverNum);
+		if ( nvram_get_int(&buffer[0]) )
+		{
+			fprintf(fp, "plugin /lib/openvpn_plugin_auth_nvram.so vpn_server%d_users_val\n",serverNum);
+			if(current_security_level < 2){
+				fprintf(fp, "script-security 2\n");
+				current_security_level = 2;
+			}
+			fprintf(fp, "username-as-common-name\n");
+			sprintf(&buffer[0], "vpn_server%d_nocert", serverNum);
+			if ( nvram_get_int(&buffer[0]) )
+				fprintf(fp, "client-cert-not-required\n");
+		}
+
 		sprintf(&buffer[0], "vpn_server%d_pdns", serverNum);
 		if ( nvram_get_int(&buffer[0]) )
 		{
diff --git a/release/src/router/www/about.asp b/release/src/router/www/about.asp
index a6e560f4ea..b8fcc8f76a 100644
--- a/release/src/router/www/about.asp
+++ b/release/src/router/www/about.asp
@@ -111,6 +111,8 @@ Copyright (C) 2010 Keith Moyer,<br>
 <a href='mailto:tomatovpn@keithmoyer.com'>tomatovpn@keithmoyer.com</a><br>
 <br>
 <!-- OPENVPN-END -->
+<b>"TomatoEgg" Features:</b><br>
+- Openvpn username/password verify feature and configure GUI.<br>
 
 <b>"Shibby" features:</b><br>
 <!-- BBT-BEGIN -->
diff --git a/release/src/router/www/vpn-server.asp b/release/src/router/www/vpn-server.asp
index 8c3e2ac398..4803a9bd27 100644
--- a/release/src/router/www/vpn-server.asp
+++ b/release/src/router/www/vpn-server.asp
@@ -20,18 +20,24 @@
 <script type='text/javascript' src='vpn.js'></script>
 <script type='text/javascript'>
 
-//	<% nvram("vpn_server_eas,vpn_server_dns,vpn_server1_poll,vpn_server1_if,vpn_server1_proto,vpn_server1_port,vpn_server1_firewall,vpn_server1_sn,vpn_server1_nm,vpn_server1_local,vpn_server1_remote,vpn_server1_dhcp,vpn_server1_r1,vpn_server1_r2,vpn_server1_crypt,vpn_server1_comp,vpn_server1_cipher,vpn_server1_reneg,vpn_server1_hmac,vpn_server1_plan,vpn_server1_ccd,vpn_server1_c2c,vpn_server1_ccd_excl,vpn_server1_ccd_val,vpn_server1_pdns,vpn_server1_rgw,vpn_server1_custom,vpn_server1_static,vpn_server1_ca,vpn_server1_crt,vpn_server1_key,vpn_server1_dh,vpn_server2_poll,vpn_server2_if,vpn_server2_proto,vpn_server2_port,vpn_server2_firewall,vpn_server2_sn,vpn_server2_nm,vpn_server2_local,vpn_server2_remote,vpn_server2_dhcp,vpn_server2_r1,vpn_server2_r2,vpn_server2_crypt,vpn_server2_comp,vpn_server2_cipher,vpn_server2_reneg,vpn_server2_hmac,vpn_server2_plan,vpn_server2_ccd,vpn_server2_c2c,vpn_server2_ccd_excl,vpn_server2_ccd_val,vpn_server2_pdns,vpn_server2_rgw,vpn_server2_custom,vpn_server2_static,vpn_server2_ca,vpn_server2_crt,vpn_server2_key,vpn_server2_dh"); %>
+//	<% nvram("vpn_server_eas,vpn_server_dns,vpn_server1_poll,vpn_server1_if,vpn_server1_proto,vpn_server1_port,vpn_server1_firewall,vpn_server1_sn,vpn_server1_nm,vpn_server1_local,vpn_server1_remote,vpn_server1_dhcp,vpn_server1_r1,vpn_server1_r2,vpn_server1_crypt,vpn_server1_comp,vpn_server1_cipher,vpn_server1_reneg,vpn_server1_hmac,vpn_server1_plan,vpn_server1_ccd,vpn_server1_c2c,vpn_server1_ccd_excl,vpn_server1_ccd_val,vpn_server1_pdns,vpn_server1_rgw,vpn_server1_userpass,vpn_server1_nocert,vpn_server1_users_val,vpn_server1_custom,vpn_server1_static,vpn_server1_ca,vpn_server1_crt,vpn_server1_key,vpn_server1_dh,vpn_server2_poll,vpn_server2_if,vpn_server2_proto,vpn_server2_port,vpn_server2_firewall,vpn_server2_sn,vpn_server2_nm,vpn_server2_local,vpn_server2_remote,vpn_server2_dhcp,vpn_server2_r1,vpn_server2_r2,vpn_server2_crypt,vpn_server2_comp,vpn_server2_cipher,vpn_server2_reneg,vpn_server2_hmac,vpn_server2_plan,vpn_server2_ccd,vpn_server2_c2c,vpn_server2_ccd_excl,vpn_server2_ccd_val,vpn_server2_pdns,vpn_server2_rgw,vpn_server2_userpass,vpn_server2_nocert,vpn_server2_users_val,vpn_server2_custom,vpn_server2_static,vpn_server2_ca,vpn_server2_crt,vpn_server2_key,vpn_server2_dh"); %>
 
 function CCDGrid() { return this; }
 CCDGrid.prototype = new TomatoGrid;
 
+function UsersGrid() {return this;}
+UsersGrid.prototype = new TomatoGrid;
+
 tabs = [['server1', 'Server 1'],['server2', 'Server 2']];
 sections = [['basic', 'Basic'],['advanced', 'Advanced'],['keys','Keys'],['status','Status']];
 ccdTables = [];
+usersTables = [];
 statusUpdaters = [];
 for (i = 0; i < tabs.length; ++i)
 {
 	ccdTables.push(new CCDGrid());
+	usersTables.push(new UsersGrid());
+	usersTables[i].servername = tabs[i][0];
 	statusUpdaters.push(new StatusUpdater());
 }
 ciphers = [['default','Use Default'],['none','None']];
@@ -166,6 +172,7 @@ function verifyFields(focused, quiet)
 		hmac = E('_vpn_'+t+'_hmac');
 		dhcp = E('_f_vpn_'+t+'_dhcp');
 		ccd = E('_f_vpn_'+t+'_ccd');
+		userpass = E('_f_vpn_'+t+'_userpass');
 		dns = E('_f_vpn_'+t+'_dns');
 
 		elem.display(PR('_vpn_'+t+'_ca'), PR('_vpn_'+t+'_crt'), PR('_vpn_'+t+'_dh'), PR('_vpn_'+t+'_key'),
@@ -177,6 +184,8 @@ function verifyFields(focused, quiet)
 		elem.display(E(t+'_range'), !dhcp.checked);
 		elem.display(PR('_vpn_'+t+'_local'), auth.value == "secret" && iface.value == "tun");
 		elem.display(PR('_f_vpn_'+t+'_ccd'), auth.value == "tls");
+		elem.display(PR('_f_vpn_'+t+'_userpass'), auth.value == "tls");
+		elem.display(PR('_f_vpn_'+t+'_nocert'),PR('table_'+t+'_users'), auth.value == "tls" && userpass.checked);
 		elem.display(PR('_f_vpn_'+t+'_c2c'),PR('_f_vpn_'+t+'_ccd_excl'),PR('table_'+t+'_ccd'), auth.value == "tls" && ccd.checked);
 		elem.display(PR('_f_vpn_'+t+'_pdns'), auth.value == "tls" && dns.checked );
 
@@ -278,6 +287,54 @@ CCDGrid.prototype.reDraw = function()
 	}
 }
 
+UsersGrid.prototype.verifyFields = function(row, quiet)
+{
+	var ret = 1;
+	var fom = E('_fom');
+	var servernum = 1;
+	for (i = 0; i < tabs.length; ++i)
+	{
+		if (usersTables[i] == this)
+		{
+			servernum = i+1;
+			if (eval('vpn'+(i+1)+'up') && fom._service.value.indexOf('server'+(i+1)) < 0)
+			{
+				if ( fom._service.value != "" )
+					fom._service.value += ",";
+				fom._service.value += 'vpnserver'+(i+1)+'-restart';
+			}
+		}
+	}
+	var f = fields.getAll(row);
+
+	// Verify fields in this row of the table
+	if (f[1].value == "") { ferror.set(f[1], "username is mandatory.", quiet); ret = 0; }
+	if (f[1].value.indexOf('>') >= 0 || f[1].value.indexOf('<') >= 0) { ferror.set(f[1], "user name cannot contain '<' or '>' characters.", quiet); ret = 0; }
+	if (f[2].value == "" ) { ferror.set(f[2], "password is mandatory.", quiet); ret = 0; }
+	if (f[2].value.indexOf('>') >= 0 || f[1].value.indexOf('<') >= 0) { ferror.set(f[2], "password cannot contain '<' or '>' characters.", quiet); ret = 0; }
+	return ret;
+}
+UsersGrid.prototype.fieldValuesToData = function(row)
+{
+	var f = fields.getAll(row);
+	return [f[0].checked?1:0, f[1].value, f[2].value];
+}
+UsersGrid.prototype.dataToView = function(data){
+	var temp = ['<input type=\'checkbox\' style="opacity:1" disabled'+(data[0]!=0?' checked':'')+'>',
+	            data[1],
+	            'secert'
+                ];
+
+	var v = [];
+	for (var i = 0; i < temp.length; ++i){
+		v.push(i==0?temp[i]:escapeHTML('' + temp[i]));
+    }
+	return v;
+}
+UsersGrid.prototype.dataToFieldValues = function(data)
+{
+	return [data[0] == 1, data[1], data[2]];
+}
 function save()
 {
 	if (!verifyFields(null, false)) return;
@@ -290,6 +347,7 @@ function save()
 	for (i = 0; i < tabs.length; ++i)
 	{
 		if (ccdTables[i].isEditing()) return;
+		if (usersTables[i].isEditing()) return;
 
 		t = tabs[i][0];
 
@@ -304,6 +362,10 @@ function save()
 
 		for (j = 0; j < data.length; ++j)
 			ccd += data[j].join('<') + '>';
+		var userdata = usersTables[i].getAllData();
+		var users = '';
+		for (j = 0; j < userdata.length; ++j)
+			users += userdata[j].join('<') + '>';
 
 		E('vpn_'+t+'_dhcp').value = E('_f_vpn_'+t+'_dhcp').checked ? 1 : 0;
 		E('vpn_'+t+'_plan').value = E('_f_vpn_'+t+'_plan').checked ? 1 : 0;
@@ -311,6 +373,9 @@ function save()
 		E('vpn_'+t+'_c2c').value = E('_f_vpn_'+t+'_c2c').checked ? 1 : 0;
 		E('vpn_'+t+'_ccd_excl').value = E('_f_vpn_'+t+'_ccd_excl').checked ? 1 : 0;
 		E('vpn_'+t+'_ccd_val').value = ccd;
+		E('vpn_'+t+'_userpass').value = E('_f_vpn_'+t+'_userpass').checked ? 1 : 0;
+		E('vpn_'+t+'_nocert').value = E('_f_vpn_'+t+'_nocert').checked ? 1 : 0;
+		E('vpn_'+t+'_users_val').value = users;
 		E('vpn_'+t+'_pdns').value = E('_f_vpn_'+t+'_pdns').checked ? 1 : 0;
 		E('vpn_'+t+'_rgw').value = E('_f_vpn_'+t+'_rgw').checked ? 1 : 0;
 	}
@@ -347,6 +412,22 @@ function init()
 		ccdTables[i].showNewEditor();
 		ccdTables[i].resetNewEditor();
 
+		usersTables[i].init('table_' + t + '_users','sort', 0, [{ type: 'checkbox' }, { type: 'text' }, { type: 'text', maxlen: 15 }]);
+		usersTables[i].headerSet(['Enable', 'username', 'password']);
+		var usersVal = eval('nvram.vpn_' + t + '_users_val');
+		if(usersVal.length) {
+			var s = usersVal.split('>');
+			for (var j = 0; j < s.length; ++j)
+			{
+				if (!s[j].length) continue;
+				var row = s[j].split('<');
+				if (row.length == 3)
+					usersTables[i].insertData(-1, row);
+			}
+		}
+		usersTables[i].showNewEditor();
+		usersTables[i].resetNewEditor();
+
 		statusUpdaters[i].init(t+'-status-clients-table',t+'-status-routing-table',t+'-status-stats-table',t+'-status-time',t+'-status-content',t+'-no-status',t+'-status-errors');
 		updateStatus(i);
 	}
@@ -413,6 +494,9 @@ for (i = 0; i < tabs.length; ++i)
 	W('<input type=\'hidden\' id=\'vpn_'+t+'_c2c\' name=\'vpn_'+t+'_c2c\'>');
 	W('<input type=\'hidden\' id=\'vpn_'+t+'_ccd_excl\' name=\'vpn_'+t+'_ccd_excl\'>');
 	W('<input type=\'hidden\' id=\'vpn_'+t+'_ccd_val\' name=\'vpn_'+t+'_ccd_val\'>');
+	W('<input type=\'hidden\' id=\'vpn_'+t+'_userpass\' name=\'vpn_'+t+'_userpass\'>');
+	W('<input type=\'hidden\' id=\'vpn_'+t+'_nocert\' name=\'vpn_'+t+'_nocert\'>');
+	W('<input type=\'hidden\' id=\'vpn_'+t+'_users_val\' name=\'vpn_'+t+'_users_val\'>');
 	W('<input type=\'hidden\' id=\'vpn_'+t+'_pdns\' name=\'vpn_'+t+'_pdns\'>');
 	W('<input type=\'hidden\' id=\'vpn_'+t+'_rgw\' name=\'vpn_'+t+'_rgw\'>');
 
@@ -460,6 +544,9 @@ for (i = 0; i < tabs.length; ++i)
 		{ title: 'Allow Client<->Client', name: 'f_vpn_'+t+'_c2c', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_c2c' ) != 0 },
 		{ title: 'Allow Only These Clients', name: 'f_vpn_'+t+'_ccd_excl', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_ccd_excl' ) != 0 },
 		{ title: '', suffix: '<table class=\'tomato-grid\' id=\'table_'+t+'_ccd\'></table>' },
+		{ title: 'Allow User/Pass Auth', name: 'f_vpn_'+t+'_userpass', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_userpass' ) != 0 },
+		{ title: 'Allow Only User/Pass(Without cert) Auth', name: 'f_vpn_'+t+'_nocert', type: 'checkbox', value: eval( 'nvram.vpn_'+t+'_nocert' ) != 0 },
+		{ title: '', suffix: '<table class=\'tomato-grid\' id=\'table_'+t+'_users\'></table>' },
 		{ title: 'Custom Configuration', name: 'vpn_'+t+'_custom', type: 'textarea', value: eval( 'nvram.vpn_'+t+'_custom' ) }
 	]);
 	W('</div>');
-- 
2.11.4.GIT