public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed
* [PATCH 1/4] OpenVPN: Update to version 2.6.9 .
@ 2024-03-21 12:24 Erik Kapfer
  2024-03-21 12:24 ` [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) Erik Kapfer
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Erik Kapfer @ 2024-03-21 12:24 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 2485 bytes --]

This update enters the 2.6.x series and needs configuration changes since
NCP is now a requirement.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/rootfiles/common/openvpn | 1 -
 lfs/openvpn                     | 9 +++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..91c702bd5 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -15,7 +15,6 @@ usr/sbin/openvpn-authenticator
 #usr/share/doc/openvpn/COPYRIGHT.GPL
 #usr/share/doc/openvpn/Changes.rst
 #usr/share/doc/openvpn/README
-#usr/share/doc/openvpn/README.IPv6
 #usr/share/doc/openvpn/README.auth-pam
 #usr/share/doc/openvpn/README.down-root
 #usr/share/doc/openvpn/README.mbedtls
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..7899894be 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2023  IPFire Team  <info(a)ipfire.org>                     #
+# Copyright (C) 2007-2024  IPFire Team  <info(a)ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 2.5.9
+VER        = 2.6.9
 
 THISAPP    = openvpn-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = e5110ebb9149121c11de45f085f66d30a89fb674ad96c5792d83b16dc29c95215a91e682adb3c800b91ed4d88d6d24b5bcae0799cdb855a284832f0668ffcb82
+$(DL_FILE)_BLAKE2 = 22289b32f2b9afc2aed59f6fc66dc25b3043b8c82858b7857e4f904a25c6cf0f21a41551ed4f8d8869c0e7248e4e060779f760dd606e99cdc02203fbff886536
 
 install : $(TARGET)
 
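Review bot: the new `$(DL_FILE)_BLAKE2` value is the only integrity check for the 2.6.9 tarball, and the commit message does not say how it was obtained; state that it was computed from a tarball verified against upstream's release signature (or published checksum) so a reviewer can reproduce it rather than trust the hash in the diff.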
@@ -76,7 +76,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 		--enable-iproute2 \
 		--enable-plugins \
 		--enable-plugin-auth-pam \
-		--enable-plugin-down-root
+		--enable-plugin-down-root \
+		--disable-dco
 
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
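Review bot: `--disable-dco` is added without a comment and the commit message only mentions NCP, so the reason for turning off data channel offload is not recorded. Add a one-line comment above the flag (for example that the required kernel module is not shipped, if that is the reason) so the next updater knows whether it can be re-enabled.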
-- 
2.43.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) .
  2024-03-21 12:24 [PATCH 1/4] OpenVPN: Update to version 2.6.9 Erik Kapfer
@ 2024-03-21 12:24 ` Erik Kapfer
  2024-03-21 12:24 ` [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitude the deprecated --cipher directive Erik Kapfer
  2024-03-21 12:24 ` [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x Erik Kapfer
  2 siblings, 0 replies; 7+ messages in thread
From: Erik Kapfer @ 2024-03-21 12:24 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 10612 bytes --]

- The new directive '--data-ciphers algs' has been introduced for RWs with
OpenVPN version 2.5.0. This directive negotiates with the clients the
best available cipher. The selection for '--data-ciphers algs' is
between the GCM family and the new CHACHA20-POLY1305 (all AEAD ciphers). All ciphers
can be combined with one another or can also be selected separately.

- The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefore
'--ncp-disable' has been removed, which fixes the deprecation warning in
the OpenVPN-2.5.0 server instance.

- A new section in ovpnmain.cgi has been added under the "Advanced server options"
where these changes take effect. Since all cryptographic options should step by step
belong to the "Advanced server options" (like in IPSec), the name of this section,
"Cryptographic options", is the same as in the "Global Settings".

- The new CHACHA20-POLY1305 cipher is integrated.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 91 ++++++++++++++++++++++++++++++++++++++-
 langs/de/cgi-bin/de.pl    |  4 ++
 langs/en/cgi-bin/en.pl    |  4 ++
 3 files changed, 97 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d..833ce8247 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -80,6 +80,7 @@ my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
 my $dhparameter = "/etc/ssl/ffdhe4096.pem";
+my @advcipherchar=();
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 $cgiparams{'ENABLED'} = 'off';
@@ -101,6 +102,7 @@ $cgiparams{'number'} = '';
 $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -329,7 +331,12 @@ sub writeserverconf {
     }
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
-    print CONF "ncp-disable\n";
+
+    # Data channel encryption
+    # Set seperator ':' for data ciphers
+    @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+    print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
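Review bot: `@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);` stores only the substitution count; the real work is the in-place edit of `$sovpnsettings{'DATACIPHERS'}`, which the next line prints. Clearer, and without the file-scope `@advcipherchar` global added in the first hunk: `(my $ciphers = $sovpnsettings{'DATACIPHERS'}) =~ s/\|/:/g;` followed by `print CONF "data-ciphers $ciphers\n";`. Also "seperator" in the comment should read "separator".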
@@ -811,8 +818,15 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
     $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
     $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
     $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
+    $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
     my @temp=();
 
+    # data-ciphers needs at least one cipher
+    if ($cgiparams{'DATACIPHERS'} eq '') {
+         $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+         goto ADV_ERROR;
+    }
+
     if ($cgiparams{'FRAGMENT'} eq '') {
     	delete $vpnsettings{'FRAGMENT'};
     } else {
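Review bot: `$cgiparams{'DATACIPHERS'}` is copied into `%vpnsettings` before it is checked, and the only check is for an empty string. The value is whatever the POST body contains, not necessarily one of the four `<option>` values, and it is later printed straight into server.conf and client.ovpn as `data-ciphers ...`; a crafted value containing a newline would add arbitrary directives to the server configuration. Split on `|`, reject any element that is not one of the four offered names, and only then assign to `$vpnsettings{'DATACIPHERS'}`.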
@@ -2291,7 +2305,12 @@ else
 	$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
 	$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
     }
-    print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+    # Data cipher negotiation
+    # Set seperator ':' for --data-ciphers algorithms
+    @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+    print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
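Review bot: the `s/\|/:/g` here modifies `$vpnsettings{'DATACIPHERS'}` in the global settings hash rather than a copy; if `%vpnsettings` is written back to the settings file anywhere after this point, the stored value will carry `:` separators and the `split('\|', ...)` used to pre-select the form options will stop matching. Use a local copy as suggested for `writeserverconf`. Dropping the `cipher` line from client.ovpn also means clients that do not understand `data-ciphers` can no longer use the generated file; that minimum client version belongs in this commit message, not only in 3/4.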
@@ -2644,6 +2663,7 @@ END
     %cahash = ();
     %confighash = ();
     my $disabled;
+    my @temp=();
     &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
     read_routepushfile;
 
@@ -2652,6 +2672,18 @@ END
 #	$cgiparams{'CLIENT2CLIENT'} =  'on';
 #    }
 ADV_ERROR:
+
+    # Set default data channel ciphers
+    if ($cgiparams{'DATACIPHERS'} eq '') {
+         $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM';
+    }
+    $checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+    $checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+    $checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+    $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+    @temp = split('\|', $cgiparams{'DATACIPHERS'});
+    foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
     if ($cgiparams{'MAX_CLIENTS'} eq '') {
 		$cgiparams{'MAX_CLIENTS'} =  '100';
     }
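Review bot: the default `'ChaCha20-Poly1305|AES-256-GCM'` is hardcoded here, again in the next hunk, and a third time (with `:` separators) in update.sh of 4/4; keep one definition so the three cannot drift. The `$checked` initialisation plus `split`/`foreach` in this block is repeated verbatim a few lines further down in the next hunk and should exist only once.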
@@ -2706,9 +2738,64 @@ ADV_ERROR:
 	&Header::closebox();
     }
     &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
+
+    # Set default data channel ciphers
+    if ($cgiparams{'DATACIPHERS'} eq '') {
+         $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM';
+    }
+    $checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+    $checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+    $checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+    $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+    @temp = split('\|', $cgiparams{'DATACIPHERS'});
+    foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+     if ($cgiparams{'MAX_CLIENTS'} eq '') {
+          $cgiparams{'MAX_CLIENTS'} =  '100';
+     }
+@@ -2706,9 +2738,45 @@
+     &Header::closebox();
+     }
+     &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
+    print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+    print<<END
+    <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+    <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+    <table width='100%'>
+         <tr>
+              <td style='width:18em'><b>$Lang::tr{'ovpn advanced encryption'}</b></td>
+         </tr>
+    </table>
+    <div class="ADVANCED_ENCRYPTION">
+         <table width='100%'>
+              <thead>
+                   <tr>
+                        <th width="15%"></th>
+                        <th>$Lang::tr{'ovpn data channel'}</th>
+                   </tr>
+              </thead>
+              <tbody>
+                   <tr>
+                        <td class='boldbase' width="24%">$Lang::tr{'ovpn data encryption'}</td>
+                        <td class='boldbase'>
+                             <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+                                  <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+                                  <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+                                  <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+                                  <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+                             </select>
+                        </td>
+                   </tr>
+              </tbody>
+         </table>
+    </div>
+END
+;
+
     print <<END;
     <form method='post' enctype='multipart/form-data'>
 <table width='100%' border=0>
+	<hr>
 	<tr>
 		<td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
     </tr>
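Review bot: the lines `+@@ -2706,9 +2738,45 @@`, `+     &Header::closebox();`, `+     }` and the second `+     &Header::openbox(...)` are pasted diff output inside the Perl source and will break the script (`@@` is not valid Perl, and `openbox` would be called twice). The default-cipher and `MAX_CLIENTS` blocks right above them duplicate the previous hunk. `<form ...>` is opened by `print "<form ...>"`, again inside the heredoc, and a third time by the existing `print <<END;` below, with none closed in between; keep a single form. `<hr>` directly inside `<table>` is invalid HTML, and the ChaCha20 label hardcodes `256 bit` where the other options use `$Lang::tr{'bit'}`.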
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index f13bddf4b..7c8287510 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1952,14 +1952,18 @@
 'override mtu' => 'Überschreibe Standard-MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Erweiterte Konfiguration',
+'ovpn advanced encryption' => 'Kryptografie Optionen',
 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel' => 'Daten-Kanal',
 'ovpn device' => 'OpenVPN-Gerät',
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
+'ovpn errmsg invalid data cipher input' => 'Die Daten-Kanal Verschlüsselung benötigt mindestens einen Algorithmus',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
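Review bot: `'ovpn advanced encryption' => 'Kryptografie Optionen'` duplicates the existing `'ovpn crypt options' => 'Kryptografieoptionen'` a few lines below with a different spelling; the commit message says the section name is meant to be the same, so reuse the existing key instead of adding a second one.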
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 0113f8811..cfa826245 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2013,14 +2013,18 @@
 'override mtu' => 'Override default MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Cryptographic options',
 'ovpn con stat' => 'OpenVPN Connection Statistics',
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel' => 'Data-Channel',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data-channel encryption needs at least one cipher',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',
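Review bot: `'ovpn advanced encryption' => 'Cryptographic options'` is identical to the existing `'ovpn crypt options'`; reuse that key rather than adding a duplicate that every translation has to keep in sync.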
-- 
2.43.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitude the deprecated --cipher directive .
  2024-03-21 12:24 [PATCH 1/4] OpenVPN: Update to version 2.6.9 Erik Kapfer
  2024-03-21 12:24 ` [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) Erik Kapfer
@ 2024-03-21 12:24 ` Erik Kapfer
  2024-03-21 12:24 ` [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x Erik Kapfer
  2 siblings, 0 replies; 7+ messages in thread
From: Erik Kapfer @ 2024-03-21 12:24 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 11737 bytes --]

- Since OpenVPN version 2.5.0 the '--cipher' directive is deprecated; it is now handled via
'--data-cipher-fallback' to keep compatibility with already existing clients down to version 2.3.x.
The old 'DCIPHER' variable name has been kept and also uses the old settings file, but
the directive has now been renamed from '--cipher' to '--data-cipher-fallback'.
All new clients need to be at least at OpenVPN version 2.5.0 since the '--cipher' directive
will no longer be printed into client.ovpn, which instead uses only NCP.

- All old CBC ciphers except the GCM family and CHACHA20-POLY1305 (AEAD ciphers)
are now included in the '--data-ciphers-fallback' table, which is located beneath the
data-channel ciphers in a separate table.

- With this patch all ciphers are now located under the "Advanced server options" and no longer under
the "Global settings"; therefore tls-auth needed to be rearranged in the "Global settings".

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 92 +++++++++++++++++++++------------------
 langs/de/cgi-bin/de.pl    |  1 +
 langs/en/cgi-bin/en.pl    |  1 +
 3 files changed, 51 insertions(+), 43 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 833ce8247..49ddae4ce 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -337,7 +337,10 @@ sub writeserverconf {
     @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
     print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
 
-    print CONF "cipher $sovpnsettings{DCIPHER}\n";
+    # The "--cipher" directive has been renamed to "--data-cipher-fallback"
+    # but uses the old setting files. This should deliver compatibility
+    # for already existing old clients back to OpenVPN version 2.3.x
+    print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
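Review bot: the comment says the directive is `--data-cipher-fallback` (as does the commit subject), but the line actually written, correctly, is `data-ciphers-fallback`. Fix the comment and the subject so a reader grepping for the OpenVPN option name finds this code, and drop "but uses the old setting files", which describes the `DCIPHER` variable rather than the directive.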
@@ -819,6 +822,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
     $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
     $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
     $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
+    $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
     my @temp=();
 
     # data-ciphers needs at least one cipher
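Review bot: `$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};` takes the POST value without checking it against the names offered in the `<select>`, and it ends up in server.conf as `data-ciphers-fallback ...`; validate it the same way `DATACIPHERS` should be validated, or at the very least reject values containing whitespace.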
@@ -1243,7 +1247,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
     $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
     $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 #wrtie enable
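Review bot: removing `DCIPHER` from the global "save" handler is only safe if `%vpnsettings` there is loaded from the settings file before being written back; otherwise saving the global page drops the fallback cipher and `writeserverconf` emits an empty `data-ciphers-fallback` line. Worth a test: change the fallback on the advanced page, save the global page, and diff server.conf.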
@@ -2306,6 +2309,12 @@ else
 	$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
     }
 
+    # !!! With the update to version 2.6.x all new configured clients
+    # needs to be at least at OpenVPN version >= 2.5.0 cause the cipher
+    # directive is deprecated and reach his EOL with 2.7.x so only the
+    # following NCP will be used !!!
+    #print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
     # Data cipher negotiation
     # Set seperator ':' for --data-ciphers algorithms
     @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
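Review bot: the commented-out `#print CLIENTCONF "cipher ..."` with the `!!!` comment is dead code; delete it and put the requirement (newly generated client configs need OpenVPN >= 2.5.0 because `cipher` is no longer written) in the commit message and the user documentation, where the people who roll out clients will see it. "reach his EOL" should read "reaches its EOL".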
@@ -2684,6 +2693,26 @@ ADV_ERROR:
     @temp = split('\|', $cgiparams{'DATACIPHERS'});
     foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
 
+    # Set default for data-cipher-fallback (the old --cipher directive)
+    if ($cgiparams{'DCIPHER'} eq '') {
+         $cgiparams{'DCIPHER'} =  'AES-256-CBC';
+    }
+    # All CBC ciphers are now in data-cipher-fallback section
+    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
+    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
+    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
+    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
+    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
+    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
+    $selected{'DCIPHER'}{'SEED-CBC'} = '';
+    $selected{'DCIPHER'}{'DES-CBC'} = '';
+    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
+    $selected{'DCIPHER'}{'DESX-CBC'} = '';
+    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
+    $selected{'DCIPHER'}{'BF-CBC'} = '';
+    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
+    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
+
     if ($cgiparams{'MAX_CLIENTS'} eq '') {
 		$cgiparams{'MAX_CLIENTS'} =  '100';
     }
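Review bot: `$selected{'DCIPHER'}{'DES-CBC'}` is initialised here but the `<select>` added in the hunk below has no `DES-CBC` option, so the entry is dead (and a stored `DES-CBC` would render with nothing selected). Either drop it or add the option; given the other weak entries are already labelled `vpn weak`, dropping is the better choice.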
@@ -2772,6 +2801,7 @@ ADV_ERROR:
                    <tr>
                         <th width="15%"></th>
                         <th>$Lang::tr{'ovpn data channel'}</th>
+                        <th>$Lang::tr{'ovpn data channel fallback'}</th>
                    </tr>
               </thead>
               <tbody>
@@ -2785,6 +2815,23 @@ ADV_ERROR:
                                   <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
                              </select>
                         </td>
+
+                        <td class='boldbase'>
+                             <select name='DCIPHER' size='6' style='width: 100%'>
+                                  <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option>
+                                  <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option>
+                                  <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option>
+                                  <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option>
+                                  <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option>
+                                  <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option>
+                                  <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option>
+                                  <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+                                  <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+                                  <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+                                  <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+                                  <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+                             </select>
+                        </td>
                    </tr>
               </tbody>
          </table>
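Review bot: the fallback list offers DES-EDE3-CBC, DESX-CBC, DES-EDE-CBC, BF-CBC and CAST5-CBC, all 64-bit block ciphers already labelled `vpn weak`. Because `data-ciphers-fallback` is what the server uses for any client that does not negotiate, the selected fallback is the floor of the whole setup, so consider not offering these at all rather than leaving them one click from the default. Caveat to test before merge: OpenVPN 2.6 built against OpenSSL 3 may need the legacy provider for BF-CBC, CAST5-CBC and the DES variants, so selecting one could fail at startup. Minor: `128 bit AES-CBC` hardcodes "bit" where the neighbours use `$Lang::tr{'bit'}`, and `CAMELLIA-CBC`/`Camellia-CBC` are spelt two ways.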
@@ -5250,24 +5297,6 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
-
     $selected{'DAUTH'}{'whirlpool'} = '';
     $selected{'DAUTH'}{'SHA512'} = '';
     $selected{'DAUTH'}{'SHA384'} = '';
@@ -5391,29 +5420,6 @@ END
 			</select>
 		</td>
 
-		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
-		<td><select name='DCIPHER'>
-				<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
-	</tr>
-
-    <tr><td colspan='4'><br></td></tr>
-	<tr>
 		<td class='base'>$Lang::tr{'ovpn tls auth'}</td>
 		<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
 	</tr>
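Review bot: removing `</tr>`, the spacer row and `<tr>` folds the tls-auth cells into the same row as the preceding `<select>`; check that the resulting row still matches the table's four-column layout (the removed spacer used `colspan='4'`), otherwise the checkbox ends up in a fifth column.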
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 7c8287510..92bacc0ef 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1959,6 +1959,7 @@
 'ovpn crypt options' => 'Kryptografieoptionen',
 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
 'ovpn data channel' => 'Daten-Kanal',
+'ovpn data channel fallback' => 'Daten-Kanal Fallback',
 'ovpn device' => 'OpenVPN-Gerät',
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
 'ovpn engines' => 'Krypto Engine',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index cfa826245..2f517e79c 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2020,6 +2020,7 @@
 'ovpn crypt options' => 'Cryptographic options',
 'ovpn data encryption' => 'Data-Channel encryption',
 'ovpn data channel' => 'Data-Channel',
+'ovpn data channel fallback' => 'Data-Channel fallback',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
-- 
2.43.0


^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x .
  2024-03-21 12:24 [PATCH 1/4] OpenVPN: Update to version 2.6.9 Erik Kapfer
  2024-03-21 12:24 ` [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) Erik Kapfer
  2024-03-21 12:24 ` [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitude the deprecated --cipher directive Erik Kapfer
@ 2024-03-21 12:24 ` Erik Kapfer
  2024-03-21 12:29   ` ummeegge
  2 siblings, 1 reply; 7+ messages in thread
From: Erik Kapfer @ 2024-03-21 12:24 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 1305 bytes --]

This process may need to be continued with some of the following updates to make sure the directives are
included even if the update with these changes has been skipped; otherwise, the "Advanced server options" page
needs to be saved via the WUI to bring OpenVPN to life.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 config/rootfiles/core/185/update.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh
index 2c95c4102..247661481 100644
--- a/config/rootfiles/core/185/update.sh
+++ b/config/rootfiles/core/185/update.sh
@@ -35,6 +35,17 @@ done
 /etc/init.d/ntp stop
 /etc/init.d/squid stop
 
+# OpenVPN add and change new 2.6.x directives for NCP.
+if pgrep openvpn > /dev/null; then
+	/usr/local/bin/openvpnctrl -k > /dev/null
+	sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-256-GCM/' /var/ipfire/ovpn/server.conf
+	sed -i 's/^cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf
+	/usr/local/bin/openvpnctrl -s > /dev/null
+else
+	sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-256-GCM/' /var/ipfire/ovpn/server.conf
+	sed -i 's/^cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf
+fi
+
 # Extract files
 extract_files
 
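Review bot: both branches run the same two `sed` commands; run them once and keep only `openvpnctrl -k`/`-s` inside the `if`. `pgrep openvpn` also matches `openvpn-authenticator` (listed in the rootfile in 1/4), so use `pgrep -x openvpn`. The `data-ciphers` list is hardcoded rather than also written as `DATACIPHERS=` into `/var/ipfire/ovpn/settings`, which is why, as the commit message itself says, the advanced page has to be saved before the WUI and server.conf agree; writing the setting here would remove that manual step. `s/^cipher/...` should be `s/^cipher /data-ciphers-fallback /` so it only rewrites the `cipher` directive. Finally, `openvpnctrl -s` runs before `extract_files`, so the old binary is started with the new config and the new one never is unless something restarts it later in the script.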
-- 
2.43.0


^ permalink raw reply	[flat|nested] 7+ messages in thread
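The server.conf migration from 4/4 above, combined with the `|` to `:` separator conversion and the allowlist check that 2/4 leaves out, as an added example written for this review; it is not part of the patch set and not IPFire's own update.sh. It assumes the settings file is `KEY=value` per line with `DATACIPHERS` holding the `|`-separated WUI selection, and all paths and sample files are constructed by the caller. It goes beyond the patch in that it can be re-run safely and handles a box that never had `ncp-disable` because an intermediate update was skipped.

```shell
#!/bin/sh
# Added example (not from the IPFire patches): migrate an OpenVPN 2.5-style
# server.conf to the 2.6 NCP directives, re-runnable, with the cipher list
# taken from the settings file instead of being hardcoded.
# Assumed, not taken from the patches: a KEY=value settings file whose
# DATACIPHERS value is '|'-separated, and caller-supplied paths.

# Ciphers the WUI offers for --data-ciphers; anything else is rejected.
ALLOWED_DATA_CIPHERS="ChaCha20-Poly1305 AES-256-GCM AES-192-GCM AES-128-GCM"
DEFAULT_DATA_CIPHERS="ChaCha20-Poly1305:AES-256-GCM"

# Print the value of KEY ($2) from settings file $1 (first match only).
read_setting() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Turn the WUI's 'A|B|C' selection into OpenVPN's 'A:B:C', rejecting empty
# fields and any name not on the allowlist (returns 1 and prints nothing).
to_data_ciphers() {
    out=""
    old_ifs=$IFS
    IFS='|'
    for c in $1; do
        case " $ALLOWED_DATA_CIPHERS " in
            *" $c "*) out="${out:+$out:}$c" ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# Rewrite server.conf ($1) using settings file ($2):
#   ncp-disable -> data-ciphers <validated list from settings, else default>
#   cipher X    -> data-ciphers-fallback X
# A config that already has data-ciphers, or never had ncp-disable because
# an update was skipped, still ends up with exactly one data-ciphers line.
migrate_server_conf() {
    conf=$1
    settings=$2
    tmp="$conf.tmp"

    ciphers=$(to_data_ciphers "$(read_setting "$settings" DATACIPHERS)") \
        || ciphers=$DEFAULT_DATA_CIPHERS

    if grep -q '^ncp-disable' "$conf"; then
        sed "s/^ncp-disable.*/data-ciphers $ciphers/" "$conf" > "$tmp" && mv "$tmp" "$conf"
    elif ! grep -q '^data-ciphers ' "$conf"; then
        printf 'data-ciphers %s\n' "$ciphers" >> "$conf"
    fi

    # The trailing space keeps data-ciphers and data-ciphers-fallback lines untouched.
    sed 's/^cipher /data-ciphers-fallback /' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Print the data-channel directives of a config, for inspection or tests.
data_channel_directives() {
    grep -E '^(ncp-disable|cipher|data-ciphers|data-ciphers-fallback)( |$)' "$1"
}

# Demo on constructed files (not a real IPFire installation):
#   sh migrate.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf 'DATACIPHERS=AES-256-GCM|AES-128-GCM\n' > "$d/settings"
    printf 'port 1194\nncp-disable\ncipher AES-256-CBC\nauth SHA512\n' > "$d/server.conf"
    migrate_server_conf "$d/server.conf" "$d/settings"
    data_channel_directives "$d/server.conf"
    rm -rf "$d"
fi
```

The allowlist is what keeps a crafted `DATACIPHERS` value out of server.conf: a selection the WUI never offered falls back to the default instead of being written through, and `migrate_server_conf` can be placed in every following update.sh without producing duplicate lines.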

* Re: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x .
  2024-03-21 12:24 ` [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x Erik Kapfer
@ 2024-03-21 12:29   ` ummeegge
  2024-03-21 15:14     ` Michael Tremer
  0 siblings, 1 reply; 7+ messages in thread
From: ummeegge @ 2024-03-21 12:29 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 1656 bytes --]

Hi all,
this is a minimal solution for an update to OpenVPN 2.6.x IMO. This
patch series should mainly be a help for Adolf (it might be great if you
go for a checkout), but please give it all a try and test whether it
reaches the goal.

Best,

Erik

Am Donnerstag, dem 21.03.2024 um 13:24 +0100 schrieb Erik Kapfer:
> This process may should be continued with some of the following
> updates to make sure the directives are
> included even the update with this changes has over jumped ?!
> otherwise, the "Advanced server options" page
> needs to be saved via WUI to bring OpenVPN to life.
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  config/rootfiles/core/185/update.sh | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/config/rootfiles/core/185/update.sh
> b/config/rootfiles/core/185/update.sh
> index 2c95c4102..247661481 100644
> --- a/config/rootfiles/core/185/update.sh
> +++ b/config/rootfiles/core/185/update.sh
> @@ -35,6 +35,17 @@ done
>  /etc/init.d/ntp stop
>  /etc/init.d/squid stop
>  
> +# OpenVPN add and change new 2.6.x directives for NCP.
> +if pgrep openvpn > /dev/null; then
> +	/usr/local/bin/openvpnctrl -k > /dev/null
> +	sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-
> 256-GCM/' /var/ipfire/ovpn/server.conf
> +	sed -i 's/^cipher/data-ciphers-fallback/'
> /var/ipfire/ovpn/server.conf
> +	/usr/local/bin/openvpnctrl -s > /dev/null
> +else
> +	sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-
> 256-GCM/' /var/ipfire/ovpn/server.conf
> +	sed -i 's/^cipher/data-ciphers-fallback/'
> /var/ipfire/ovpn/server.conf
> +fi
> +
>  # Extract files
>  extract_files
>  


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x .
  2024-03-21 12:29   ` ummeegge
@ 2024-03-21 15:14     ` Michael Tremer
  2024-03-21 15:50       ` ummeegge
  0 siblings, 1 reply; 7+ messages in thread
From: Michael Tremer @ 2024-03-21 15:14 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 2716 bytes --]

Hello Erik,

Thank you for the patch set, but I have been working this week on implementing this.

You can find more details about this here:

  https://www.ipfire.org/docs/roadmap/openvpn-26

I asked Adolf to post the patches that he had and which include parts of your previous work to finally get this over the line. Various people have been working on the OpenVPN code over the years creating an absolute mess. The CGI file is by far the longest we have and very difficult to edit without breaking anything else. So I have started a large refactor (not rewrite) to get it into some state where we can work on things better.

That will be needed to implement the things outlined on the roadmap page. NCP is only one of them.

On that page, you can find my current development branch linked which includes many changes so far, but it is not done, yet.

-Michael

> On 21 Mar 2024, at 12:29, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi all,
> this is a minimal solution of an update to OpenVPN 2.6.x IMO . This
> patch series should be a help for mainly Adolf (might be great if you
> go for a checkout) but please give it all a try and test it if it
> reaches the goal.
> 
> Best,
> 
> Erik
> 
> Am Donnerstag, dem 21.03.2024 um 13:24 +0100 schrieb Erik Kapfer:
>> This process may need to be continued with some of the following
>> updates to make sure the directives are
>> included even if the update with these changes has been skipped?!
>> Otherwise, the "Advanced server options" page
>> needs to be saved via the WUI to bring OpenVPN to life.
>> 
>> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
>> ---
>>  config/rootfiles/core/185/update.sh | 11 +++++++++++
>>  1 file changed, 11 insertions(+)
>> 
>> diff --git a/config/rootfiles/core/185/update.sh
>> b/config/rootfiles/core/185/update.sh
>> index 2c95c4102..247661481 100644
>> --- a/config/rootfiles/core/185/update.sh
>> +++ b/config/rootfiles/core/185/update.sh
>> @@ -35,6 +35,17 @@ done
>>  /etc/init.d/ntp stop
>>  /etc/init.d/squid stop
>>  
>> +# OpenVPN add and change new 2.6.x directives for NCP.
>> +if pgrep openvpn > /dev/null; then
>> + /usr/local/bin/openvpnctrl -k > /dev/null
>> + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-
>> 256-GCM/' /var/ipfire/ovpn/server.conf
>> + sed -i 's/^cipher/data-ciphers-fallback/'
>> /var/ipfire/ovpn/server.conf
>> + /usr/local/bin/openvpnctrl -s > /dev/null
>> +else
>> + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-
>> 256-GCM/' /var/ipfire/ovpn/server.conf
>> + sed -i 's/^cipher/data-ciphers-fallback/'
>> /var/ipfire/ovpn/server.conf
>> +fi
>> +
>>  # Extract files
>>  extract_files
>>  
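Review bot: both sed calls only rewrite directives that are already present, so a server.conf without an `ncp-disable` line comes out of the update with no `data-ciphers` directive at all, which is exactly the case the commit message says then needs a manual save of the "Advanced server options" page; consider appending the directive when the substitution has nothing to replace, e.g. `grep -q '^data-ciphers ' /var/ipfire/ovpn/server.conf || echo 'data-ciphers ChaCha20-Poly1305:AES-256-GCM' >> /var/ipfire/ovpn/server.conf`. The two sed lines are also duplicated verbatim in the `if` and `else` branches: run them unconditionally and keep only the `openvpnctrl -k` / `openvpnctrl -s` calls inside the `if pgrep openvpn` check. Finally, `pgrep openvpn` matches any process whose name contains that string; `pgrep -x openvpn` restricts the match to the daemon itself.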
> 



* Re: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x .
  2024-03-21 15:14     ` Michael Tremer
@ 2024-03-21 15:50       ` ummeegge
  0 siblings, 0 replies; 7+ messages in thread
From: ummeegge @ 2024-03-21 15:50 UTC (permalink / raw)
  To: development


Great idea Michael.

On Thursday, 21.03.2024 at 15:14 +0000, Michael Tremer wrote:
> Hello Erik,
> 
> Thank you for the patches, but I have been working this week on
> implementing this.
> 
> You can find more details about this here:
> 
>   https://www.ipfire.org/docs/roadmap/openvpn-26
> 
> I asked Adolf to post the patches that he had and which include parts
> of your previous work to finally get this over the line. Various
> people have been working on the OpenVPN code over the years creating
> an absolute mess. The CGI file is by far the longest we have and very
> difficult to edit without breaking anything else. So I have started a
> large refactor (not rewrite) to get it into some state where we can
> work on things better.
> 
> That will be needed to implement the things outlined on the roadmap
> page. NCP is only one of them.
> 
> On that page, you can find my current development branch linked which
> includes many changes so far, but it is not done yet.
> 
> -Michael
> 
> > On 21 Mar 2024, at 12:29, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi all,
> > this is a minimal solution of an update to OpenVPN 2.6.x IMO. This
> > patch series should be a help for mainly Adolf (might be great if
> > you
> > go for a checkout) but please give it all a try and test it if it
> > reaches the goal.
> > 
> > Best,
> > 
> > Erik
> > 
> > On Thursday, 21.03.2024 at 13:24 +0100, Erik Kapfer wrote:
> > > This process may need to be continued with some of the following
> > > updates to make sure the directives are
> > > included even if the update with these changes has been skipped?!
> > > Otherwise, the "Advanced server options" page
> > > needs to be saved via the WUI to bring OpenVPN to life.
> > > 
> > > Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> > > ---
> > >  config/rootfiles/core/185/update.sh | 11 +++++++++++
> > >  1 file changed, 11 insertions(+)
> > > 
> > > diff --git a/config/rootfiles/core/185/update.sh
> > > b/config/rootfiles/core/185/update.sh
> > > index 2c95c4102..247661481 100644
> > > --- a/config/rootfiles/core/185/update.sh
> > > +++ b/config/rootfiles/core/185/update.sh
> > > @@ -35,6 +35,17 @@ done
> > >  /etc/init.d/ntp stop
> > >  /etc/init.d/squid stop
> > >  
> > > +# OpenVPN add and change new 2.6.x directives for NCP.
> > > +if pgrep openvpn > /dev/null; then
> > > + /usr/local/bin/openvpnctrl -k > /dev/null
> > > + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-
> > > 256-GCM/' /var/ipfire/ovpn/server.conf
> > > + sed -i 's/^cipher/data-ciphers-fallback/'
> > > /var/ipfire/ovpn/server.conf
> > > + /usr/local/bin/openvpnctrl -s > /dev/null
> > > +else
> > > + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-
> > > 256-GCM/' /var/ipfire/ovpn/server.conf
> > > + sed -i 's/^cipher/data-ciphers-fallback/'
> > > /var/ipfire/ovpn/server.conf
> > > +fi
> > > +
> > >  # Extract files
> > >  extract_files
> > >  
> > 
> 



Thread overview: 7+ messages
2024-03-21 12:24 [PATCH 1/4] OpenVPN: Update to version 2.6.9 Erik Kapfer
2024-03-21 12:24 ` [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) Erik Kapfer
2024-03-21 12:24 ` [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitute the deprecated --cipher directive Erik Kapfer
2024-03-21 12:24 ` [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x Erik Kapfer
2024-03-21 12:29   ` ummeegge
2024-03-21 15:14     ` Michael Tremer
2024-03-21 15:50       ` ummeegge
