[PATCH] OpenVPN: Added needed directive for v2.4 update

[PATCH] OpenVPN: Added needed directive for v2.4 update

[Erik Kapfer]

[-- Attachment #1: Type: text/plain, Size: 1412 bytes --]

script-security: The support for the 'system' flag has been removed due to security implications
    with shell expansions when executing scripts via system() call.
    For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .

ncp-disable: Negotiable crypto parameters has been disabled for the first.

Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 0a18ec7..a7daf89 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -216,7 +216,7 @@ sub writeserverconf {
     print CONF "dev tun\n";
     print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
     print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
-    print CONF "script-security 3 system\n";
+    print CONF "script-security 3\n";
     print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n";
     print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
     print CONF "tls-server\n";
@@ -289,6 +289,7 @@ sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
+    print CONF "ncp-disable\n";
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
     if ($sovpnsettings{'DAUTH'} eq '') {
         print CONF "";
-- 
2.7.4

Re: [PATCH] OpenVPN: Added needed directive for v2.4 update

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1641 bytes --]

Hi,

this looks good. I will merge this soon.

How do we convert existing configuration files?

-Michael

On Thu, 2018-02-15 at 05:43 +0100, Erik Kapfer wrote:
> script-security: The support for the 'system' flag has been removed due to
> security implications
>     with shell expansions when executing scripts via system() call.
>     For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn2
> 4ManPage .
> 
> ncp-disable: Negotiable crypto parameters has been disabled for the first.
> 
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
>  html/cgi-bin/ovpnmain.cgi | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
> index 0a18ec7..a7daf89 100644
> --- a/html/cgi-bin/ovpnmain.cgi
> +++ b/html/cgi-bin/ovpnmain.cgi
> @@ -216,7 +216,7 @@ sub writeserverconf {
>      print CONF "dev tun\n";
>      print CONF "proto $sovpnsettings{'DPROTOCOL'}\n";
>      print CONF "port $sovpnsettings{'DDEST_PORT'}\n";
> -    print CONF "script-security 3 system\n";
> +    print CONF "script-security 3\n";
>      print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db
> 3600\n";
>      print CONF "client-config-dir /var/ipfire/ovpn/ccd\n";
>      print CONF "tls-server\n";
> @@ -289,6 +289,7 @@ sub writeserverconf {
>      }	
>      print CONF "status-version 1\n";
>      print CONF "status /var/run/ovpnserver.log 30\n";
> +    print CONF "ncp-disable\n";
>      print CONF "cipher $sovpnsettings{DCIPHER}\n";
>      if ($sovpnsettings{'DAUTH'} eq '') {
>          print CONF "";

Re: [PATCH] OpenVPN: Added needed directive for v2.4 update

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 1198 bytes --]

Hi Michael,


Am Donnerstag, den 15.02.2018, 10:40 +0000 schrieb Michael Tremer:
> Hi,
> 
> this looks good. I will merge this soon.
> 
> How do we convert existing configuration files?

i would do it like this:

#!/bin/bash

# Changed and new OpenVPN-2.4 directives will wrote to server.conf and renew CRL while update an core update
if [ -e /var/ipfire/ovpn/server.conf ]; then
	if pgrep openvpn >/dev/null; then
		openvpnctrl -k
		sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
		openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf
		openvpnctrl -s
	else
		sed -i -e 's/script-security 3 system/script-security 3/' -e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
		openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config /var/ipfire/ovpn/openssl/ovpn.cnf
        fi
fi

# EOF


which includes also an update of the CRL to stay save also in that
manner


Best,

Erik

Re: [PATCH] OpenVPN: Added needed directive for v2.4 update

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1395 bytes --]

Hi,

okay, that's fine. I will add this to the update script of that core update
then.

-Michael

On Thu, 2018-02-15 at 11:56 +0100, ummeegge wrote:
> Hi Michael,
> 
> 
> Am Donnerstag, den 15.02.2018, 10:40 +0000 schrieb Michael Tremer:
> > Hi,
> > 
> > this looks good. I will merge this soon.
> > 
> > How do we convert existing configuration files?
> 
> i would do it like this:
> 
> #!/bin/bash
> 
> # Changed and new OpenVPN-2.4 directives will wrote to server.conf and renew
> CRL while update an core update
> if [ -e /var/ipfire/ovpn/server.conf ]; then
> 	if pgrep openvpn >/dev/null; then
> 		openvpnctrl -k
> 		sed -i -e 's/script-security 3 system/script-security 3/' -e
> '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> 		openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert
> /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config
> /var/ipfire/ovpn/openssl/ovpn.cnf
> 		openvpnctrl -s
> 	else
> 		sed -i -e 's/script-security 3 system/script-security 3/' -e
> '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> 		openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem -cert
> /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem -config
> /var/ipfire/ovpn/openssl/ovpn.cnf
>         fi
> fi
> 
> # EOF
> 
> 
> which includes also an update of the CRL to stay save also in that
> manner
> 
> 
> Best,
> 
> Erik

Re: [PATCH] OpenVPN: Added needed directive for v2.4 update

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 1688 bytes --]

Am Donnerstag, den 15.02.2018, 11:00 +0000 schrieb Michael Tremer:
> Hi,
> 
> okay, that's fine. I will add this to the update script of that core
> update
> then.

Great thanks. I think we should be then OpenVPN-2.4 ready for the
first...

> 
> -Michael
> 
> On Thu, 2018-02-15 at 11:56 +0100, ummeegge wrote:
> > 
> > Hi Michael,
> > 
> > 
> > Am Donnerstag, den 15.02.2018, 10:40 +0000 schrieb Michael Tremer:
> > > 
> > > Hi,
> > > 
> > > this looks good. I will merge this soon.
> > > 
> > > How do we convert existing configuration files?
> > i would do it like this:
> > 
> > #!/bin/bash
> > 
> > # Changed and new OpenVPN-2.4 directives will wrote to server.conf
> > and renew
> > CRL while update an core update
> > if [ -e /var/ipfire/ovpn/server.conf ]; then
> > 	if pgrep openvpn >/dev/null; then
> > 		openvpnctrl -k
> > 		sed -i -e 's/script-security 3 system/script-security
> > 3/' -e
> > '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> > 		openssl ca -gencrl -keyfile
> > /var/ipfire/ovpn/ca/cakey.pem -cert
> > /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem
> > -config
> > /var/ipfire/ovpn/openssl/ovpn.cnf
> > 		openvpnctrl -s
> > 	else
> > 		sed -i -e 's/script-security 3 system/script-security
> > 3/' -e
> > '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
> > 		openssl ca -gencrl -keyfile
> > /var/ipfire/ovpn/ca/cakey.pem -cert
> > /var/ipfire/ovpn/ca/cacert.pem -out /var/ipfire/ovpn/crls/cacrl.pem
> > -config
> > /var/ipfire/ovpn/openssl/ovpn.cnf
> >         fi
> > fi
> > 
> > # EOF
> > 
> > 
> > which includes also an update of the CRL to stay save also in that
> > manner
> > 
> > 
> > Best,
> > 
> > Erik