From: Erik Kapfer <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) .
Date: Thu, 21 Mar 2024 13:24:49 +0100 [thread overview]
Message-ID: <20240321122511.3287692-2-erik.kapfer@ipfire.org> (raw)
In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 10612 bytes --]
- The new directive '--data-ciphers algs' has been introduced for RWs with
OpenVPN version 2.5.0. This directive negotiates with the clients the
best but also available cipher. The selection for '--data-ciphers algs' is
between the GCM family and the new CHACHA20-POLY1305 (all AEAD ciphers). All ciphers
can be combined with another or can also be selected separately.
- The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefor
'--ncp-disable' has been removed which fixes the deprecation warning in
the OpenVPN-2.5.0 server instance.
- A new section in ovpnmain.cgi has been added under the "Advanced server options"
where this changes takes affect. Since all crytographic options should step-by-step
belong to the "Advanced server options" (like in IPSec) the name of this section
"Cryptographic options" is the same as in the "Global Settings".
- New CHACHA-POLY1305 cipher is integrated.
Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 91 ++++++++++++++++++++++++++++++++++++++-
langs/de/cgi-bin/de.pl | 4 ++
langs/en/cgi-bin/en.pl | 4 ++
3 files changed, 97 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d..833ce8247 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -80,6 +80,7 @@ my $col="";
my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
my $dhparameter = "/etc/ssl/ffdhe4096.pem";
+my @advcipherchar=();
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
$cgiparams{'ENABLED'} = 'off';
@@ -101,6 +102,7 @@ $cgiparams{'number'} = '';
$cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";
# Perform crypto and configration test
&pkiconfigcheck;
@@ -329,7 +331,12 @@ sub writeserverconf {
}
print CONF "status-version 1\n";
print CONF "status /var/run/ovpnserver.log 30\n";
- print CONF "ncp-disable\n";
+
+ # Data channel encryption
+ # Set seperator ':' for data ciphers
+ @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+ print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+
print CONF "cipher $sovpnsettings{DCIPHER}\n";
print CONF "auth $sovpnsettings{'DAUTH'}\n";
# Set TLSv2 as minimum
@@ -811,8 +818,15 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
+ $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
my @temp=();
+ # data-ciphers needs at least one cipher
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+ goto ADV_ERROR;
+ }
+
if ($cgiparams{'FRAGMENT'} eq '') {
delete $vpnsettings{'FRAGMENT'};
} else {
@@ -2291,7 +2305,12 @@ else
$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
}
- print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+ # Data cipher negotiation
+ # Set seperator ':' for --data-ciphers algorithms
+ @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+ print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2644,6 +2663,7 @@ END
%cahash = ();
%confighash = ();
my $disabled;
+ my @temp=();
&General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
read_routepushfile;
@@ -2652,6 +2672,18 @@ END
# $cgiparams{'CLIENT2CLIENT'} = 'on';
# }
ADV_ERROR:
+
+ # Set default data channel ciphers
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM';
+ }
+ $checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+ $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+ @temp = split('\|', $cgiparams{'DATACIPHERS'});
+ foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
if ($cgiparams{'MAX_CLIENTS'} eq '') {
$cgiparams{'MAX_CLIENTS'} = '100';
}
@@ -2706,9 +2738,64 @@ ADV_ERROR:
&Header::closebox();
}
&Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
+
+ # Set default data channel ciphers
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM';
+ }
+ $checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+ $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+ @temp = split('\|', $cgiparams{'DATACIPHERS'});
+ foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+ if ($cgiparams{'MAX_CLIENTS'} eq '') {
+ $cgiparams{'MAX_CLIENTS'} = '100';
+ }
+@@ -2706,9 +2738,45 @@
+ &Header::closebox();
+ }
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
+ print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+ print<<END
+ <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+ <table width='100%'>
+ <tr>
+ <td style='width:18em'><b>$Lang::tr{'ovpn advanced encryption'}</b></td>
+ </tr>
+ </table>
+ <div class="ADVANCED_ENCRYPTION">
+ <table width='100%'>
+ <thead>
+ <tr>
+ <th width="15%"></th>
+ <th>$Lang::tr{'ovpn data channel'}</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td class='boldbase' width="24%">$Lang::tr{'ovpn data encryption'}</td>
+ <td class='boldbase'>
+ <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+ <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+ <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+ <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+ <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+ </select>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </div>
+END
+;
+
print <<END;
<form method='post' enctype='multipart/form-data'>
<table width='100%' border=0>
+ <hr>
<tr>
<td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
</tr>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index f13bddf4b..7c8287510 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1952,14 +1952,18 @@
'override mtu' => 'Überschreibe Standard-MTU',
'ovpn' => 'OpenVPN',
'ovpn add conf' => 'Erweiterte Konfiguration',
+'ovpn advanced encryption' => 'Kryptografie Optionen',
'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
'ovpn config' => 'OVPN-Konfiguration',
'ovpn connection name' => 'Verbindungs-Name',
'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel' => 'Daten-Kanal',
'ovpn device' => 'OpenVPN-Gerät',
'ovpn dl' => 'OVPN-Konfiguration downloaden',
'ovpn engines' => 'Krypto Engine',
'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
+'ovpn errmsg invalid data cipher input' => 'Die Daten-Kanal Verschlüsselung benötigt mindestens einen Algorithmus',
'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 0113f8811..cfa826245 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2013,14 +2013,18 @@
'override mtu' => 'Override default MTU',
'ovpn' => 'OpenVPN',
'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Cryptographic options',
'ovpn con stat' => 'OpenVPN Connection Statistics',
'ovpn config' => 'OVPN-Config',
'ovpn connection name' => 'Connection Name',
'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel' => 'Data-Channel',
'ovpn device' => 'OpenVPN device:',
'ovpn dl' => 'OVPN-Config Download',
'ovpn engines' => 'Crypto engine',
'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data-channel encryption needs at least one cipher',
'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',
--
2.43.0
next prev parent reply other threads:[~2024-03-21 12:24 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-21 12:24 [PATCH 1/4] OpenVPN: Update to version 2.6.9 Erik Kapfer
2024-03-21 12:24 ` Erik Kapfer [this message]
2024-03-21 12:24 ` [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitude the deprecated --cipher directive Erik Kapfer
2024-03-21 12:24 ` [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x Erik Kapfer
2024-03-21 12:29 ` ummeegge
2024-03-21 15:14 ` Michael Tremer
2024-03-21 15:50 ` ummeegge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240321122511.3287692-2-erik.kapfer@ipfire.org \
--to=erik.kapfer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox