Re: IPFire 2.29 - Core Update 197 is available for testing

Re: IPFire 2.29 - Core Update 197 is available for testing

[Adolf Belka]

Hi All,

Have found a little issue. Not sure if it is critical or not.

My existing connections on OpenVPN are working fine and the network topology has been changed in most places but not in the ccd files.

I have a connection called ipfiretesting which before the upgrade had 10.110.30.5 and 10.110.30.6.

After the upgrade to 197 if I edit the entry it shows that it is using 10.110.30.6

However if I look in /var/ipfire/ovpn/ccd/ipfiretesting it still has the line

ifconfig-push 10.110.26.6 10.110.26.5

If I then create a new client connection then all the ccd files get updated and ipfiretesting now contains

ifconfig-push 10.110.30.6 255.255.255.0

So if a user upgrades but doesn't create a new client connection all the ccd files will stay with the old format. Not sure what this would or wouldn't do for the connection but I think after the upgrade it would be good to update all the ccd files but not sure how to make that happen.

Regards,

Adolf.

On 11/08/2025 11:28, IPFire Project wrote:
> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
> ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌
> 
> 
>   IPFire_
> 
> 
>   IPFire 2.29 - Core Update 197 is available for testing
> 
> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
> 
> Read The Full Post On Our Blog <https://www.ipfire.org/blog/ipfire-2-29-core-update-197-is-available-for-testing?utm_medium=email&utm_source=blog-announcement>
> 
> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 45711 Datteln, Germany
> 
> Unsubscribe <https://www.ipfire.org/unsubscribe>
> 

Re: IPFire 2.29 - Core Update 197 is available for testing

[Adolf Belka]

Hi All,

Further testing feedback of OpenVPN-2.6

I tested out the existing client connections to my android phone and my linux laptop.

Both connections connected. Ping worked on the laptop but not on the android. Accessing the IPFire WUI via the openvpn rw tunnel worked for both android and laptop.

I then created new client connections.

The linux laptop connection worked without any issues.

The android client did not want to work with the .ovpn file with the certificates built in. It said that it had obtained the required info from inline but the connection failed within a couple of lines in the log, so some problem.

I then removed the inline certificate lines from the .ovpn file and used the .p12 and ta.key files, adding the appropriate lines into the .ovpn file to reference them.

The connection worked without any problem. In addition the ping now worked with this android connection.

Regards,

Adolf.


On 11/08/2025 16:01, Adolf Belka wrote:
> Hi All,
> 
> Have found a little issue. Not sure if it is critical or not.
> 
> My existing connections on OpenVPN are working fine and the network topology has been changed in most places but not in the ccd files.
> 
> I have a connection called ipfiretesting which before the upgrade had 10.110.30.5 and 10.110.30.6.
> 
> After the upgrade to 197 if I edit the entry it shows that it is using 10.110.30.6
> 
> However if I look in /var/ipfire/ovpn/ccd/ipfiretesting it still has the line
> 
> ifconfig-push 10.110.26.6 10.110.26.5
> 
> If I then create a new client connection then all the ccd files get updated and ipfiretesting now contains
> 
> ifconfig-push 10.110.30.6 255.255.255.0
> 
> So if a user upgrades but doesn't create a new client connection all the ccd files will stay with the old format. Not sure what this would or wouldn't do for the connection but I think after the upgrade it would be good to update all the ccd files but not sure how to make that happen.
> 
> Regards,
> 
> Adolf.
> 
> On 11/08/2025 11:28, IPFire Project wrote:
>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>> ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌
>>
>>
>>   IPFire_
>>
>>
>>   IPFire 2.29 - Core Update 197 is available for testing
>>
>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>
>> Read The Full Post On Our Blog <https://www.ipfire.org/blog/ipfire-2-29-core-update-197-is-available-for-testing?utm_medium=email&utm_source=blog-announcement>
>>
>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 45711 Datteln, Germany
>>
>> Unsubscribe <https://www.ipfire.org/unsubscribe>
>>
> 

Re: IPFire 2.29 - Core Update 197 is available for testing

[Peer Dietzmann]

Hi All, hi Adolf,

I am experiencing a similar issue as you. But first I would like to say 
that I find it very very (!) sad that the openvpn WUI does not have any 
separation of the subnets anymore! This feature was very helpful and 
clean. Now all certificates are mixed together, and it's not that easy 
anymore to see which client is in which network! It would be very nice, 
if this feature could be brought back to IPFire! Especially for setups 
with multiple subnets this separation was helpful!

But now to the connection issues:

The new CU seems to push a wrong gateway. I have several subnets running 
my dynamic pool is 10.22.0.0/24, the first subnet uses 10.22.1.0/24, an 
two other subnets are using 10.22.2.0/24. All clients that aren't in the 
dynamic pool have static IPs.

Which the CU 196 a client in 10.22.2.0/24 gets the following routes:

2025-08-11 21:04:44 net_addr_ptp_v4_add: 10.22.2.2 peer 10.22.2.1 dev tun0
2025-08-11 21:04:44 net_route_v4_add: 10.22.0.1/32 via 10.22.2.1 dev 
[NULL] table 0 metric -1
2025-08-11 21:04:44 net_route_v4_add: 10.99.0.0/24 via 10.22.2.1 dev 
[NULL] table 0 metric -1

This is all correct an works, but with the new CU 197 the following 
route is pushed:

2025-08-11 20:53:23 net_addr_v4_add: 10.22.2.2/24 dev tun0
2025-08-11 20:53:23 net_route_v4_add: 10.99.0.0/24 via 10.22.0.1 dev 
[NULL] table 0 metric -1
2025-08-11 20:53:23 sitnl_send: rtnl: generic error (-101): Network is 
unreachable
2025-08-11 20:53:23 ERROR: Linux route add command failed

Obvioulsy this can't work.

Best regards,
Peer

On 11/08/2025 16:51, Adolf Belka wrote:
> Hi All,
>
> Further testing feedback of OpenVPN-2.6
>
> I tested out the existing client connections to my android phone and 
> my linux laptop.
>
> Both connections connected. Ping worked on the laptop but not on the 
> android. Accessing the IPFire WUI via the openvpn rw tunnel worked for 
> both android and laptop.
>
> I then created new client connections.
>
> The linux laptop connection worked without any issues.
>
> The android client did not want to work with the .ovpn file with the 
> certificates built in. It said that it had obtained the required info 
> from inline but the connection failed within a couple of lines in the 
> log, so some problem.
>
> I then removed the inline certificate lines from the .ovpn file and 
> used the .p12 and ta.key files, adding the appropriate lines into the 
> .ovpn file to reference them.
>
> The connection worked without any problem. In addition the ping now 
> worked with this android connection.
>
> Regards,
>
> Adolf.
>
>
> On 11/08/2025 16:01, Adolf Belka wrote:
>> Hi All,
>>
>> Have found a little issue. Not sure if it is critical or not.
>>
>> My existing connections on OpenVPN are working fine and the network 
>> topology has been changed in most places but not in the ccd files.
>>
>> I have a connection called ipfiretesting which before the upgrade had 
>> 10.110.30.5 and 10.110.30.6.
>>
>> After the upgrade to 197 if I edit the entry it shows that it is 
>> using 10.110.30.6
>>
>> However if I look in /var/ipfire/ovpn/ccd/ipfiretesting it still has 
>> the line
>>
>> ifconfig-push 10.110.26.6 10.110.26.5
>>
>> If I then create a new client connection then all the ccd files get 
>> updated and ipfiretesting now contains
>>
>> ifconfig-push 10.110.30.6 255.255.255.0
>>
>> So if a user upgrades but doesn't create a new client connection all 
>> the ccd files will stay with the old format. Not sure what this would 
>> or wouldn't do for the connection but I think after the upgrade it 
>> would be good to update all the ccd files but not sure how to make 
>> that happen.
>>
>> Regards,
>>
>> Adolf.
>>
>> On 11/08/2025 11:28, IPFire Project wrote:
>>> **IPFire 2.29 – Core Update 197** is now available for testing. This 
>>> release introduces a significant overhaul of OpenVPN, upgrading to 
>>> version 2.6 with improved security, broader client compatibility, 
>>> and a modernised codebase — all without requiring changes to 
>>> existing configurations. System performance has also been optimised 
>>> to allow the CPU to remain in power-saving states more often, 
>>> reducing energy consumption. As with every release, this update 
>>> includes a large number of package updates to ensure your system 
>>> remains secure and reliable.
>>> ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌
>>>
>>>
>>>   IPFire_
>>>
>>>
>>>   IPFire 2.29 - Core Update 197 is available for testing
>>>
>>> **IPFire 2.29 – Core Update 197** is now available for testing. This 
>>> release introduces a significant overhaul of OpenVPN, upgrading to 
>>> version 2.6 with improved security, broader client compatibility, 
>>> and a modernised codebase — all without requiring changes to 
>>> existing configurations. System performance has also been optimised 
>>> to allow the CPU to remain in power-saving states more often, 
>>> reducing energy consumption. As with every release, this update 
>>> includes a large number of package updates to ensure your system 
>>> remains secure and reliable.
>>>
>>> Read The Full Post On Our Blog 
>>> <https://www.ipfire.org/blog/ipfire-2-29-core-update-197-is-available-for-testing?utm_medium=email&utm_source=blog-announcement>
>>>
>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 
>>> 45711 Datteln, Germany
>>>
>>> Unsubscribe <https://www.ipfire.org/unsubscribe>
>>>
>>
>
>
-- 
Mit freundlichem Gruß
Peer Dietzmann

Brecht-IT  | Administration und Support

Brecht-Schule Hamburg GmbH
Norderstrasse 163-165 | 20097 Hamburg
Tel.: +49 40 21 11 12 - 37 | Fax: +49 40 21 11 12 - 20
E-Mail: dietzmann@brecht-schule.hamburg | www.brecht-schule.hamburg

Diese Email enthält ggfs. vertrauliche und/oder rechtlich geschützte Informationen.
Wenn Sie nicht der richtige Adressat sind oder diese Email irrtümlich erhalten haben, informieren Sie bitte sofort den Absender und vernichten Sie diese Email.
Das unerlaubte Kopieren sowie die unbefugte Weitergabe dieser Email ist nicht gestattet.

Re: IPFire 2.29 - Core Update 197 is available for testing

[Adolf Belka]

Hi All,

On 11/08/2025 16:51, Adolf Belka wrote:
> Hi All,
> 
> Further testing feedback of OpenVPN-2.6
> 
> I tested out the existing client connections to my android phone and my linux laptop.
> 
> Both connections connected. Ping worked on the laptop but not on the android. Accessing the IPFire WUI via the openvpn rw tunnel worked for both android and laptop.
> 
> I then created new client connections.
> 
> The linux laptop connection worked without any issues.
> 
> The android client did not want to work with the .ovpn file with the certificates built in. It said that it had obtained the required info from inline but the connection failed within a couple of lines in the log, so some problem.
> 
> I then removed the inline certificate lines from the .ovpn file and used the .p12 and ta.key files, adding the appropriate lines into the .ovpn file to reference them.
> 
> The connection worked without any problem. In addition the ping now worked with this android connection.
> 
> Regards,
> 
> Adolf.
> 
> 
> On 11/08/2025 16:01, Adolf Belka wrote:
>> Hi All,
>>
>> Have found a little issue. Not sure if it is critical or not.
>>
>> My existing connections on OpenVPN are working fine and the network topology has been changed in most places but not in the ccd files.
>>
>> I have a connection called ipfiretesting which before the upgrade had 10.110.30.5 and 10.110.30.6.
>>
>> After the upgrade to 197 if I edit the entry it shows that it is using 10.110.30.6
>>
>> However if I look in /var/ipfire/ovpn/ccd/ipfiretesting it still has the line
>>
>> ifconfig-push 10.110.26.6 10.110.26.5
>>
>> If I then create a new client connection then all the ccd files get updated and ipfiretesting now contains
>>
>> ifconfig-push 10.110.30.6 255.255.255.0
>>
>> So if a user upgrades but doesn't create a new client connection all the ccd files will stay with the old format. Not sure what this would or wouldn't do for the connection but I think after the upgrade it would be good to update all the ccd files but not sure how to make that happen.

I can confirm that the recent commits on ovpnmain.cgi have resolved the issue of the ccd files not being updated during the update.

I also noted that backup.pl was modified to do the same thing. I had not thought about testing an old backup yet. It seems obvious but it just hadn't come to my mind.

However with this backup.pl commit it triggered me to test out doing a restore from CU106 into CU197 and I can confirm that the ccd settings are updated as are the client connection .ovpn contents.

I can also confirm that my CU196 client connection that was restored and updated to the CU197 openvpn-2.6 settings connected successfully.

So this issue that I reported can be considered fixed.

Regards,

Adolf.


>>
>> Regards,
>>
>> Adolf.
>>
>> On 11/08/2025 11:28, IPFire Project wrote:
>>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>> ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌
>>>
>>>
>>>   IPFire_
>>>
>>>
>>>   IPFire 2.29 - Core Update 197 is available for testing
>>>
>>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>>
>>> Read The Full Post On Our Blog <https://www.ipfire.org/blog/ipfire-2-29-core-update-197-is-available-for-testing?utm_medium=email&utm_source=blog-announcement>
>>>
>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 45711 Datteln, Germany
>>>
>>> Unsubscribe <https://www.ipfire.org/unsubscribe>
>>>
>>
> 

Re: IPFire 2.29 - Core Update 197 is available for testing

[Michael Tremer]

Very good!

Is it correct to assume that we have no more outstanding issues regarding the OpenVPN changes in this update, or did I overlook anything?

Best,
-Michael

> On 14 Aug 2025, at 20:00, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Hi All,
> 
> On 11/08/2025 16:51, Adolf Belka wrote:
>> Hi All,
>> Further testing feedback of OpenVPN-2.6
>> I tested out the existing client connections to my android phone and my linux laptop.
>> Both connections connected. Ping worked on the laptop but not on the android. Accessing the IPFire WUI via the openvpn rw tunnel worked for both android and laptop.
>> I then created new client connections.
>> The linux laptop connection worked without any issues.
>> The android client did not want to work with the .ovpn file with the certificates built in. It said that it had obtained the required info from inline but the connection failed within a couple of lines in the log, so some problem.
>> I then removed the inline certificate lines from the .ovpn file and used the .p12 and ta.key files, adding the appropriate lines into the .ovpn file to reference them.
>> The connection worked without any problem. In addition the ping now worked with this android connection.
>> Regards,
>> Adolf.
>> On 11/08/2025 16:01, Adolf Belka wrote:
>>> Hi All,
>>> 
>>> Have found a little issue. Not sure if it is critical or not.
>>> 
>>> My existing connections on OpenVPN are working fine and the network topology has been changed in most places but not in the ccd files.
>>> 
>>> I have a connection called ipfiretesting which before the upgrade had 10.110.30.5 and 10.110.30.6.
>>> 
>>> After the upgrade to 197 if I edit the entry it shows that it is using 10.110.30.6
>>> 
>>> However if I look in /var/ipfire/ovpn/ccd/ipfiretesting it still has the line
>>> 
>>> ifconfig-push 10.110.26.6 10.110.26.5
>>> 
>>> If I then create a new client connection then all the ccd files get updated and ipfiretesting now contains
>>> 
>>> ifconfig-push 10.110.30.6 255.255.255.0
>>> 
>>> So if a user upgrades but doesn't create a new client connection all the ccd files will stay with the old format. Not sure what this would or wouldn't do for the connection but I think after the upgrade it would be good to update all the ccd files but not sure how to make that happen.
> 
> I can confirm that the recent commits on ovpnmain.cgi have resolved the issue of the ccd files not being updated during the update.
> 
> I also noted that backup.pl was modified to do the same thing. I had not thought about testing an old backup yet. It seems obvious but it just hadn't come to my mind.
> 
> However with this backup.pl commit it triggered me to test out doing a restore from CU106 into CU197 and I can confirm that the ccd settings are updated as are the client connection .ovpn contents.
> 
> I can also confirm that my CU196 client connection that was restored and updated to the CU197 openvpn-2.6 settings connected successfully.
> 
> So this issue that I reported can be considered fixed.
> 
> Regards,
> 
> Adolf.
> 
> 
>>> 
>>> Regards,
>>> 
>>> Adolf.
>>> 
>>> On 11/08/2025 11:28, IPFire Project wrote:
>>>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>>> ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌
>>>> 
>>>> 
>>>>   IPFire_
>>>> 
>>>> 
>>>>   IPFire 2.29 - Core Update 197 is available for testing
>>>> 
>>>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>>> 
>>>> Read The Full Post On Our Blog <https://www.ipfire.org/blog/ipfire-2-29-core-update-197-is-available-for-testing?utm_medium=email&utm_source=blog-announcement>
>>>> 
>>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 45711 Datteln, Germany
>>>> 
>>>> Unsubscribe <https://www.ipfire.org/unsubscribe>

Re: IPFire 2.29 - Core Update 197 is available for testing

[Adolf Belka]

Hi Michael,

On 19/08/2025 17:11, Michael Tremer wrote:
> Very good!
> 
> Is it correct to assume that we have no more outstanding issues regarding the OpenVPN changes in this update, or did I overlook anything?

I am afraid there is still something open. It was raised as a bug by a user on the forum and I confirmed it. I added you to the copy list but you might have missed it with your internet connection issues.

https://bugzilla.ipfire.org/show_bug.cgi?id=13869

If you go to the advanced settings page and change something and save it and then later on go back to the advanced settings page then it does not show the change that was made but in the /var/ipfire/ovpn/settings file it has the changed settings.

So for example if I go into the advanced settings page and check the checkbox for TLS Channel Protection and set the hash algorithm to SHA1 (160 bit, Weak) and then press the save advanced settings button then in the settings file it has

TLSAUTH=on
DAUTH=SHA1

but if I now go back to the advanced settings page it shows TLS Channel Protection checkbox unchecked and the hash algorithm as Whirlpool (512 bit).

My quick checks show that selections made in the Ciphers settings mssfix checkbox, port and some others are remembered as the selections that were made but at least the hash algorithm, TLS Channel Protection checkbox and the Fallback Cipher, all go back to showing their original settings - Whirlpool, unchecked and Disabled but the settings will will have the settings for all three of those entries as they were made.


Regards,

Adolf.

> 
> Best,
> -Michael
> 
>> On 14 Aug 2025, at 20:00, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Hi All,
>>
>> On 11/08/2025 16:51, Adolf Belka wrote:
>>> Hi All,
>>> Further testing feedback of OpenVPN-2.6
>>> I tested out the existing client connections to my android phone and my linux laptop.
>>> Both connections connected. Ping worked on the laptop but not on the android. Accessing the IPFire WUI via the openvpn rw tunnel worked for both android and laptop.
>>> I then created new client connections.
>>> The linux laptop connection worked without any issues.
>>> The android client did not want to work with the .ovpn file with the certificates built in. It said that it had obtained the required info from inline but the connection failed within a couple of lines in the log, so some problem.
>>> I then removed the inline certificate lines from the .ovpn file and used the .p12 and ta.key files, adding the appropriate lines into the .ovpn file to reference them.
>>> The connection worked without any problem. In addition the ping now worked with this android connection.
>>> Regards,
>>> Adolf.
>>> On 11/08/2025 16:01, Adolf Belka wrote:
>>>> Hi All,
>>>>
>>>> Have found a little issue. Not sure if it is critical or not.
>>>>
>>>> My existing connections on OpenVPN are working fine and the network topology has been changed in most places but not in the ccd files.
>>>>
>>>> I have a connection called ipfiretesting which before the upgrade had 10.110.30.5 and 10.110.30.6.
>>>>
>>>> After the upgrade to 197 if I edit the entry it shows that it is using 10.110.30.6
>>>>
>>>> However if I look in /var/ipfire/ovpn/ccd/ipfiretesting it still has the line
>>>>
>>>> ifconfig-push 10.110.26.6 10.110.26.5
>>>>
>>>> If I then create a new client connection then all the ccd files get updated and ipfiretesting now contains
>>>>
>>>> ifconfig-push 10.110.30.6 255.255.255.0
>>>>
>>>> So if a user upgrades but doesn't create a new client connection all the ccd files will stay with the old format. Not sure what this would or wouldn't do for the connection but I think after the upgrade it would be good to update all the ccd files but not sure how to make that happen.
>>
>> I can confirm that the recent commits on ovpnmain.cgi have resolved the issue of the ccd files not being updated during the update.
>>
>> I also noted that backup.pl was modified to do the same thing. I had not thought about testing an old backup yet. It seems obvious but it just hadn't come to my mind.
>>
>> However with this backup.pl commit it triggered me to test out doing a restore from CU106 into CU197 and I can confirm that the ccd settings are updated as are the client connection .ovpn contents.
>>
>> I can also confirm that my CU196 client connection that was restored and updated to the CU197 openvpn-2.6 settings connected successfully.
>>
>> So this issue that I reported can be considered fixed.
>>
>> Regards,
>>
>> Adolf.
>>
>>
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>> On 11/08/2025 11:28, IPFire Project wrote:
>>>>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>>>> ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌
>>>>>
>>>>>
>>>>>    IPFire_
>>>>>
>>>>>
>>>>>    IPFire 2.29 - Core Update 197 is available for testing
>>>>>
>>>>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>>>>
>>>>> Read The Full Post On Our Blog <https://www.ipfire.org/blog/ipfire-2-29-core-update-197-is-available-for-testing?utm_medium=email&utm_source=blog-announcement>
>>>>>
>>>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 45711 Datteln, Germany
>>>>>
>>>>> Unsubscribe <https://www.ipfire.org/unsubscribe>
> 
> 
> 

[PATCH] ovpnmain.cgi: Apply default settings when neccessary

[Stefan Schantl]

Only apply the default settings in case nothing has been configured yet,
otherwise existing settings may get overwritten.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 83f9fdc02..a2f95dc9a 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -132,7 +132,7 @@ my $col="";
 	"MAX_CLIENTS"  => 100,
 	"MSSFIX"       => "off",
 	"TLSAUTH"      => "on",
-});
+}) unless (%vpnsettings);
 
 # Load CGI parameters
 &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
-- 
2.47.2

Re: IPFire 2.29 - Core Update 197 is available for testing

[Adolf Belka]

Hi Michael,

On 19/08/2025 17:56, Adolf Belka wrote:
> Hi Michael,
> 
> On 19/08/2025 17:11, Michael Tremer wrote:
>> Very good!
>>
>> Is it correct to assume that we have no more outstanding issues regarding the OpenVPN changes in this update, or did I overlook anything?
> 
> I am afraid there is still something open. It was raised as a bug by a user on the forum and I confirmed it. I added you to the copy list but you might have missed it with your internet connection issues.
> 
> https://bugzilla.ipfire.org/show_bug.cgi?id=13869
> 
> If you go to the advanced settings page and change something and save it and then later on go back to the advanced settings page then it does not show the change that was made but in the /var/ipfire/ovpn/settings file it has the changed settings.
> 
> So for example if I go into the advanced settings page and check the checkbox for TLS Channel Protection and set the hash algorithm to SHA1 (160 bit, Weak) and then press the save advanced settings button then in the settings file it has
> 
> TLSAUTH=on
> DAUTH=SHA1
> 
> but if I now go back to the advanced settings page it shows TLS Channel Protection checkbox unchecked and the hash algorithm as Whirlpool (512 bit).
> 
> My quick checks show that selections made in the Ciphers settings mssfix checkbox, port and some others are remembered as the selections that were made but at least the hash algorithm, TLS Channel Protection checkbox and the Fallback Cipher, all go back to showing their original settings - Whirlpool, unchecked and Disabled but the settings will will have the settings for all three of those entries as they were made.

I have submitted a patch to fix this. Tested successfully on my vm testbed system.

https://patchwork.ipfire.org/project/ipfire/list/?series=5102

Regards,

Adolf.

> 
> 
> Regards,
> 
> Adolf.
> 
>>
>> Best,
>> -Michael
>>
>>> On 14 Aug 2025, at 20:00, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>
>>> Hi All,
>>>
>>> On 11/08/2025 16:51, Adolf Belka wrote:
>>>> Hi All,
>>>> Further testing feedback of OpenVPN-2.6
>>>> I tested out the existing client connections to my android phone and my linux laptop.
>>>> Both connections connected. Ping worked on the laptop but not on the android. Accessing the IPFire WUI via the openvpn rw tunnel worked for both android and laptop.
>>>> I then created new client connections.
>>>> The linux laptop connection worked without any issues.
>>>> The android client did not want to work with the .ovpn file with the certificates built in. It said that it had obtained the required info from inline but the connection failed within a couple of lines in the log, so some problem.
>>>> I then removed the inline certificate lines from the .ovpn file and used the .p12 and ta.key files, adding the appropriate lines into the .ovpn file to reference them.
>>>> The connection worked without any problem. In addition the ping now worked with this android connection.
>>>> Regards,
>>>> Adolf.
>>>> On 11/08/2025 16:01, Adolf Belka wrote:
>>>>> Hi All,
>>>>>
>>>>> Have found a little issue. Not sure if it is critical or not.
>>>>>
>>>>> My existing connections on OpenVPN are working fine and the network topology has been changed in most places but not in the ccd files.
>>>>>
>>>>> I have a connection called ipfiretesting which before the upgrade had 10.110.30.5 and 10.110.30.6.
>>>>>
>>>>> After the upgrade to 197 if I edit the entry it shows that it is using 10.110.30.6
>>>>>
>>>>> However if I look in /var/ipfire/ovpn/ccd/ipfiretesting it still has the line
>>>>>
>>>>> ifconfig-push 10.110.26.6 10.110.26.5
>>>>>
>>>>> If I then create a new client connection then all the ccd files get updated and ipfiretesting now contains
>>>>>
>>>>> ifconfig-push 10.110.30.6 255.255.255.0
>>>>>
>>>>> So if a user upgrades but doesn't create a new client connection all the ccd files will stay with the old format. Not sure what this would or wouldn't do for the connection but I think after the upgrade it would be good to update all the ccd files but not sure how to make that happen.
>>>
>>> I can confirm that the recent commits on ovpnmain.cgi have resolved the issue of the ccd files not being updated during the update.
>>>
>>> I also noted that backup.pl was modified to do the same thing. I had not thought about testing an old backup yet. It seems obvious but it just hadn't come to my mind.
>>>
>>> However with this backup.pl commit it triggered me to test out doing a restore from CU106 into CU197 and I can confirm that the ccd settings are updated as are the client connection .ovpn contents.
>>>
>>> I can also confirm that my CU196 client connection that was restored and updated to the CU197 openvpn-2.6 settings connected successfully.
>>>
>>> So this issue that I reported can be considered fixed.
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Adolf.
>>>>>
>>>>> On 11/08/2025 11:28, IPFire Project wrote:
>>>>>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>>>>> ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌
>>>>>>
>>>>>>
>>>>>>    IPFire_
>>>>>>
>>>>>>
>>>>>>    IPFire 2.29 - Core Update 197 is available for testing
>>>>>>
>>>>>> **IPFire 2.29 – Core Update 197** is now available for testing. This release introduces a significant overhaul of OpenVPN, upgrading to version 2.6 with improved security, broader client compatibility, and a modernised codebase — all without requiring changes to existing configurations. System performance has also been optimised to allow the CPU to remain in power-saving states more often, reducing energy consumption. As with every release, this update includes a large number of package updates to ensure your system remains secure and reliable.
>>>>>>
>>>>>> Read The Full Post On Our Blog <https://www.ipfire.org/blog/ipfire-2-29-core-update-197-is-available-for-testing?utm_medium=email&utm_source=blog-announcement>
>>>>>>
>>>>>> The IPFire Project, c/o Lightning Wire Labs GmbH, Gerhardstraße 8, 45711 Datteln, Germany
>>>>>>
>>>>>> Unsubscribe <https://www.ipfire.org/unsubscribe>
>>
>>
>>
>