- The new directive '--data-ciphers algs' has been introduced for RWs with OpenVPN version 2.5.0. This directive negotiates with the clients the best but also available cipher. The selection for '--data-ciphers algs' is between the GCM family and the new CHACHA20-POLY1305 (all AEAD ciphers). All ciphers can be combined with another or can also be selected separately.
- The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefor '--ncp-disable' has been removed which fixes the deprecation warning in the OpenVPN-2.5.0 server instance.
- A new section in ovpnmain.cgi has been added under the "Advanced server options" where this changes takes affect. Since all crytographic options should step-by-step belong to the "Advanced server options" (like in IPSec) the name of this section "Cryptographic options" is the same as in the "Global Settings".
- New CHACHA-POLY1305 cipher is integrated.
Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 91 ++++++++++++++++++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 4 ++ langs/en/cgi-bin/en.pl | 4 ++ 3 files changed, 97 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..833ce8247 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -80,6 +80,7 @@ my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; my $dhparameter = "/etc/ssl/ffdhe4096.pem"; +my @advcipherchar=();
&General::readhash("${General::swroot}/ethernet/settings", %netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -101,6 +102,7 @@ $cgiparams{'number'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; +$cgiparams{'DATACIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -329,7 +331,12 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; + + # Data channel encryption + # Set seperator ':' for data ciphers + @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/|/:/g); + print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; + print CONF "cipher $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum @@ -811,8 +818,15 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; + $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; my @temp=();
+ # data-ciphers needs at least one cipher + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'}; + goto ADV_ERROR; + } + if ($cgiparams{'FRAGMENT'} eq '') { delete $vpnsettings{'FRAGMENT'}; } else { @@ -2291,7 +2305,12 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Data cipher negotiation + # Set seperator ':' for --data-ciphers algorithms + @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/|/:/g); + print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2644,6 +2663,7 @@ END %cahash = (); %confighash = (); my $disabled; + my @temp=(); &General::readhash("${General::swroot}/ovpn/settings", %cgiparams); read_routepushfile;
@@ -2652,6 +2672,18 @@ END # $cgiparams{'CLIENT2CLIENT'} = 'on'; # } ADV_ERROR: + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; + } + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + @temp = split('|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + if ($cgiparams{'MAX_CLIENTS'} eq '') { $cgiparams{'MAX_CLIENTS'} = '100'; } @@ -2706,9 +2738,64 @@ ADV_ERROR: &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; + } + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + @temp = split('|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + + if ($cgiparams{'MAX_CLIENTS'} eq '') { + $cgiparams{'MAX_CLIENTS'} = '100'; + } +@@ -2706,9 +2738,45 @@ + &Header::closebox(); + } + &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); + print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; + print<<END + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + <table width='100%'> + <tr> + <td style='width:18em'><b>$Lang::tr{'ovpn advanced encryption'}</b></td> + </tr> + </table> + <div class="ADVANCED_ENCRYPTION"> + <table width='100%'> + <thead> + <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn data channel'}</th> + </tr> + </thead> + <tbody> + <tr> + <td class='boldbase' width="24%">$Lang::tr{'ovpn data encryption'}</td> + <td class='boldbase'> + <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'> + <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option> + <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option> + </select> + </td> + </tr> + </tbody> + </table> + </div> +END +; + print <<END; <form method='post' enctype='multipart/form-data'> <table width='100%' border=0> + <hr> <tr> <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td> </tr> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index f13bddf4b..7c8287510 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1952,14 +1952,18 @@ 'override mtu' => 'Überschreibe Standard-MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Erweiterte Konfiguration', +'ovpn advanced encryption' => 'Kryptografie Optionen', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', +'ovpn data channel' => 'Daten-Kanal', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', +'ovpn errmsg invalid data cipher input' => 'Die Daten-Kanal Verschlüsselung benötigt mindestens einen Algorithmus', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0113f8811..cfa826245 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2013,14 +2013,18 @@ 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Additional configuration', +'ovpn advanced encryption' => 'Cryptographic options', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn data encryption' => 'Data-Channel encryption', +'ovpn data channel' => 'Data-Channel', 'ovpn device' => 'OpenVPN device:', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', +'ovpn errmsg invalid data cipher input' => 'The data-channel encryption needs at least one cipher', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',