[PATCH 1/3] OpenVPN: Introduce advanced encryption section

3 Dec 2020

- The whole crypto section has been outsorted from the global section to
an extra page.
- Since --cipher is deprecated and will be handled via
--data-cipher-fallback, the VAR name and the index has been kept but
renamed from --cipher to --data-cipher-fallback. Old default AES-256-CBC
has also been kept.
- The new directive --data-ciphers has been introduced for RWs which negotiates
now between the GCM family and the new CHACHA20-POLY1305. All ciphers
can be combined.
- The new directive --data-ciphers substitutes --ncp-disable, there
--ncp-disable has been removed which fixes the deprecation warning in
the updated OpenVPN-2.5.0.
- While client generation the client version can be set which enables, if
client is >=2.5.0 a full cipher negotiation. Existing clients can also
subsequently be enhanced via edit.
- The new ciphers and HMACs as been completely integrated into N2N
environment without further modification.
Code for update process via update.sh needs to be integrated:
/usr/local/bin/openvpnctrl -k > /dev/null
if grep -q 'cipher' /var/ipfire/ovpn/server.conf; then
sed -i 's/cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf
fi
/usr/local/bin/openvpnctrl -s > /dev/null
Signed-off-by: ummeegge erik.kapfer@ipfire.org
---
 html/cgi-bin/ovpnmain.cgi | 330 ++++++++++++++++++++++++++++----------
 langs/de/cgi-bin/de.pl    |  11 +-
 langs/en/cgi-bin/en.pl    |  11 +-
 3 files changed, 269 insertions(+), 83 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 68a70d147..fc4c6193a 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -75,6 +75,7 @@ my $name;
 my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my @advcipherchar=();
&General::readhash("${General::swroot}/ethernet/settings", %netsettings);
 $cgiparams{'ENABLED'} = 'off';
@@ -98,6 +99,7 @@ $cgiparams{'number'} = '';
 $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -325,8 +327,16 @@ sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
-    print CONF "ncp-disable\n";
-    print CONF "cipher $sovpnsettings{DCIPHER}\n";
+	print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
+
+	# Data channel encryption
+	# Set seperator for data ciphers
+	@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/|/:/g);
+	# Add also algorithm from --cipher directive
+	if ($sovpnsettings{'DATACIPHERS'} ne '') {
+		print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+	}
+
    print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
@@ -911,6 +921,28 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
     &writeserverconf();#hier ok
 }
+###
+### Save Advanced encryption
+###
+
+if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+	&General::readhash("${General::swroot}/ovpn/settings", %vpnsettings);
+
+	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
+	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
+
+	# --data-ciphers needs at least one cipher
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+		goto ADV_ENC_ERROR;
+	}
+
+	&General::writehash("${General::swroot}/ovpn/settings", %vpnsettings);
+	&writeserverconf();
+}
+
+### End Save advanced encryption
+
 ###
 # m.a.d net2net
 ###
@@ -982,10 +1014,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print SERVERCONF "# Cipher\n"; 
   print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
-  # If GCM cipher is used, do not use --auth
+  # If AEAD cipher is used, do not use --auth
   if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
       ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
-      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
     print SERVERCONF unless "# HMAC algorithm\n";
     print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
@@ -1087,10 +1120,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
   print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
-  # If GCM cipher is used, do not use --auth
+  # If AEAD cipher is used, do not use --auth
   if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
       ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
-      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
     print CLIENTCONF unless "# HMAC algorithm\n";
     print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
@@ -1214,7 +1248,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
     $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
     $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 #wrtie enable
@@ -2344,7 +2377,15 @@ else
    $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
    $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";    
     }
-    print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+	# Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0
+	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/|/:/g);
+		print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+	} else {
+		print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
+	}
+
    print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2859,7 +2900,169 @@ END
     &Header::closebigbox();
     &Header::closepage();
     exit(0);
-	
+
+###
+### Advanced encryption settings
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) {
+	%cgiparams = ();
+	%confighash = ();
+	my @temp=();
+	my $disabled;
+	&General::readhash("${General::swroot}/ovpn/settings", %cgiparams);
+
+	my $key = $cgiparams{'KEY'};
+	if (! $key) {
+		$key = &General::findhasharraykey (%confighash);
+		foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
+	}
+	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+
+ADV_ENC_ERROR:
+
+	# Set default for data-cipher-fallback (the old --cipher directive)
+	if ($cgiparams{'DCIPHER'} eq '') {
+		$cgiparams{'DCIPHER'} =  'AES-256-CBC'; #[40]
+	}
+	$checked{'DCIPHER'}{'AES-256-CBC'} = '';
+	$checked{'DCIPHER'}{'AES-192-CBC'} = '';
+	$checked{'DCIPHER'}{'AES-128-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
+	$checked{'DCIPHER'}{'SEED-CBC'} = '';
+	$checked{'DCIPHER'}{'DES-EDE3-CBC'} = '';
+	$checked{'DCIPHER'}{'DESX-CBC'} = '';
+	$checked{'DCIPHER'}{'DES-EDE-CBC'} = '';
+	$checked{'DCIPHER'}{'BF-CBC'} = '';
+	$checked{'DCIPHER'}{'CAST5-CBC'} = '';
+	@temp = split('|', $cgiparams{'DCIPHER'});
+	foreach my $key (@temp) {$checked{'DCIPHER'}{$key} = "selected='selected'"; }
+
+	# Set default data channel ciphers
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42];
+	}
+	$checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+	$checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+	@temp = split('|', $cgiparams{'DATACIPHERS'});
+	foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+	# Save settings and display default if not configured
+	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
+		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+	} else {
+		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
+		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+	}
+
+ADV_ENC_ERROR:
+
+	&Header::showhttpheaders();
+	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+	&Header::openbigbox('100%', 'left', '', $errormessage);
+	if ($errormessage) {
+		&Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+		print "<class name='base'>$errormessage";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+	if ($warnmessage) {
+		&Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
+		print "<class name='base'>$warnmessage";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+	print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+	&Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced encryption'}:");
+	print<<END
+
+	<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+	<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+
+	<table width='100%'>
+		<thead>
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn data channel'}</th>
+				<th>$Lang::tr{'ovpn data channel fallback'}</th>
+			</tr>
+		</thead>
+		<tbody>
+			<tr>
+				<td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td>
+				<td class='boldbase'>
+					<select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+						<option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+						<option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+					</select>
+				</td>
+
+				<td class='boldbase'>
+					<select name='DCIPHER' size='6' style='width: 100%'>
+						<option value='AES-256-CBC' $checked{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option>
+						<option value='AES-192-CBC' $checked{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option>
+						<option value='AES-128-CBC' $checked{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option>
+						<option value='CAMELLIA-256-CBC' $checked{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='CAMELLIA-192-CBC' $checked{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option>
+						<option value='CAMELLIA-128-CBC' $checked{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='SEED-CBC' $checked{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option>
+						<option value='DES-EDE3-CBC' $checked{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='DESX-CBC' $checked{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='DES-EDE-CBC' $checked{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='BF-CBC' $checked{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='CAST5-CBC' $checked{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+					</select>
+				</td>
+			</tr>
+		</tbody>
+	</table>
+	<hr>
+END
+;
+	if ( -e "/var/run/openvpn.pid") {
+		print"  <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>$Lang::tr{'server restart'}<br><br><hr>";
+		print<<END;
+			<table width='100%'>
+				<tr>
+					<td>&nbsp;</td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' disabled='disabled' /></td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+					<td>&nbsp;</td>
+				</tr>
+			</table>
+		</form>
+END
+;
+
+	} else {
+		print<<END;
+			<table width='100%'>
+				<tr>
+					<td>&nbsp;</td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' /></td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+					<td>&nbsp;</td>
+				</tr>
+			</table>
+		</form>
+END
+;
+
+	}
+
+	&Header::closebox();
+	&Header::closebigbox();
+	&Header::closepage();
+	exit(0);
+
+### END advanced encryption
# A.Marx CCD   Add,delete or edit CCD net
@@ -3595,6 +3798,8 @@ if ($confighash{$cgiparams{'KEY'}}) {
    	$cgiparams{'DAUTH'}		= $confighash{$cgiparams{'KEY'}}[39];
    	$cgiparams{'DCIPHER'}		= $confighash{$cgiparams{'KEY'}}[40];
    	$cgiparams{'TLSAUTH'}		= $confighash{$cgiparams{'KEY'}}[41];
+		# Index from [39] to [44] has been reserved by advanced encryption
+		$cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
    } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
    $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
    
@@ -4338,6 +4543,8 @@ if ($cgiparams{'TYPE'} eq 'net') {
    if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
    	$confighash{$key}[41] = "no-pass";
    }
+	# Index from [39] to [44] has been reserved by advanced encryption
+	$confighash{$key}[45]         = $cgiparams{'CLIENTVERSION'};
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash);
    
@@ -4508,28 +4715,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
     $checked{'MSSFIX'}{'on'} = '';
     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    # If no cipher has been chossen yet, select
-    # the old default (AES-256-CBC) for compatiblity reasons.
-    if ($cgiparams{'DCIPHER'} eq '') {
-	$cgiparams{'DCIPHER'} = 'AES-256-CBC';
-    }
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
     $selected{'DAUTH'}{'whirlpool'} = '';
     $selected{'DAUTH'}{'SHA512'} = '';
     $selected{'DAUTH'}{'SHA384'} = '';
@@ -4595,11 +4780,12 @@ if ($cgiparams{'TYPE'} eq 'net') {
    	print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
        }
-		# If GCM ciphers are in usage, HMAC menu is disabled
+		# If AEAD ciphers are in usage, HMAC menu is disabled
    	my $hmacdisabled;
    	if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
    		($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
-			($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+			($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') ||
+			($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) {
    			$hmacdisabled = "disabled='disabled'";
    	};
@@ -4673,9 +4859,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
    	<td><select name='DCIPHER'  id="n2ncipher" required>
-				<option value='AES-256-GCM'		$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-GCM'		$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-GCM'		$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
+				<option value='ChaCha20-Poly1305'	$selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option>
+				<option value='AES-256-GCM'			$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+				<option value='AES-192-GCM'			$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+				<option value='AES-128-GCM'			$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
    			<option value='CAMELLIA-256-CBC'	$selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
    			<option value='CAMELLIA-192-CBC'	$selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
    			<option value='CAMELLIA-128-CBC'	$selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
@@ -4693,10 +4880,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
    	<td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
-				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+				<option value='BLAKE2b512'		$selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+				<option value='BLAKE2s256'		$selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+				<option value='SHA3-512'		$selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+				<option value='SHA3-384'		$selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+				<option value='SHA3-256'		$selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option>
    			<option value='SHA512'			$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
    			<option value='SHA384'			$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
    			<option value='SHA256'			$selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
+				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
    			<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
    		</select>
    	</td>
@@ -4713,7 +4905,7 @@ print<<END;
    <script>
    	var disable_options = false;
    	document.getElementById('n2ncipher').onchange = function () {
-			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) {
    			document.getElementById('n2nhmac').setAttribute('disabled', true);
    		} else {
    			document.getElementById('n2nhmac').removeAttribute('disabled');
@@ -4749,6 +4941,7 @@ if ($cgiparams{'TYPE'} eq 'host') {
        print"</td></tr></table><br><br>";
    	my $name=$cgiparams{'CHECK1'};
    	$checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
+		$checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
    	
    if (! -z "${General::swroot}/ovpn/ccd.conf"){	
    	print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
@@ -4884,7 +5077,13 @@ if ($cgiparams{'TYPE'} eq 'host') {
    
    print <<END;
    <table border='0' width='100%'>
-	<tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+
+	<tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+	<tr>
+		<td width='30%'>$Lang::tr{'ovpn client version 25 cipher negotiation'}:</td>
+		<td colspan='3'><input type='checkbox' name='CLIENTVERSION' $checked{'CLIENTVERSION'}{'on'} />
+		<font color='red'>&nbsp;$Lang::tr{'ovpn client version 25 warning'}</font></td>
+	</tr>
    <tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
    <tr><td colspan='4'>&nbsp</td></tr>
    <tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
@@ -5061,9 +5260,6 @@ END
     }
#default setzen
-    if ($cgiparams{'DCIPHER'} eq '') {
-		$cgiparams{'DCIPHER'} =  'AES-256-CBC';
-    }
     if ($cgiparams{'DDEST_PORT'} eq '') {
    	$cgiparams{'DDEST_PORT'} =  '1194';
     }
@@ -5105,24 +5301,6 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
-
     $selected{'DAUTH'}{'whirlpool'} = '';
     $selected{'DAUTH'}{'SHA512'} = '';
     $selected{'DAUTH'}{'SHA384'} = '';
@@ -5138,6 +5316,13 @@ END
     $checked{'DCOMPLZO'}{'on'} = '';
     $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
+	if ($cgiparams{'CLIENTVERSION'} = '' ) {
+		$cgiparams{'CLIENTVERSION'} = 'off';
+	}
+	$checked{'CLIENTVERSION'}{'off'} = '';
+	$checked{'CLIENTVERSION'}{'on'} = '';
+	$checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
+
 # m.a.d
     $checked{'MSSFIX'}{'off'} = '';
     $checked{'MSSFIX'}{'on'} = '';
@@ -5245,26 +5430,6 @@ END
    			<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
    		</select>
    	</td>
-
-		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
-		<td><select name='DCIPHER'>
-				<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
    </tr>
<tr><td colspan='4'><br></td></tr>
@@ -5280,12 +5445,14 @@ END
     if ( $srunning eq "yes" ) {
    print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
    print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
-	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";	
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
    print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
     } else{
    print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
    print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
    print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
    if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
         -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
         -e "${General::swroot}/ovpn/certs/servercert.pem" &&
@@ -5818,3 +5985,4 @@ END
&Header::closepage();
+
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 2fb46e741..614f8a16c 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1901,10 +1901,17 @@
 'override mtu' => 'Überschreibe Standard-MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Erweiterte Konfiguration',
+'ovpn advanced encryption' => 'Erweiterte Kryptografie Einstellung',
+'ovpn client version 25 cipher negotiation' => 'Verschlüsselung aushandeln',
+'ovpn client version 25 warning' => 'Erst ab Client Version 2.5.0 verfügbar',
 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation',
+'ovpn data channel' => 'Daten-Kanal',
+'ovpn data channel fallback' => 'Daten-Kanal Fallback',
 'ovpn device' => 'OpenVPN-Gerät',
 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
@@ -1913,6 +1920,7 @@
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
+'ovpn errmsg invalid data cipher input' => 'Der Daten-Kanal benötigt mindestens einen Algorithmus',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
 'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
@@ -2163,6 +2171,7 @@
 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden',
 'save settings' => 'Einstellungen speichern',
 'save-adv-options' => 'Erweiterte Optionen speichern',
+'save-enc-options' => 'Kryptografie Optionen speichern',
 'script name' => 'Skriptname:',
 'search' => 'Suchen',
 'secondary dns' => 'Sekundärer DNS-Server:',
@@ -2853,7 +2862,7 @@
 'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.',
 'vpn wait' => 'WARTE',
 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
-'vpn weak' => 'schwach',
+'vpn weak' => 'Unsicher',
 'vulnerability' => 'Verwundbarkeit',
 'vulnerable' => 'Verwundbar',
 'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index b5284effa..714d7c81e 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1933,10 +1933,17 @@
 'override mtu' => 'Override default MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Advanced encryption settings',
+'ovpn client version 25 cipher negotiation' => 'Negotiate encryption',
+'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher',
 'ovpn con stat' => 'OpenVPN Connection Statistics',
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel authentication' => 'Data and channel authentication',
+'ovpn data channel' => 'Data-Channel',
+'ovpn data channel fallback' => 'Data-Channel fallback',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dh' => 'Diffie-Hellman parameters length',
 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
@@ -1945,6 +1952,7 @@
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
@@ -2196,6 +2204,7 @@
 'save error' => 'Unable to save configuration archive file',
 'save settings' => 'Save settings',
 'save-adv-options' => 'Save advanced options',
+'save-enc-options' => 'Save encryption options',
 'script name' => 'Script name:',
 'search' => 'Search',
 'secondary dns' => 'Secondary DNS:',
@@ -2897,7 +2906,7 @@
 'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.',
 'vpn wait' => 'WAITING',
 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
-'vpn weak' => 'Weak',
+'vpn weak' => 'Insecure',
 'vulnerability' => 'Vulnerability',
 'vulnerable' => 'Vulnerable',
 'waiting to synchronize clock' => 'Waiting to synchronize clock',
-- 
2.20.1


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

[PATCH 1/3] OpenVPN: Introduce advanced encryption section