[PATCH 1/4] OpenVPN: Update to version 2.6.9 .

List overview All Threads
Download

newer

older

[PATCH 1/5] ids-functions.pl:...

OpenVPN cipher negotiation patch...

Erik Kapfer

21 Mar 2024 21 Mar '24

12:24 p.m.

This update enters the 2.6.x series and needs configuration changes since NCP is now a requirement.

Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- config/rootfiles/common/openvpn | 1 - lfs/openvpn | 9 +++++---- 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..91c702bd5 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -15,7 +15,6 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/COPYRIGHT.GPL #usr/share/doc/openvpn/Changes.rst #usr/share/doc/openvpn/README -#usr/share/doc/openvpn/README.IPv6 #usr/share/doc/openvpn/README.auth-pam #usr/share/doc/openvpn/README.down-root #usr/share/doc/openvpn/README.mbedtls diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..7899894be 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@

include Config

-VER = 2.5.9 +VER = 2.6.9

THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_BLAKE2 = e5110ebb9149121c11de45f085f66d30a89fb674ad96c5792d83b16dc29c95215a91e682adb3c800b91ed4d88d6d24b5bcae0799cdb855a284832f0668ffcb82 +$(DL_FILE)_BLAKE2 = 22289b32f2b9afc2aed59f6fc66dc25b3043b8c82858b7857e4f904a25c6cf0f21a41551ed4f8d8869c0e7248e4e060779f760dd606e99cdc02203fbff886536

install : $(TARGET)

@@ -76,7 +76,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-iproute2 \ --enable-plugins \ --enable-plugin-auth-pam \ - --enable-plugin-down-root + --enable-plugin-down-root \ + --disable-dco

cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install

-- 2.43.0

Show replies by date

Erik Kapfer

21 Mar 21 Mar

12:24 p.m.

New subject: [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP) .

- The new directive '--data-ciphers algs' has been introduced for RWs with OpenVPN version 2.5.0. This directive negotiates with the clients the best but also available cipher. The selection for '--data-ciphers algs' is between the GCM family and the new CHACHA20-POLY1305 (all AEAD ciphers). All ciphers can be combined with another or can also be selected separately.

- The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefor '--ncp-disable' has been removed which fixes the deprecation warning in the OpenVPN-2.5.0 server instance.

- A new section in ovpnmain.cgi has been added under the "Advanced server options" where this changes takes affect. Since all crytographic options should step-by-step belong to the "Advanced server options" (like in IPSec) the name of this section "Cryptographic options" is the same as in the "Global Settings".

- New CHACHA-POLY1305 cipher is integrated.

Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 91 ++++++++++++++++++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 4 ++ langs/en/cgi-bin/en.pl | 4 ++ 3 files changed, 97 insertions(+), 2 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..833ce8247 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -80,6 +80,7 @@ my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; my $dhparameter = "/etc/ssl/ffdhe4096.pem"; +my @advcipherchar=();

&General::readhash("${General::swroot}/ethernet/settings", %netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -101,6 +102,7 @@ $cgiparams{'number'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; +$cgiparams{'DATACIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -329,7 +331,12 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; + + # Data channel encryption + # Set seperator ':' for data ciphers + @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/|/:/g); + print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; + print CONF "cipher $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum @@ -811,8 +818,15 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; + $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; my @temp=();

+ # data-ciphers needs at least one cipher + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'}; + goto ADV_ERROR; + } + if ($cgiparams{'FRAGMENT'} eq '') { delete $vpnsettings{'FRAGMENT'}; } else { @@ -2291,7 +2305,12 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Data cipher negotiation + # Set seperator ':' for --data-ciphers algorithms + @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/|/:/g); + print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";

if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2644,6 +2663,7 @@ END %cahash = (); %confighash = (); my $disabled; + my @temp=(); &General::readhash("${General::swroot}/ovpn/settings", %cgiparams); read_routepushfile;

@@ -2652,6 +2672,18 @@ END # $cgiparams{'CLIENT2CLIENT'} = 'on'; # } ADV_ERROR: + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; + } + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + @temp = split('|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + if ($cgiparams{'MAX_CLIENTS'} eq '') { $cgiparams{'MAX_CLIENTS'} = '100'; } @@ -2706,9 +2738,64 @@ ADV_ERROR: &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; + } + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + @temp = split('|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + + if ($cgiparams{'MAX_CLIENTS'} eq '') { + $cgiparams{'MAX_CLIENTS'} = '100'; + } +@@ -2706,9 +2738,45 @@ + &Header::closebox(); + } + &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); + print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>"; + print<<END + <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'> + <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' /> + <table width='100%'> + <tr> + <td style='width:18em'><b>$Lang::tr{'ovpn advanced encryption'}</b></td> + </tr> + </table> + <div class="ADVANCED_ENCRYPTION"> + <table width='100%'> + <thead> + <tr> + <th width="15%"></th> + <th>$Lang::tr{'ovpn data channel'}</th> + </tr> + </thead> + <tbody> + <tr> + <td class='boldbase' width="24%">$Lang::tr{'ovpn data encryption'}</td> + <td class='boldbase'> + <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'> + <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option> + <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option> + <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option> + </select> + </td> + </tr> + </tbody> + </table> + </div> +END +; + print <<END; <form method='post' enctype='multipart/form-data'> <table width='100%' border=0> + <hr> <tr> <td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td> </tr> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index f13bddf4b..7c8287510 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1952,14 +1952,18 @@ 'override mtu' => 'Überschreibe Standard-MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Erweiterte Konfiguration', +'ovpn advanced encryption' => 'Kryptografie Optionen', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', +'ovpn data channel' => 'Daten-Kanal', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', +'ovpn errmsg invalid data cipher input' => 'Die Daten-Kanal Verschlüsselung benötigt mindestens einen Algorithmus', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0113f8811..cfa826245 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2013,14 +2013,18 @@ 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Additional configuration', +'ovpn advanced encryption' => 'Cryptographic options', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn data encryption' => 'Data-Channel encryption', +'ovpn data channel' => 'Data-Channel', 'ovpn device' => 'OpenVPN device:', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', +'ovpn errmsg invalid data cipher input' => 'The data-channel encryption needs at least one cipher', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',

-- 2.43.0

Erik Kapfer

12:24 p.m.

New subject: [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitude the deprecated --cipher directive .

- Since the '--cipher' directive is with OpenVPN version 2.5.0 deprecated and will be handled now via '--data-cipher-fallback' to keep the compatibility with already existing clients until version 2.3.x. The old 'DCIPHER' variable name has been kept and uses also the old setting file but the directive has now be renamed from '--cipher' to '--data-cipher-fallback'. All new clients needs to be at least at OpenVPN version 2.5.0 since the '--cipher' directive will no longer be printed into client.ovpn but uses instead only NCP.

- All old CBC ciphers except the GCM familiy and CHACHA20-POLY1305 (AEAD ciphers), are now included in the '--data-ciphers-fallback' table which is located beneath the data-channel ciphers in a separate table.

- With this patch all ciphers are now located under the "Advanced server options" and no longer under the "Global settings" therefor, tls-auth needed to be rearranged in the "Global settings".

Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 92 +++++++++++++++++++++------------------ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 51 insertions(+), 43 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 833ce8247..49ddae4ce 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -337,7 +337,10 @@ sub writeserverconf { @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/|/:/g); print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";

- print CONF "cipher $sovpnsettings{DCIPHER}\n"; + # The "--cipher" directive has been renamed to "--data-cipher-fallback" + # but uses the old setting files. This should deliver compatibility + # for already existing old clients back to OpenVPN version 2.3.x + print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -819,6 +822,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; + $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; my @temp=();

# data-ciphers needs at least one cipher @@ -1243,7 +1247,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable @@ -2306,6 +2309,12 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; }

+ # !!! With the update to version 2.6.x all new configured clients + # needs to be at least at OpenVPN version >= 2.5.0 cause the cipher + # directive is deprecated and reach his EOL with 2.7.x so only the + # following NCP will be used !!! + #print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + # Data cipher negotiation # Set seperator ':' for --data-ciphers algorithms @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/|/:/g); @@ -2684,6 +2693,26 @@ ADV_ERROR: @temp = split('|', $cgiparams{'DATACIPHERS'}); foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }

+ # Set default for data-cipher-fallback (the old --cipher directive) + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; + } + # All CBC ciphers are now in data-cipher-fallback section + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + if ($cgiparams{'MAX_CLIENTS'} eq '') { $cgiparams{'MAX_CLIENTS'} = '100'; } @@ -2772,6 +2801,7 @@ ADV_ERROR: <tr> <th width="15%"></th> <th>$Lang::tr{'ovpn data channel'}</th> + <th>$Lang::tr{'ovpn data channel fallback'}</th> </tr> </thead> <tbody> @@ -2785,6 +2815,23 @@ ADV_ERROR: <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option> </select> </td> + + <td class='boldbase'> + <select name='DCIPHER' size='6' style='width: 100%'> + <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option> + <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option> + <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option> + <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option> + <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option> + <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option> + <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option> + <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option> + <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option> + </select> + </td> </tr> </tbody> </table> @@ -5250,24 +5297,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';

- $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; @@ -5391,29 +5420,6 @@ END </select> </td>

- <td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td> - <td><select name='DCIPHER'> - <option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option> - <option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option> - <option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option> - <option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option> - <option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option> - <option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option> - <option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option> - <option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option> - <option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - <option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option> - </select> - </td> - </tr> - - <tr><td colspan='4'><br></td></tr> - <tr> <td class='base'>$Lang::tr{'ovpn tls auth'}</td> <td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td> </tr> diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 7c8287510..92bacc0ef 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1959,6 +1959,7 @@ 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', 'ovpn data channel' => 'Daten-Kanal', +'ovpn data channel fallback' => 'Daten-Kanal Fallback', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index cfa826245..2f517e79c 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2020,6 +2020,7 @@ 'ovpn crypt options' => 'Cryptographic options', 'ovpn data encryption' => 'Data-Channel encryption', 'ovpn data channel' => 'Data-Channel', +'ovpn data channel fallback' => 'Data-Channel fallback', 'ovpn device' => 'OpenVPN device:', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine',

-- 2.43.0

Erik Kapfer

12:24 p.m.

New subject: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x .

This process may should be continued with some of the following updates to make sure the directives are included even the update with this changes has over jumped ?! otherwise, the "Advanced server options" page needs to be saved via WUI to bring OpenVPN to life.

Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org --- config/rootfiles/core/185/update.sh | 11 +++++++++++ 1 file changed, 11 insertions(+)

diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh index 2c95c4102..247661481 100644 --- a/config/rootfiles/core/185/update.sh +++ b/config/rootfiles/core/185/update.sh @@ -35,6 +35,17 @@ done /etc/init.d/ntp stop /etc/init.d/squid stop

+# OpenVPN add and change new 2.6.x directives for NCP. +if pgrep openvpn > /dev/null; then + /usr/local/bin/openvpnctrl -k > /dev/null + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-256-GCM/' /var/ipfire/ovpn/server.conf + sed -i 's/^cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf + /usr/local/bin/openvpnctrl -s > /dev/null +else + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-256-GCM/' /var/ipfire/ovpn/server.conf + sed -i 's/^cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf +fi + # Extract files extract_files

-- 2.43.0

ummeegge

12:29 p.m.

New subject: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x .

Hi all, this is a minimal solution of an update to OpenVPN 2.6.x IMO . This patch series should be a help for mainly Adolf (might be great if you go for a checkout) but please give it all a try and test it if it reaches the goal.

Best,

Erik

Am Donnerstag, dem 21.03.2024 um 13:24 +0100 schrieb Erik Kapfer:

...

This process may should be continued with some of the following updates to make sure the directives are included even the update with this changes has over jumped ?! otherwise, the "Advanced server options" page needs to be saved via WUI to bring OpenVPN to life.

Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org

config/rootfiles/core/185/update.sh | 11 +++++++++++ 1 file changed, 11 insertions(+)

diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh index 2c95c4102..247661481 100644 --- a/config/rootfiles/core/185/update.sh +++ b/config/rootfiles/core/185/update.sh @@ -35,6 +35,17 @@ done /etc/init.d/ntp stop /etc/init.d/squid stop +# OpenVPN add and change new 2.6.x directives for NCP. +if pgrep openvpn > /dev/null; then

/usr/local/bin/openvpnctrl -k > /dev/null

sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-

256-GCM/' /var/ipfire/ovpn/server.conf

sed -i 's/^cipher/data-ciphers-fallback/'

/var/ipfire/ovpn/server.conf

/usr/local/bin/openvpnctrl -s > /dev/null

+else

sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-

256-GCM/' /var/ipfire/ovpn/server.conf

sed -i 's/^cipher/data-ciphers-fallback/'

/var/ipfire/ovpn/server.conf +fi

# Extract files extract_files

Michael Tremer

3:14 p.m.

New subject: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x .

Hello Erik,

Thank you for the patchiest, but I have been working this week on implementing this.

You can find more details about this here:

https://www.ipfire.org/docs/roadmap/openvpn-26

I asked Adolf to post the patches that he had and which include parts of your previous work to finally get this over the line. Various people have been working on the OpenVPN code over the years creating an absolute mess. The CGI file is by far the longest we have and very difficult to edit without breaking anything else. So I have started a large refactor (not rewrite) to get it into some state where we can work on things better.

That will be needed to implement the things outlined on the roadmap page. NCP is only one of them.

On that page, you can find my current development branch linked which includes many changes so far, but it is not done, yet.

-Michael

...

On 21 Mar 2024, at 12:29, ummeegge ummeegge@ipfire.org wrote:

Hi all, this is a minimal solution of an update to OpenVPN 2.6.x IMO . This patch series should be a help for mainly Adolf (might be great if you go for a checkout) but please give it all a try and test it if it reaches the goal.

Best,

Erik

Am Donnerstag, dem 21.03.2024 um 13:24 +0100 schrieb Erik Kapfer:

...
This process may should be continued with some of the following updates to make sure the directives are included even the update with this changes has over jumped ?! otherwise, the "Advanced server options" page needs to be saved via WUI to bring OpenVPN to life.

Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org

config/rootfiles/core/185/update.sh | 11 +++++++++++ 1 file changed, 11 insertions(+)

diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh index 2c95c4102..247661481 100644 --- a/config/rootfiles/core/185/update.sh +++ b/config/rootfiles/core/185/update.sh @@ -35,6 +35,17 @@ done /etc/init.d/ntp stop /etc/init.d/squid stop

+# OpenVPN add and change new 2.6.x directives for NCP. +if pgrep openvpn > /dev/null; then

/usr/local/bin/openvpnctrl -k > /dev/null

sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-

256-GCM/' /var/ipfire/ovpn/server.conf

sed -i 's/^cipher/data-ciphers-fallback/'

/var/ipfire/ovpn/server.conf

/usr/local/bin/openvpnctrl -s > /dev/null

+else

sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-

256-GCM/' /var/ipfire/ovpn/server.conf

sed -i 's/^cipher/data-ciphers-fallback/'

/var/ipfire/ovpn/server.conf +fi

# Extract files extract_files

ummeegge

3:50 p.m.

New subject: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x .

Great idea Michael.

Am Donnerstag, dem 21.03.2024 um 15:14 +0000 schrieb Michael Tremer:

...

Hello Erik,

Thank you for the patchiest, but I have been working this week on implementing this.

You can find more details about this here:

https://www.ipfire.org/docs/roadmap/openvpn-26

I asked Adolf to post the patches that he had and which include parts of your previous work to finally get this over the line. Various people have been working on the OpenVPN code over the years creating an absolute mess. The CGI file is by far the longest we have and very difficult to edit without breaking anything else. So I have started a large refactor (not rewrite) to get it into some state where we can work on things better.

That will be needed to implement the things outlined on the roadmap page. NCP is only one of them.

On that page, you can find my current development branch linked which includes many changes so far, but it is not done, yet.

-Michael

...
On 21 Mar 2024, at 12:29, ummeegge ummeegge@ipfire.org wrote:

Hi all, this is a minimal solution of an update to OpenVPN 2.6.x IMO . This patch series should be a help for mainly Adolf (might be great if you go for a checkout) but please give it all a try and test it if it reaches the goal.

Best,

Erik

Am Donnerstag, dem 21.03.2024 um 13:24 +0100 schrieb Erik Kapfer:

...
This process may should be continued with some of the following updates to make sure the directives are included even the update with this changes has over jumped ?! otherwise, the "Advanced server options" page needs to be saved via WUI to bring OpenVPN to life.

Signed-off-by: Erik Kapfer erik.kapfer@ipfire.org

config/rootfiles/core/185/update.sh | 11 +++++++++++ 1 file changed, 11 insertions(+)

diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh index 2c95c4102..247661481 100644 --- a/config/rootfiles/core/185/update.sh +++ b/config/rootfiles/core/185/update.sh @@ -35,6 +35,17 @@ done /etc/init.d/ntp stop /etc/init.d/squid stop +# OpenVPN add and change new 2.6.x directives for NCP. +if pgrep openvpn > /dev/null; then

/usr/local/bin/openvpnctrl -k > /dev/null

sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-

256-GCM/' /var/ipfire/ovpn/server.conf

sed -i 's/^cipher/data-ciphers-fallback/'

/var/ipfire/ovpn/server.conf

/usr/local/bin/openvpnctrl -s > /dev/null

+else

sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-

256-GCM/' /var/ipfire/ovpn/server.conf

sed -i 's/^cipher/data-ciphers-fallback/'

/var/ipfire/ovpn/server.conf +fi

# Extract files extract_files

245

Age (days ago)

245

Last active (days ago)

development@lists.ipfire.org

6 comments

3 participants

tags (0)

participants (3)

Erik Kapfer
Michael Tremer
ummeegge