This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via c79cbc15941fb4f950fbb7aad6c98fd1344bf348 (commit)
via f5b2d0a14a5e109948bc0d024ffcba63cffcab48 (commit)
from d6d058a56b0ccb6cb96e06aedf66d19648ad58ec (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit c79cbc15941fb4f950fbb7aad6c98fd1344bf348
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 9 11:36:46 2018 +0100
core120: Update OepnVPN configurations for PMTU changes
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit f5b2d0a14a5e109948bc0d024ffcba63cffcab48
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Apr 9 11:32:07 2018 +0100
OpenVPN: Drop Path MTU discovery settings
These have to be dropped since the entire system does not
support Path MTU discovery any more. This should not have
any disadvantage on any tunnels since PMTU didn't really
work in the first place.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/120/update.sh | 12 +++++
html/cgi-bin/ovpnmain.cgi | 101 ------------------------------------
2 files changed, 12 insertions(+), 101 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/120/update.sh b/config/rootfiles/core/120/update.sh
index 0744f3a7f..e4ee15b52 100644
--- a/config/rootfiles/core/120/update.sh
+++ b/config/rootfiles/core/120/update.sh
@@ -58,6 +58,9 @@ if [ -e /var/ipfire/ovpn/server.conf ]; then
sed -i -e 's/script-security 3 system/script-security 3/' \
-e '/status .*/ a ncp-disable' /var/ipfire/ovpn/server.conf
+ # Disable Path MTU discovery settings
+ sed -e "/^mtu-disc/d" -i /var/ipfire/ovpn/server.conf
+
# Update the OpenVPN CRL
openssl ca -gencrl -keyfile /var/ipfire/ovpn/ca/cakey.pem \
-cert /var/ipfire/ovpn/ca/cacert.pem \
@@ -67,6 +70,15 @@ if [ -e /var/ipfire/ovpn/server.conf ]; then
/usr/local/bin/openvpnctrl -s
fi
+# Update OpenVPN N2N configurations
+/usr/local/bin/openvpnctrl -kn2n
+
+for file in /var/ipfire/ovpn/n2nconf/*/*.conf; do
+ sed -e "/^mtu-disc/d" -i ${file}
+done
+
+/usr/local/bin/openvpnctrl -sn2n
+
# Start services
/etc/init.d/apache restart
/etc/init.d/unbound restart
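Review bot: In the added N2N loop, `${file}` is passed to sed unquoted and the glob is never checked for a match, so a path containing whitespace or glob characters is word-split, and on a system with no N2N connections sed receives the literal `/var/ipfire/ovpn/n2nconf/*/*.conf` and fails. The directory and file names are built from `$cgiparams{'NAME'}` in ovpnmain.cgi (visible in the hunk headers further down), and whether that value is restricted to safe characters cannot be seen from this diff, so a root-run update script should not depend on it. I would make `[ -e "${file}" ] || continue` the first line of the loop body and write the edit as `sed -e "/^mtu-disc/d" -i "${file}"`. The `openvpnctrl -kn2n` / `-sn2n` pair also appears to stop and start every N2N tunnel even when no file contained an `mtu-disc` line; a one-line comment saying this is intended would help.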
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index ff3d05509..94e723ba2 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -92,7 +92,6 @@ $cgiparams{'ROUTES_PUSH'} = '';
$cgiparams{'DCOMPLZO'} = 'off';
$cgiparams{'MSSFIX'} = '';
$cgiparams{'number'} = '';
-$cgiparams{'PMTU_DISCOVERY'} = '';
$cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
@@ -234,10 +233,6 @@ sub writeserverconf {
{ print CONF "tun-mtu 1500\n"; }
elsif ($sovpnsettings{'FRAGMENT'} ne '' && $sovpnsettings{'DPROTOCOL'} ne 'tcp')
{ print CONF "tun-mtu 1500\n"; }
- elsif (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' ))
- { print CONF "tun-mtu 1500\n"; }
else
{ print CONF "tun-mtu $sovpnsettings{'DMTU'}\n"; }
@@ -277,13 +272,6 @@ sub writeserverconf {
print CONF "fragment $sovpnsettings{'FRAGMENT'}\n";
}
- # Check if a valid operating mode has been choosen and use it.
- if (($sovpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($sovpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($sovpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
- print CONF "mtu-disc $sovpnsettings{'PMTU_DISCOVERY'}\n";
- }
-
if ($sovpnsettings{KEEPALIVE_1} > 0 && $sovpnsettings{KEEPALIVE_2} > 0) {
print CONF "keepalive $sovpnsettings{'KEEPALIVE_1'} $sovpnsettings{'KEEPALIVE_2'}\n";
}
@@ -755,7 +743,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
- $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'};
$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
my @temp=();
@@ -777,16 +764,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
}
- if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
-
- if (($cgiparams{'MSSFIX'} eq 'on') || ($cgiparams{'FRAGMENT'} ne '')) {
- $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
- goto ADV_ERROR;
- }
- }
-
if ($cgiparams{'DHCP_DOMAIN'} ne ''){
unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
$errormessage = $Lang::tr{'invalid input for dhcp domain'};
@@ -952,16 +929,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
if ($cgiparams{'MSSFIX'} eq 'on') {print SERVERCONF "mssfix\n"; };
}
- # Check if a valid operating mode has been choosen and use it.
- if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
- if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) {
- if($cgiparams{'MTU'} eq '1500') {
- print SERVERCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n";
- }
- }
- }
print SERVERCONF "# Auth. Server\n";
print SERVERCONF "tls-server\n";
print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";
@@ -1058,16 +1025,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
if ($cgiparams{'MSSFIX'} eq 'on') {print CLIENTCONF "mssfix\n"; };
}
- # Check if a valid operating mode has been choosen and use it.
- if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) {
- if(($cgiparams{'MSSFIX'} ne 'on') || ($cgiparams{'FRAGMENT'} eq '')) {
- if ($cgiparams{'MTU'} eq '1500') {
- print CLIENTCONF "mtu-disc $cgiparams{'PMTU_DISCOVERY'}\n";
- }
- }
- }
# Check host certificate if X509 is RFC3280 compliant.
# If not, old --ns-cert-type directive will be used.
# If appropriate key usage extension exists, new --remote-cert-tls directive will be used.
@@ -2279,10 +2236,6 @@ else
{ print CLIENTCONF "tun-mtu 1500\r\n"; }
elsif ($vpnsettings{MSSFIX} eq 'on')
{ print CLIENTCONF "tun-mtu 1500\r\n"; }
- elsif (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' ))
- { print CLIENTCONF "tun-mtu 1500\r\n"; }
else
{ print CLIENTCONF "tun-mtu $vpnsettings{'DMTU'}\r\n"; }
@@ -2382,15 +2335,6 @@ else
print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
}
- # Check if a valid operating mode has been choosen and use it.
- if (($vpnsettings{'PMTU_DISCOVERY'} eq 'yes') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'maybe') ||
- ($vpnsettings{'PMTU_DISCOVERY'} eq 'no' )) {
- if(($vpnsettings{MSSFIX} ne 'on') || ($vpnsettings{FRAGMENT} eq '')) {
- print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n";
- }
- }
-
if ($include_certs) {
print CLIENTCONF "\r\n";
@@ -2668,9 +2612,6 @@ ADV_ERROR:
if ($cgiparams{'LOG_VERB'} eq '') {
$cgiparams{'LOG_VERB'} = '3';
}
- if ($cgiparams{'PMTU_DISCOVERY'} eq '') {
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
- }
if ($cgiparams{'DAUTH'} eq '') {
$cgiparams{'DAUTH'} = 'SHA512';
}
@@ -2689,7 +2630,6 @@ ADV_ERROR:
$checked{'MSSFIX'}{'off'} = '';
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
$selected{'LOG_VERB'}{'0'} = '';
$selected{'LOG_VERB'}{'1'} = '';
$selected{'LOG_VERB'}{'2'} = '';
@@ -2812,14 +2752,6 @@ print <<END;
<td><input type='TEXT' name='KEEPALIVE_1' value='$cgiparams{'KEEPALIVE_1'}' size='10' /></td>
<td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
</tr>
-
- <tr>
- <td class='base'>$Lang::tr{'ovpn mtu-disc'}</td>
- <td><input type='radio' name='PMTU_DISCOVERY' value='yes' $checked{'PMTU_DISCOVERY'}{'yes'} /> $Lang::tr{'ovpn mtu-disc yes'}</td>
- <td><input type='radio' name='PMTU_DISCOVERY' value='maybe' $checked{'PMTU_DISCOVERY'}{'maybe'} /> $Lang::tr{'ovpn mtu-disc maybe'}</td>
- <td><input type='radio' name='PMTU_DISCOVERY' value='no' $checked{'PMTU_DISCOVERY'}{'no'} /> $Lang::tr{'ovpn mtu-disc no'}</td>
- <td><input type='radio' name='PMTU_DISCOVERY' value='off' $checked{'PMTU_DISCOVERY'}{'off'} /> $Lang::tr{'ovpn mtu-disc off'}</td>
- </tr>
</table>
<hr size='1'>
@@ -3650,7 +3582,6 @@ if ($confighash{$cgiparams{'KEY'}}) {
$cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35];
$cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36];
$cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37];
- $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38];
$cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39];
$cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40];
$cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41];
@@ -3919,22 +3850,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
goto VPNCONF_ERROR;
}
- if ($cgiparams{'PMTU_DISCOVERY'} ne 'off') {
- if (($cgiparams{'FRAGMENT'} ne '') || ($cgiparams{'MSSFIX'} eq 'on')) {
- $errormessage = $Lang::tr{'ovpn mtu-disc with mssfix or fragment'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- goto VPNCONF_ERROR;
- }
- }
-
- if (($cgiparams{'PMTU_DISCOVERY'} ne 'off') && ($cgiparams{'MTU'} ne '1500')) {
- $errormessage = $Lang::tr{'ovpn mtu-disc and mtu not 1500'};
- unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
- rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!";
- goto VPNCONF_ERROR;
- }
-
if ( &validdotmask ($cgiparams{'LOCAL_SUBNET'})) {
$errormessage = $Lang::tr{'openvpn prefix local subnet'};
unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!";
@@ -4378,7 +4293,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
$confighash{$key}[35] = $cgiparams{'CCD_DNS1'};
$confighash{$key}[36] = $cgiparams{'CCD_DNS2'};
$confighash{$key}[37] = $cgiparams{'CCD_WINS'};
- $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'};
$confighash{$key}[39] = $cgiparams{'DAUTH'};
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
@@ -4494,7 +4408,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
###
$cgiparams{'MSSFIX'} = 'on';
$cgiparams{'FRAGMENT'} = '1300';
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
$cgiparams{'DAUTH'} = 'SHA512';
###
# m.a.d n2n end
@@ -4556,11 +4469,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
$checked{'MSSFIX'}{'on'} = '';
$checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
- if ($cgiparams{'PMTU_DISCOVERY'} eq '') {
- $cgiparams{'PMTU_DISCOVERY'} = 'off';
- }
- $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\'';
-
$selected{'DCIPHER'}{'AES-256-GCM'} = '';
$selected{'DCIPHER'}{'AES-192-GCM'} = '';
$selected{'DCIPHER'}{'AES-128-GCM'} = '';
@@ -4721,15 +4629,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
<td><input type='checkbox' name='COMPLZO' $checked{'COMPLZO'}{'on'} /></td>
</tr>
- <tr><td class='boldbase' nowrap='nowrap'>$Lang::tr{'ovpn mtu-disc'}</td>
- <td colspan='3'>
- <input type='radio' name='PMTU_DISCOVERY' value='yes' $checked{'PMTU_DISCOVERY'}{'yes'} /> $Lang::tr{'ovpn mtu-disc yes'}
- <input type='radio' name='PMTU_DISCOVERY' value='maybe' $checked{'PMTU_DISCOVERY'}{'maybe'} /> $Lang::tr{'ovpn mtu-disc maybe'}
- <input type='radio' name='PMTU_DISCOVERY' value='no' $checked{'PMTU_DISCOVERY'}{'no'} /> $Lang::tr{'ovpn mtu-disc no'}
- <input type='radio' name='PMTU_DISCOVERY' value='off' $checked{'PMTU_DISCOVERY'}{'off'} /> $Lang::tr{'ovpn mtu-disc off'}
- </td>
- </tr>
-
<tr><td colspan=4><hr /></td></tr><tr>
<tr>
<td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
hooks/post-receive
--
IPFire 2.x development tree