From mboxrd@z Thu Jan 1 00:00:00 1970 
From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 27ecea56ce242adc0f3b471ed2868dc3ea246874 Date: Mon, 12 May 2014 12:55:50 +0200 Message-ID: <20140512105551.46F84208F4@argus.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0224945611354078861==" List-Id: --===============0224945611354078861== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 27ecea56ce242adc0f3b471ed2868dc3ea246874 (commit) via c6d9cb76ab5a1ce0ac152765c929f61b68361d87 (commit) via 661cd276b68c274ecfee7cdf3bd6c7204dc56572 (commit) via b2e75449a98f19e47b8aaf7623a6299749b21de6 (commit) via b9e1738442dc5087ebdaaec659a0f4c21b021081 (commit) via 6d49c4a6318512f12cd06da7727d7000f2071030 (commit) via 49abe7afb1868315b96643afe08c12fa1b339e3a (commit) from 03d0b8c7e8486fca41674ddac51543edad300f4d (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 27ecea56ce242adc0f3b471ed2868dc3ea246874 Author: Michael Tremer Date: Fri May 9 01:28:56 2014 +0200 squid: Update to 3.4.5. commit c6d9cb76ab5a1ce0ac152765c929f61b68361d87 Author: Michael Tremer Date: Mon May 12 12:54:08 2014 +0200 openvpn: Update translation. =20 DH keys are actually called DH parameters. 
commit 661cd276b68c274ecfee7cdf3bd6c7204dc56572 Merge: b2e7544 49abe7a Author: Michael Tremer Date: Sun May 11 18:47:11 2014 +0200 Merge remote-tracking branch 'ummeegge/openvpn' into next =20 Conflicts: html/cgi-bin/ovpnmain.cgi langs/de/cgi-bin/de.pl langs/en/cgi-bin/en.pl commit b2e75449a98f19e47b8aaf7623a6299749b21de6 Author: Michael Tremer Date: Sun May 11 18:34:34 2014 +0200 Revert "OpenVPN:Add HMAC, cipher 'n2n' and DH key selection. Fixes and ne= w design." =20 This reverts commit c2b5d12b3453c55afce7ef84451a65e130b0d80f. =20 Conflicts: langs/de/cgi-bin/de.pl langs/en/cgi-bin/en.pl commit b9e1738442dc5087ebdaaec659a0f4c21b021081 Merge: 03d0b8c 6d49c4a Author: Michael Tremer Date: Sun May 11 18:27:50 2014 +0200 Merge remote-tracking branch 'ummeegge/OpenVPN' into next commit 6d49c4a6318512f12cd06da7727d7000f2071030 Author: Erik Kapfer Date: Sun May 11 09:28:53 2014 +0200 OpenVPN: Update to version 2.3.4 commit 49abe7afb1868315b96643afe08c12fa1b339e3a Author: Erik Kapfer Date: Sun May 11 09:24:04 2014 +0200 OpenVPN:Add HMAC, cipher 'n2n' and DH key selection. Fixes and new design. =20 Added HMAC algorithm selection menu for N2N and RW. Added cipher selection menu for N2N connections. Added DH key selection also for existing installations incl. DH key uploa= d possibility. Adjusted the ovpn main WUI design to IPSec WUI. Extend key lenght for CA, cert and control channel with faktor 2. Some code and typo cleanup. Bugfixes for #10317, #10149, #10462, #10463 V.2 New changes: Integrated changes in langs and ovpnmain.cgi until 20.03.2014 2.15-Beta3. ovpn.cnf have now default bits of 2048 instead of 1024. ovpn.cnf default_md works now with sha256 instead of md5. Bugfix: By new installation the auth directive for RWs is faded out #1046= 2 Comment 15. Added error message if the crl should be displayed but no crl is present. v.3 New changes #10462 Comment 20: Updated to core version 77. 
Deleted manual name award in DH key upload section, name will be given au= tomatically now. Added sha512WithRSAEncryption instead of sha1WithRSAEncryption for "Root = Certificate". Added tls-auth support for Roadwarriors. Added crypto engine support for N2N and Roadwarriors. ----------------------------------------------------------------------- Summary of changes: doc/language_issues.de | 17 +- doc/language_issues.en | 18 +- doc/language_issues.es | 10 +- doc/language_issues.fr | 10 +- doc/language_issues.nl | 10 +- doc/language_issues.pl | 10 +- doc/language_issues.ru | 10 +- doc/language_issues.tr | 10 +- doc/language_missings | 65 ++--- html/cgi-bin/ovpnmain.cgi | 625 ++++++++++++++++++++++++++++++--------------= -- langs/de/cgi-bin/de.pl | 45 ++-- langs/en/cgi-bin/en.pl | 36 +-- lfs/openvpn | 10 +- lfs/squid | 4 +- 14 files changed, 530 insertions(+), 350 deletions(-) Difference in files: diff --git a/doc/language_issues.de b/doc/language_issues.de index 3746d7d..a00e97a 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -1,4 +1,3 @@ -WARNING: translation string unused: Client status and controlc WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: HDD temperature @@ -364,6 +363,7 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings +WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload 
@@ -411,6 +411,8 @@ WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn log +WARNING: translation string unused: ovpn reneg sec +WARNING: translation string unused: ovpn_fastio WARNING: translation string unused: ovpn_fragment WARNING: translation string unused: ovpn_mssfix WARNING: translation string unused: ovpn_mtudisc @@ -456,16 +458,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error @@ -596,7 +594,6 @@ WARNING: translation string unused: use dov WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode -WARNING: translation string unused: vpn configuration main WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue 
@@ -612,19 +609,21 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits -WARNING: untranslated string: Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs WARNING: untranslated string: addons WARNING: untranslated string: bytes WARNING: untranslated string: community rules WARNING: untranslated string: dead peer detection +WARNING: untranslated string: dns servers +WARNING: untranslated string: downlink WARNING: untranslated string: emerging rules -WARNING: untranslated string: firewall logs country +WARNING: untranslated string: first WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: last WARNING: untranslated string: monitor interface WARNING: untranslated string: qos add subclass WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table -WARNING: untranslated string: source ip country +WARNING: untranslated string: uplink diff --git a/doc/language_issues.en b/doc/language_issues.en index a64b822..ba7f030 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -1,4 +1,3 @@ -WARNING: translation string unused: Client status and controlc WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: HDD temperature 
@@ -146,6 +145,7 @@ WARNING: translation string unused: destination ip bad WARNING: translation string unused: destination ip or net WARNING: translation string unused: destination net WARNING: translation string unused: destination port overlaps +WARNING: translation string unused: dh name is invalid WARNING: translation string unused: dhcp base ip fixed lease WARNING: translation string unused: dhcp create fixed leases WARNING: translation string unused: dhcp fixed lease err1 @@ -389,6 +389,7 @@ WARNING: translation string unused: network time WARNING: translation string unused: network traffic graphs WARNING: translation string unused: network updated WARNING: translation string unused: networks settings +WARNING: translation string unused: never WARNING: translation string unused: new optionsfw must boot WARNING: translation string unused: no alcatelusb firmware WARNING: translation string unused: no cfg upload @@ -437,8 +438,8 @@ WARNING: translation string unused: override mtu WARNING: translation string unused: ovpn config WARNING: translation string unused: ovpn dl WARNING: translation string unused: ovpn log +WARNING: translation string unused: ovpn reneg sec WARNING: translation string unused: ovpn_fastio -WARNING: translation string unused: ovpn_fragment WARNING: translation string unused: ovpn_mssfix WARNING: translation string unused: ovpn_mtudisc WARNING: translation string unused: ovpn_processprio 
@@ -484,16 +485,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error @@ -548,6 +545,7 @@ WARNING: translation string unused: successfully refreshe= d updates list WARNING: translation string unused: system graphs WARNING: translation string unused: system log viewer WARNING: translation string unused: system status information +WARNING: translation string unused: teovpn_fragment WARNING: translation string unused: test WARNING: translation string unused: test email could not be sent WARNING: translation string unused: test email was sent @@ -631,7 +629,6 @@ WARNING: translation string unused: use dov WARNING: translation string unused: use ibod WARNING: translation string unused: view log WARNING: translation string unused: vpn aggrmode -WARNING: translation string unused: vpn configuration main WARNING: translation string unused: vpn incompatible use of defaultroute WARNING: translation string unused: vpn mtu invalid WARNING: translation string unused: vpn on blue 
@@ -647,13 +644,16 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits -WARNING: untranslated string: Number of Countries for the pie chart WARNING: untranslated string: Scan for Songs WARNING: untranslated string: bytes +WARNING: untranslated string: dns servers +WARNING: untranslated string: downlink +WARNING: untranslated string: first WARNING: untranslated string: fwhost err hostip +WARNING: untranslated string: last WARNING: untranslated string: monitor interface WARNING: untranslated string: route config changed WARNING: untranslated string: routing config added WARNING: untranslated string: routing config changed WARNING: untranslated string: routing table -WARNING: untranslated string: source ip country +WARNING: untranslated string: uplink diff --git a/doc/language_issues.es b/doc/language_issues.es index 92622bd..54cb32e 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -420,16 +420,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error @@ -638,8 +634,9 @@ WARNING: untranslated string: dead peer detection WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: details WARNING: untranslated string: dh +WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn -WARNING: untranslated string: dh name is invalid +WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers WARNING: untranslated string: dnsforward @@ -877,7 +874,8 @@ WARNING: untranslated string: outgoing firewall p2p allow WARNING: untranslated string: outgoing firewall p2p deny WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh -WARNING: untranslated string: ovpn dh name +WARNING: untranslated string: ovpn dh upload +WARNING: untranslated string: ovpn engines WARNING: untranslated string: ovpn errmsg green already pushed WARNING: untranslated string: ovpn errmsg invalid ip or mask WARNING: untranslated string: ovpn generating the root and host certificates 
diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 65e036f..0386f24 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -431,16 +431,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error @@ -648,8 +644,9 @@ WARNING: untranslated string: dead peer detection WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: details WARNING: untranslated string: dh +WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn -WARNING: untranslated string: dh name is invalid +WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dnat address WARNING: untranslated string: dns address deleted txt WARNING: untranslated string: dns servers 
@@ -888,7 +885,8 @@ WARNING: untranslated string: other WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh -WARNING: untranslated string: ovpn dh name +WARNING: untranslated string: ovpn dh upload +WARNING: untranslated string: ovpn engines WARNING: untranslated string: ovpn generating the root and host certificates WARNING: untranslated string: ovpn ha WARNING: untranslated string: ovpn hmac diff --git a/doc/language_issues.nl b/doc/language_issues.nl index e06e8a7..7c6f729 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -485,16 +485,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error 
@@ -654,8 +650,9 @@ WARNING: untranslated string: atm device WARNING: untranslated string: bytes WARNING: untranslated string: capabilities WARNING: untranslated string: dh +WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn -WARNING: untranslated string: dh name is invalid +WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dns servers WARNING: untranslated string: drop outgoing WARNING: untranslated string: firewall logs country @@ -681,7 +678,8 @@ WARNING: untranslated string: monitor interface WARNING: untranslated string: not a valid dh key WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh -WARNING: untranslated string: ovpn dh name +WARNING: untranslated string: ovpn dh upload +WARNING: untranslated string: ovpn engines WARNING: untranslated string: ovpn generating the root and host certificates WARNING: untranslated string: ovpn ha WARNING: untranslated string: ovpn hmac diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 92622bd..54cb32e 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -420,16 +420,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error @@ -638,8 +634,9 @@ WARNING: untranslated string: dead peer detection WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: details WARNING: untranslated string: dh +WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn -WARNING: untranslated string: dh name is invalid +WARNING: untranslated string: dh key warn1 WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers WARNING: untranslated string: dnsforward @@ -877,7 +874,8 @@ WARNING: untranslated string: outgoing firewall p2p allow WARNING: untranslated string: outgoing firewall p2p deny WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh -WARNING: untranslated string: ovpn dh name +WARNING: untranslated string: ovpn dh upload +WARNING: untranslated string: ovpn engines WARNING: untranslated string: ovpn errmsg green already pushed WARNING: untranslated string: ovpn errmsg invalid ip or mask WARNING: untranslated string: ovpn generating the root and host certificates 
diff --git a/doc/language_issues.ru b/doc/language_issues.ru index fbf4d46..c7c39ec 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -425,16 +425,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error @@ -642,8 +638,9 @@ WARNING: untranslated string: dead peer detection WARNING: untranslated string: deprecated fs warn WARNING: untranslated string: details WARNING: untranslated string: dh +WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn -WARNING: untranslated string: dh name is invalid +WARNING: untranslated string: dh key warn1 WARNING: untranslated string: disk access per WARNING: untranslated string: dnat address WARNING: untranslated string: dns servers 
@@ -872,7 +869,8 @@ WARNING: untranslated string: outgoing firewall access WARNING: untranslated string: outgoing traffic in bytes per second WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh -WARNING: untranslated string: ovpn dh name +WARNING: untranslated string: ovpn dh upload +WARNING: untranslated string: ovpn engines WARNING: untranslated string: ovpn generating the root and host certificates WARNING: untranslated string: ovpn ha WARNING: untranslated string: ovpn hmac diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 816967c..06cacf1 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr @@ -484,16 +484,12 @@ WARNING: translation string unused: released WARNING: translation string unused: removable device advice WARNING: translation string unused: reportfile WARNING: translation string unused: requested data -WARNING: translation string unused: reserved dst port -WARNING: translation string unused: reserved src port WARNING: translation string unused: restore hardware settings WARNING: translation string unused: root WARNING: translation string unused: root path WARNING: translation string unused: root user password WARNING: translation string unused: route subnet is invalid WARNING: translation string unused: router ip -WARNING: translation string unused: rsvd dst port overlap -WARNING: translation string unused: rsvd src port overlap WARNING: translation string unused: rules already up to date WARNING: translation string unused: safe removal of umounted device WARNING: translation string unused: save error 
@@ -652,8 +648,9 @@ WARNING: untranslated string: Scan for Songs WARNING: untranslated string: bytes WARNING: untranslated string: capabilities WARNING: untranslated string: dh +WARNING: untranslated string: dh key move failed WARNING: untranslated string: dh key warn -WARNING: untranslated string: dh name is invalid +WARNING: untranslated string: dh key warn1 WARNING: untranslated string: firewall logs country WARNING: untranslated string: fwhost err hostip WARNING: untranslated string: gen dh @@ -677,7 +674,8 @@ WARNING: untranslated string: monitor interface WARNING: untranslated string: not a valid dh key WARNING: untranslated string: ovpn crypt options WARNING: untranslated string: ovpn dh -WARNING: untranslated string: ovpn dh name +WARNING: untranslated string: ovpn dh upload +WARNING: untranslated string: ovpn engines WARNING: untranslated string: ovpn generating the root and host certificates WARNING: untranslated string: ovpn ha WARNING: untranslated string: ovpn hmac diff --git a/doc/language_missings b/doc/language_missings index b8fe1b4..d25ea40 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -6,6 +6,7 @@ ############################################################################ < addon < ccd maxclients +< ovpn_fragment ############################################################################ # Checking install/setup translations for language: fr # ############################################################################ @@ -79,8 +80,9 @@ < deprecated fs warn < details < dh +< dh key move failed < dh key warn -< dh name is invalid +< dh key warn1 < dnat address < dns address deleted txt < dnsforward @@ -90,8 +92,6 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone -< dns servers -< downlink < dpd delay < dpd timeout < drop action 
@@ -119,8 +119,8 @@ < fireinfo why enable < fireinfo why read more < fireinfo your profile id +< firewall logs country < firewall rules -< first < flag < forward firewall < fw default drop @@ -319,7 +319,6 @@ < ipsec < ipsec network < ipsec no connections -< last < least preferred < lifetime < mac filter @@ -342,11 +341,13 @@ < modem sim information < modem status < most preferred +< never < no hardware random number generator < not a valid dh key < notice < ntp common settings < ntp sync +< Number of Countries for the pie chart < openvpn default < openvpn destination port used < openvpn disabled @@ -363,7 +364,8 @@ < outgoing firewall access < ovpn crypt options < ovpn dh -< ovpn dh name +< ovpn dh upload +< ovpn engines < ovpn generating the root and host certificates < ovpn ha < ovpn hmac @@ -377,6 +379,7 @@ < ovpn mtu-disc yes < ovpn no connections < ovpn port in root range +< ovpn reneg sec < p2p block < p2p block save notice < proxy reports @@ -392,6 +395,7 @@ < snat new source ip address < snort working < software version +< source ip country < ssh < static routes < support donation @@ -453,7 +457,6 @@ < tor use exit nodes < updxlrtr sources < updxlrtr standard view -< uplink < upload dh key < upload new ruleset < uptime @@ -590,8 +593,9 @@ < deprecated fs warn < details < dh +< dh key move failed < dh key warn -< dh name is invalid +< dh key warn1 < dnat address < dnsforward < dnsforward add a new entry @@ -600,8 +604,6 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone -< dns servers -< downlink < dpd delay < dpd timeout < drop action @@ -629,8 +631,8 @@ < fireinfo why enable < fireinfo why read more < fireinfo your profile id +< firewall logs country < firewall rules -< first < flag < forward firewall < fw default drop @@ -829,7 +831,6 @@ < ipsec < ipsec network < ipsec no connections -< last < least preferred < lifetime < mac filter 
@@ -852,9 +853,11 @@ < modem sim information < modem status < most preferred +< never < no hardware random number generator < not a valid dh key < notice +< Number of Countries for the pie chart < openvpn default < openvpn destination port used < openvpn disabled @@ -885,7 +888,8 @@ < outgoing firewall view group < ovpn crypt options < ovpn dh -< ovpn dh name +< ovpn dh upload +< ovpn engines < ovpn errmsg green already pushed < ovpn errmsg invalid ip or mask < ovpn generating the root and host certificates @@ -901,6 +905,7 @@ < ovpn mtu-disc yes < ovpn no connections < ovpn port in root range +< ovpn reneg sec < ovpn routes push < ovpn routes push options < p2p block @@ -918,6 +923,7 @@ < show dh < snat new source ip address < software version +< source ip country < ssh < static routes < support donation @@ -979,7 +985,6 @@ < tor use exit nodes < updxlrtr sources < updxlrtr standard view -< uplink < upload dh key < uptime < uptime load average @@ -1092,8 +1097,9 @@ < deprecated fs warn < details < dh +< dh key move failed < dh key warn -< dh name is invalid +< dh key warn1 < dnat address < dnsforward < dnsforward add a new entry @@ -1102,8 +1108,6 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone -< dns servers -< downlink < dpd delay < dpd timeout < drop action @@ -1123,8 +1127,8 @@ < extrahd unable to read < extrahd unable to write < extrahd you cant mount +< firewall logs country < firewall rules -< first < flag < forward firewall < fw default drop @@ -1323,7 +1327,6 @@ < ipsec < ipsec network < ipsec no connections -< last < least preferred < lifetime < mac filter @@ -1346,9 +1349,11 @@ < modem sim information < modem status < most preferred +< never < no hardware random number generator < not a valid dh key < notice +< Number of Countries for the pie chart < openvpn default < openvpn destination port used < openvpn disabled 
@@ -1365,7 +1370,8 @@ < outgoing firewall access < ovpn crypt options < ovpn dh -< ovpn dh name +< ovpn dh upload +< ovpn engines < ovpn errmsg green already pushed < ovpn errmsg invalid ip or mask < ovpn generating the root and host certificates @@ -1381,6 +1387,7 @@ < ovpn mtu-disc yes < ovpn no connections < ovpn port in root range +< ovpn reneg sec < ovpn routes push < ovpn routes push options < p2p block @@ -1397,6 +1404,7 @@ < show dh < snat new source ip address < software version +< source ip country < ssh < static routes < support donation @@ -1457,7 +1465,6 @@ < tor use exit nodes < updxlrtr sources < updxlrtr standard view -< uplink < upload dh key < uptime < uptime load average @@ -1572,8 +1579,9 @@ < deprecated fs warn < details < dh +< dh key move failed < dh key warn -< dh name is invalid +< dh key warn1 < disk access per < dnat address < dnsforward @@ -1583,8 +1591,6 @@ < dnsforward entries < dnsforward forward_server < dnsforward zone -< dns servers -< downlink < dpd delay < dpd timeout < drop action @@ -1605,8 +1611,8 @@ < extrahd unable to read < extrahd unable to write < extrahd you cant mount +< firewall logs country < firewall rules -< first < flag < forward firewall < frequency @@ -1808,7 +1814,6 @@ < ipsec < ipsec network < ipsec no connections -< last < least preferred < lifetime < mac filter @@ -1832,9 +1837,11 @@ < modem status < month-graph < most preferred +< never < no hardware random number generator < not a valid dh key < notice +< Number of Countries for the pie chart < openvpn default < openvpn destination port used < openvpn disabled @@ -1852,7 +1859,8 @@ < outgoing traffic in bytes per second < ovpn crypt options < ovpn dh -< ovpn dh name +< ovpn dh upload +< ovpn engines < ovpn generating the root and host certificates < ovpn ha < ovpn hmac @@ -1866,6 +1874,7 @@ < ovpn mtu-disc yes < ovpn no connections < ovpn port in root range +< ovpn reneg sec < p2p block < p2p block save notice < proxy reports 
@@ -1880,6 +1889,7 @@ < show dh < snat new source ip address < software version +< source ip country < ssh < static routes < support donation @@ -1940,7 +1950,6 @@ < tor use exit nodes < updxlrtr sources < updxlrtr standard view -< uplink < upload dh key < uptime < uptime load average diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index dec27b7..df5f9ec 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################= ### # = # # IPFire.org - A linux based firewall = # -# Copyright (C) 2007-2013 IPFire Team = # +# Copyright (C) 2007-2014 IPFire Team = # # = # # This program is free software: you can redistribute it and/or modify = # # it under the terms of the GNU General Public License as published by = # @@ -19,7 +19,6 @@ # = # ############################################################################= ### ### -# Based on IPFireCore 76 ### use CGI; use CGI qw/:standard/; @@ -90,8 +89,10 @@ $cgiparams{'DCOMPLZO'} =3D 'off'; $cgiparams{'MSSFIX'} =3D ''; $cgiparams{'number'} =3D ''; $cgiparams{'PMTU_DISCOVERY'} =3D ''; -$cgiparams{'DAUTH'} =3D ''; $cgiparams{'DCIPHER'} =3D ''; +$cgiparams{'DAUTH'} =3D ''; +$cgiparams{'TLSAUTH'} =3D ''; +$cgiparams{'ENGINES'} =3D ''; $routes_push_file =3D "${General::swroot}/ovpn/routes_push"; unless (-e $routes_push_file) { system("touch $routes_push_file"); } unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General:= :swroot}/ovpn/ccd.conf"); } 
@@ -226,6 +227,50 @@ sub checkportinc } } =20 +# Darren Critchley - certain ports are reserved for IPFire +# TCP 67,68,81,222,444 +# UDP 67,68 +# Params passed in -> port, rangeyn, protocol +sub disallowreserved +{ + # port 67 and 68 same for tcp and udp, don't bother putting in an array + my $msg =3D ""; + my @tcp_reserved =3D (81,222,444); + my $prt =3D $_[0]; # the port or range + my $ryn =3D $_[1]; # tells us whether or not it is a port range + my $prot =3D $_[2]; # protocol + my $srcdst =3D $_[3]; # source or destination + if ($ryn) { # disect port range + if ($srcdst eq "src") { + $msg =3D "$Lang::tr{'rsvd src port overlap'}"; + } else { + $msg =3D "$Lang::tr{'rsvd dst port overlap'}"; + } + my @tmprng =3D split(/\:/,$prt); + unless (67 < $tmprng[0] || 67 > $tmprng[1]) { $errormessage=3D"$msg 67"; r= eturn; } + unless (68 < $tmprng[0] || 68 > $tmprng[1]) { $errormessage=3D"$msg 68"; r= eturn; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + unless ($prange < $tmprng[0] || $prange > $tmprng[1]) { $errormessage=3D= "$msg $prange"; return; } + } + } + } else { + if ($srcdst eq "src") { + $msg =3D "$Lang::tr{'reserved src port'}"; + } else { + $msg =3D "$Lang::tr{'reserved dst port'}"; + } + if ($prt =3D=3D 67) { $errormessage=3D"$msg 67"; return; } + if ($prt =3D=3D 68) { $errormessage=3D"$msg 68"; return; } + if ($prot eq "tcp") { + foreach my $prange (@tcp_reserved) { + if ($prange =3D=3D $prt) { $errormessage=3D"$msg $prange"; return; } + } + } + } + return; +} + =20 sub writeserverconf { my %sovpnsettings =3D (); =20 
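Review bot: The header comment on the new `disallowreserved` lists three parameters, but the body also reads `$_[3]` as `$srcdst` and branches on it, so the comment should read `# Params passed in -> port, rangeyn, protocol, srcdst ("src" or "dst")`. The sub reports its result only by assigning the file-level `$errormessage` and then returns an empty list, so a caller cannot tell acceptance from rejection without inspecting that global; returning a true value on rejection would make call sites clearer. `$prt == 67` compares the raw port string numerically and warns on non-numeric input, so the caller is expected to have validated the port already. No caller of this sub is visible in these hunks.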
@@ -251,7 +296,7 @@ sub writeserverconf { print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print CONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; my @tempovpnsubnet =3D split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{= 'GREEN_NETMASK'}\"\n"; @@ -321,8 +366,16 @@ sub writeserverconf { if ($sovpnsettings{'DAUTH'} eq '') { print CONF ""; } else { - print CONF "auth $sovpnsettings{'DAUTH'}\n"; - } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n"; + } + if ($sovpnsettings{ENGINES} eq 'disabled') { + print CONF ""; + } else { + print CONF "engine $sovpnsettings{ENGINES}\n"; + } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -519,7 +572,7 @@ sub getccdadresses my @iprange=3D(); my %ccdhash=3D(); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ccdhash); - $iprange[0]=3D$ip1.".".$ip2.".".$ip3.".".($ip4+2); + $iprange[0]=3D$ip1.".".$ip2.".".$ip3.".".2; for (my $i=3D1;$i<=3D$count;$i++) { my $tmpip=3D$iprange[$i-1]; my $stepper=3D$i*4; @@ -742,6 +795,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}= ) { $vpnsettings{'ROUTES_PUSH'} =3D $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'PMTU_DISCOVERY'} =3D $cgiparams{'PMTU_DISCOVERY'}; $vpnsettings{'DAUTH'} =3D $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} =3D $cgiparams{'TLSAUTH'}; + $vpnsettings{'ENGINES'} =3D $cgiparams{'ENGINES'}; my @temp=3D(); =20 if ($cgiparams{'FRAGMENT'} eq '') { 
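Review bot: In `writeserverconf` the new `dh` line is built from the request parameter `$cgiparams{'DH_NAME'}` while every other value in the function is taken from `%sovpnsettings`; if the function runs for an action whose request does not carry `DH_NAME` (its callers are outside this hunk), the emitted line is `dh ${General::swroot}/ovpn/ca/` with no file name and the server will not start. The chosen DH file name should be persisted in the settings file when it is generated or uploaded and read back here, e.g. `print CONF "dh ${General::swroot}/ovpn/ca/$sovpnsettings{'DH_NAME'}\n";`, after the name has been checked against the fixed set of names the WUI offers. The `show dh` action in the later hunk at @@ -2361 still tests for `dh1024.pem` only, so it reports 'not present' for any other size. The n2n server conf hunk at @@ -936 writes the same request-parameter path.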
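Review bot: The new engine block treats only `'disabled'` as the off value, so a settings file from an installation that predates this change (no ENGINES key, hence an empty value) produces the line `engine ` with no argument, which openvpn rejects; the `DAUTH` block directly above already handles the empty case and the engine block should do the same, `if ($sovpnsettings{ENGINES} eq '' || $sovpnsettings{ENGINES} eq 'disabled') {`. The `print CONF "";` in the then-branch is a no-op and the block reads better as an `unless`. The same pattern is repeated in the n2n server and client conf hunks at @@ -936 and @@ -1029, where `$cgiparams{'ENGINES'}` defaults to the empty string per the hunk at @@ -90.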
@@ -754,12 +809,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options= '}) { $vpnsettings{'FRAGMENT'} =3D $cgiparams{'FRAGMENT'}; } } + if ($cgiparams{'MSSFIX'} ne 'on') { delete $vpnsettings{'MSSFIX'}; } else { $vpnsettings{'MSSFIX'} =3D $cgiparams{'MSSFIX'}; } =20 + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/ca/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ov= pn/ca/ta.key") + } + } + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { @@ -936,11 +999,21 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'= NAME'}"){mkdir "${General print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n";=20 print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n";=20 print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n";=20 - print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n";=20 print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; - print SERVERCONF "# HMAC algorithm\n"; - print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + if ($cgiparams{'DAUTH'} eq '') { + print SERVERCONF "auth SHA1\n"; + } else { + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + } + if ($cgiparams{'ENGINES'} eq 'disabled') { + print SERVERCONF ""; + } else { + print SERVERCONF "# Crypto engine\n"; + print SERVERCONF "engine $cgiparams{'ENGINES'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\r\n"; 
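Review bot: The return value of the added `system('/usr/sbin/openvpn', '--genkey', '--secret', ...)` is not checked, so if key generation fails `TLSAUTH=on` is still saved and `writeserverconf` (hunk at @@ -321) will emit a `tls-auth` directive pointing at a file that does not exist; guard it, e.g. `if (system(...) != 0) { $errormessage = "..."; }`, or repeat the `-e` test before saving the setting. The list form of `system` is the right choice here. The comment `# Create ta.key for tls-auth if not presant` should read `present`, and the `system` statement lacks its terminating semicolon (legal as the last statement in the block, but fragile when a line is added after it).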
@@ -1029,9 +1102,19 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{= 'NAME'}"){mkdir "${General print CLIENTCONF "tls-client\n";=20 print CLIENTCONF "# Cipher\n";=20 print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.= p12\r\n"; + if ($cgiparams{'DAUTH'} eq '') { + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + } + if ($cgiparams{'ENGINES'} eq 'disabled') { + print CLIENTCONF ""; + } else { + print CLIENTCONF "# Crypto engine\n"; + print CLIENTCONF "engine $cgiparams{'ENGINES'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; 
@@ -1165,41 +1248,43 @@ SETTINGS_ERROR: } } while ($file =3D glob("${General::swroot}/ovpn/ca/*")) { - unlink $file + unlink $file; } while ($file =3D glob("${General::swroot}/ovpn/certs/*")) { - unlink $file + unlink $file; } while ($file =3D glob("${General::swroot}/ovpn/crls/*")) { - unlink $file + unlink $file; } &cleanssldatabase(); if (open(FILE, ">${General::swroot}/ovpn/caconfig")) { print FILE ""; close FILE; } - if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) { - print FILE ""; - close FILE; - } - if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) { - print FILE ""; - close FILE; - } - while ($file =3D glob("${General::swroot}/ovpn/ccd/*")) { - unlink $file - } - if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { - print FILE ""; - close FILE; - } - if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) { - print FILE ""; - close FILE; - } - while ($file =3D glob("${General::swroot}/ovpn/n2nconf/*")) { - system ("rm -rf $file") - } + if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) { + print FILE ""; + close FILE; + } + while ($file =3D glob("${General::swroot}/ovpn/ccd/*")) { + unlink $file + } + if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) { + print FILE ""; + close FILE; + } + while ($file =3D glob("${General::swroot}/ovpn/n2nconf/*")) { + system ("rm -rf $file"); + } + + #&writeserverconf(); ### ### Reset all step 1 ### @@ -1215,6 +1300,7 @@ SETTINGS_ERROR: $Lang::tr{'capswarning'}<= /b>:=20 + $Lang::tr{'capswarning'}<= /b>: $Lang::tr{'resetting the vpn configuration will remove the root ca, the = host certificate and all certificate based connections'} 
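Review bot: The re-indented reset code keeps `system ("rm -rf $file");` with the path interpolated into a shell command; since the names come from `glob("${General::swroot}/ovpn/n2nconf/*")`, the list form `system('rm', '-rf', $file);` (or `File::Path::remove_tree`) avoids the shell without changing behaviour. The `unlink $file` inside the `ccd/*` loop is the only glob loop that did not receive the terminating semicolon the three loops above were given. The added `#&writeserverconf();` is commented-out code; either remove it or replace it with a comment saying why the server configuration is deliberately not rewritten on reset.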
@@ -1234,7 +1320,7 @@ END ### Generate DH key step 2 ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{= 'AREUSURE'} eq 'yes') { - # Delete if old key exists + # Delete if old key exists if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } @@ -1258,7 +1344,7 @@ END - +
$Lang::tr{'ovpn dh'}: @@ -1276,10 +1362,12 @@ END
- $Lang::tr{'capswarning'}: - $Lang::tr{'dh key warn'} - + $Lang::tr{'capswarning'}: <= /b>$Lang::tr{'dh key warn'} + + + + @@ -1298,21 +1386,17 @@ END ### Upload DH key ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { - if ($cgiparams{'DH_NAME'} !~ /dh1024.pem/) { - $errormessage =3D $Lang::tr{'dh name is invalid'}; - goto UPLOADCA_ERROR; - } if (ref ($cgiparams{'FH'}) ne 'Fh') { $errormessage =3D $Lang::tr{'there was no file upload'}; goto UPLOADCA_ERROR; } - # Move uploaded dh key to a temporary file + # Move uploaded dh key to a temporary file (my $fh, my $filename) =3D tempfile( ); if (copy ($cgiparams{'FH'}, $fh) !=3D 1) { $errormessage =3D $!; - goto UPLOADCA_ERROR; + goto UPLOADCA_ERROR; } - my $temp =3D `/usr/bin/openssl dhparam -text -in $filename`; + my $temp =3D `/usr/bin/openssl dhparam -text -in $filename`; if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { $errormessage =3D $Lang::tr{'not a valid dh key'}; unlink ($filename); @@ -1323,11 +1407,11 @@ END unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); - if ($? ne 0) { - $errormessage =3D "$Lang::tr{'certificate file move failed'}: $!"; - unlink ($filename); - goto UPLOADCA_ERROR; - } + if ($? ne 0) { + $errormessage =3D "$Lang::tr{'dh key move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } } =20 ### @@ -1784,7 +1868,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/= proc/interrupts:/proc/net/rt_cache', - '-days', '999999', '-newkey', 'rsa:4096', + '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -1894,7 +1978,7 @@ END &Header::closebox(); } &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificate= s'}:"); - print <
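Review bot: Removing the `if ($cgiparams{'DH_NAME'} !~ /dh1024.pem/)` check leaves `DH_NAME` without any visible validation before it is used as a file name under `${General::swroot}/ovpn/ca/` in the `unlink` and `move` calls of the following hunk and in the generate-dh-key hunk at @@ -1234; a value containing path separators would make those operations act outside that directory, unless a check exists elsewhere outside these hunks. Replace the dropped test with an allowlist matching the sizes the upload check accepts, e.g. `if ($cgiparams{'DH_NAME'} !~ /^dh(1024|2048|3072|4096)\.pem$/) { $errormessage = $Lang::tr{'not a valid dh key'}; goto UPLOADCA_ERROR; }`. The `dh name is invalid` translation key is removed in the langs hunks above, so a new or existing message key is needed for this error.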
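Review bot: `if ($? ne 0)` after `move($filename, ...)` does not test the result of `move`; `$?` holds the exit status of the last child process, which here is the backtick `openssl dhparam` call a few lines up, so a failed move is never reported and a failed openssl run would be misreported as a move failure. Assuming `move` is `File::Copy::move`, it returns true on success and sets `$!`, so the check should be `unless (move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}")) {` with the existing error handling inside. This hunk only re-indents those lines and changes the message key, but the condition was wrong before as well.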
$Lang::tr{'dh key warn1'}

@@ -1927,8 +2011,8 @@ END } print ">$country"; } - print < + print < =20 - - + +
$Lang::tr{'organization name'}:
$Lang::tr{'ovpn dh'}:   
3D'*' $Lang::tr{'this= field may be blank'}


- $Lang::tr{'capswarning'}: - $Lang::tr{'ovpn generating the root and host certificates'} -

+ + $Lang::tr{'capswarning'}: <= /b>$Lang::tr{'ovpn generating the root and host certificates'} + - + + + + +
$Lang::tr{'dh key warn'}
- $Lang::tr{'dh key warn'} -
$Lang::tr{'dh key warn1'}

=20 + @@ -2104,14 +2191,19 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "ns-cert-type server\n"; =20 print CLIENTCONF "# Auth. Client\n";=20 print CLIENTCONF "tls-client\n";=20 - print CLIENTCONF "# Cipher\n";=20 + print CLIENTCONF "# Cipher\n"; print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n"; - print CLIENTCONF "# HMAC algorithm\n"; - print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot= }/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") {=20 print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgipar= ams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'K= EY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add fil= e $confighash{$cgiparams{'KEY'}}[1].p12\n"; - }=20 + } + if ($confighash{$cgiparams{'KEY'}}[39] eq '') { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; + } if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; 
@@ -2207,11 +2299,15 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}= }[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add= file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; =20 } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; - if ($vpnsettings{'DAUTH'} eq '') { + if ($vpnsettings{'DAUTH'} eq '') { print CLIENTCONF ""; } else { - print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; - } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; + } + if ($vpnsettings{'TLSAUTH'} eq 'on') { + print CLIENTCONF "tls-auth ta.key 1\r\n"; + $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can'= t add file ta.key\n"; + } if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2320,8 +2416,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } else { $errormessage =3D $Lang::tr{'invalid key'}; } - - &General::firewall_reload(); + &General::firewall_reload(); =20 ### ### Download PKCS12 file @@ -2361,7 +2456,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { =20 if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { - $errormessage =3D $Lang::tr{'not present'}; + $errormessage =3D $Lang::tr{'not present'}; } else { &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); 
@@ -2383,21 +2478,21 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%configh= ash); =20 - if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { - $errormessage =3D $Lang::tr{'not present'}; + if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { + $errormessage =3D $Lang::tr{'not present'}; } else { - &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'ovpn'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output =3D `/usr/bin/openssl crl -text -noout -in ${General::swroot= }/ovpn/crls/cacrl.pem`; - $output =3D &Header::cleanhtml($output,"y"); - print "
$output
\n"; - &Header::closebox(); - print ""; - &Header::closebigbox(); - &Header::closepage(); - exit(0); + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); + my $output =3D `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ov= pn/crls/cacrl.pem`; + $output =3D &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); } =20 ### @@ -2435,6 +2530,15 @@ ADV_ERROR: if ($cgiparams{'DAUTH'} eq '') { $cgiparams{'DAUTH'} =3D 'SHA1'; } + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} =3D 'SHA1'; + } + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} =3D 'disabled'; + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} =3D 'off'; + } $checked{'CLIENT2CLIENT'}{'off'} =3D ''; $checked{'CLIENT2CLIENT'}{'on'} =3D ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} =3D 'CHECKED'; @@ -2445,6 +2549,7 @@ ADV_ERROR: $checked{'MSSFIX'}{'on'} =3D ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} =3D 'CHECKED'; $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =3D 'checked=3D= \'checked\''; + $selected{'LOG_VERB'}{'0'} =3D ''; $selected{'LOG_VERB'}{'1'} =3D ''; $selected{'LOG_VERB'}{'2'} =3D ''; $selected{'LOG_VERB'}{'3'} =3D ''; @@ -2456,15 +2561,22 @@ ADV_ERROR: $selected{'LOG_VERB'}{'9'} =3D ''; $selected{'LOG_VERB'}{'10'} =3D ''; $selected{'LOG_VERB'}{'11'} =3D ''; - $selected{'LOG_VERB'}{'0'} =3D ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} =3D 'SELECTED'; $selected{'DAUTH'}{'whirlpool'} =3D ''; $selected{'DAUTH'}{'SHA512'} =3D ''; $selected{'DAUTH'}{'SHA384'} =3D ''; $selected{'DAUTH'}{'SHA256'} =3D ''; - $selected{'DAUTH'}{'ecdsa-with-SHA1'} =3D ''; $selected{'DAUTH'}{'SHA1'} =3D ''; $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; + $checked{'TLSAUTH'}{'off'} =3D ''; + $checked{'TLSAUTH'}{'on'} =3D ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} =3D 'CHECKED'; + $selected{'ENGINES'}{'cryptodev'} =3D ''; + $selected{'ENGINES'}{'dynamic'} =3D ''; + $selected{'ENGINES'}{'aesni'} =3D ''; + $selected{'ENGINES'}{'padlock'} =3D ''; + $selected{'ENGINES'}{'disabled'} =3D ''; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} =3D 'SELECTED'; =20 &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); 
@@ -2478,7 +2590,7 @@ ADV_ERROR: &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); print < -

$Lang::tr{'upload p12 file'}:
+
@@ -2546,12 +2658,13 @@ print < - - + + - - + + + @@ -2564,30 +2677,28 @@ print <
$Lang::tr{'dhcp-options'}
fragment
mssfix $Lang::tr{'openvpn default'}: on
$Lang::tr{'openvpn default'}: off
$Lang::tr{'ovpn mtu-disc'} $Lang::tr{'ovpn mtu-disc yes'}
- + - + =20 - -
$Lang::tr{'log-options'}$Lang::tr{'log-options'}
VERB -
+ + + + + + + + + + + + + + =20
@@ -2599,24 +2710,46 @@ print <=09 -
$Lang::tr{'ovpn ha'} Default: SHA1 (160 $Lang::tr{'bit'})

+ + + $Lang::tr{'ovpn engines'} + + + Default: $Lang::tr{'disabled'} + + + + + + + =20 + + + +
HMAC tls-auth<= /td> +

END =20 if ( -e "/var/run/openvpn.pid"){ print"
$Lang::tr{'attention'}:
$Lang::tr{'server restart'}


"; - print<   @@ -2632,7 +2765,7 @@ END =09 }else{ =20 -print<   @@ -2687,11 +2820,11 @@ if ($cgiparams{'ACTION'} eq "edit"){ =09 &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'}); =20 - print <
$Lang::tr{'ccd name'}: - $Lang::tr{'ccd subnet'}: + $Lang::tr{'ccd subnet'}:
@@ -2701,7 +2834,7 @@ END &Header::closebox(); =20 &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} ); - print < $Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'} @@ -2711,7 +2844,7 @@ END else{ if (! -e "/var/run/openvpn.pid"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'}); - print < $Lang::tr{'ccd hint'}

@@ -2751,7 +2884,7 @@ END print"$ccdconf[0]$ccdconf[1]$ccdhosts/".(&ccdmaxclients($ccdconf[1])+1).""; print < - + @@ -2760,7 +2893,7 @@ END - + END ; }=09 @@ -2864,7 +2997,7 @@ END } =09 print ""; - print < @@ -2979,7 +3112,7 @@ END =20 if ( -s "${General::swroot}/ovpn/settings") { =20 - print <$Lang::tr{'connection type'}:

- + @@ -3000,7 +3133,7 @@ END =09 =20 } else { - print <$Lang::tr{'connection type'}:
@@ -2990,7 +3123,7 @@ if ( -s "${General::swroot}/ovpn/settings") { $Lang::tr{'net to net vpn'} (Upload Client Package)
 
 Import Connection Name
 $Lang::tr{'openvpn default'}: Client Packagename
 Default : Client Packagename

3D'*' $Lang::tr{'this field may be blank'}
@@ -3149,6 +3282,7 @@ my $complzoactive; my $mssfixactive; my $authactive; my $n2nfragment; +my $authactive; my @n2nmtudisc =3D split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]); my @n2nproto2 =3D split(/ /, (grep { /^proto/ } @firen2nconf)[0]); my @n2nproto =3D split(/-/, $n2nproto2[1]); @@ -3168,7 +3302,7 @@ my @n2nmgmt =3D split(/ /, (grep { /^management/ } @fi= ren2nconf)[0]); my @n2nlocalsub =3D split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]); my @n2ncipher =3D split(/ /, (grep { /^cipher/ } @firen2nconf)[0]); my @n2nauth =3D split(/ /, (grep { /^auth/ } @firen2nconf)[0]); - +my @n2nengine =3D split(/ /, (grep { /^engine/ } @firen2nconf)[0]);; =20 ### # m.a.d delete CR and LF from arrays for this chomp doesnt work @@ -3189,6 +3323,7 @@ $n2nmgmt[2] =3D~ s/\n|\r//g; $n2nmtudisc[1] =3D~ s/\n|\r//g; $n2ncipher[1] =3D~ s/\n|\r//g; $n2nauth[1] =3D~ s/\n|\r//g; +$n2nengine[1] =3D~ s/\n|\r//g; chomp ($complzoactive); chomp ($mssfixactive); =20 @@ -3242,7 +3377,7 @@ foreach my $dkey (keys %confighash) { =09 $key =3D &General::findhasharraykey (\%confighash); =20 - foreach my $i (0 .. 41) { $confighash{$key}[$i] =3D "";} + foreach my $i (0 .. 42) { $confighash{$key}[$i] =3D "";} =20 $confighash{$key}[0] =3D 'off'; $confighash{$key}[1] =3D $n2nname[0]; @@ -3263,9 +3398,10 @@ foreach my $dkey (keys %confighash) { $confighash{$key}[29] =3D $n2nport[1]; $confighash{$key}[30] =3D $complzoactive; $confighash{$key}[31] =3D $n2ntunmtu[1]; - $confighash{$key}[38] =3D $n2nmtudisc[1];=20 + $confighash{$key}[38] =3D $n2nmtudisc[1]; $confighash{$key}[39] =3D $n2nauth[1]; $confighash{$key}[40] =3D $n2ncipher[1]; + $confighash{$key}[41] =3D 'disabled'; =20 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighas= h); =20 @@ -3285,7 +3421,7 @@ foreach my $dkey (keys %confighash) { &Header::openbox('100%', 'LEFT', 'import ipfire net2net config'); } if ($errormessage eq ''){ - print <
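Review bot: The added `my $authactive;` redeclares a lexical that the context line two above already declares, which under `use warnings` produces `"my" variable $authactive masks earlier declaration in same scope`; drop the added line. In the hunk at @@ -3168 the new `my @n2nengine = split(...);;` ends with a doubled semicolon.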
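Review bot: The import path sets `$confighash{$key}[41] = 'disabled';`, but index 41 is read back as `TLSAUTH` and index 42 as `ENGINES` in the hunk at @@ -3405, so the engine default lands in the TLSAUTH slot and ENGINES stays empty for imported connections; the line should be `$confighash{$key}[42] = 'disabled';`. The record is sized with `foreach my $i (0 .. 42)` in the hunk at @@ -3242 but `(0 .. 43)` in the one at @@ -4085, so the two initialisation loops disagree on its length; pick one upper bound, and consider naming indices 39–42 with constants now that they are spread over several places.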
$Lang::tr{'host to net vpn'}
@@ -3302,8 +3438,8 @@ foreach my $dkey (keys %confighash) { - - + + <= td>$confighash{$key}[39]=09 @@ -3405,6 +3541,8 @@ if ($confighash{$cgiparams{'KEY'}}) { $cgiparams{'PMTU_DISCOVERY'} =3D $confighash{$cgiparams{'KEY'}}[38]; $cgiparams{'DAUTH'} =3D $confighash{$cgiparams{'KEY'}}[39]; $cgiparams{'DCIPHER'} =3D $confighash{$cgiparams{'KEY'}}[40]; + $cgiparams{'TLSAUTH'} =3D $confighash{$cgiparams{'KEY'}}[41]; + $cgiparams{'ENGINES'} =3D $confighash{$cgiparams{'KEY'}}[42]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} =3D &Header::cleanhtml($cgiparams{'REMARK'}); =09 @@ -3723,14 +3861,13 @@ if ($cgiparams{'TYPE'} eq 'net') { unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'= NAME'}.conf") or die "Removing Configfile fail: $!"; rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Re= moving Directory fail: $!"; goto VPNCONF_ERROR; - } - #Check if remote subnet is used elsewhere - my ($n2nip,$n2nsub)=3Dsplit("/",$cgiparams{'REMOTE_SUBNET'}); - $warnmessage=3D&General::checksubnets('',$n2nip,'ovpn'); - if ($warnmessage){ - $warnmessage=3D$Lang::tr{'remote subnet'}." ($cgiparams{'REMO= TE_SUBNET'})
".$warnmessage; - } -=20 + } + #Check if remote subnet is used elsewhere + my ($n2nip,$n2nsub)=3Dsplit("/",$cgiparams{'REMOTE_SUBNET'}); + $warnmessage=3D&General::checksubnets('',$n2nip,'ovpn'); + if ($warnmessage){ + $warnmessage=3D$Lang::tr{'remote subnet'}." ($cgiparams{'REMOTE_SUBNET'}) =
".$warnmessage; + } } =20 # if (($cgiparams{'TYPE'} eq 'net') && ($cgiparams{'SIDE'} !~ /^(left|right)= $/)) { @@ -4085,7 +4222,7 @@ if ($cgiparams{'TYPE'} eq 'net') { =09 if (! $key) { $key =3D &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 41) { $confighash{$key}[$i] =3D "";} + foreach my $i (0 .. 43) { $confighash{$key}[$i] =3D "";} } $confighash{$key}[0] =3D $cgiparams{'ENABLED'}; $confighash{$key}[1] =3D $cgiparams{'NAME'}; @@ -4131,6 +4268,7 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[38] =3D $cgiparams{'PMTU_DISCOVERY'}; $confighash{$key}[39] =3D $cgiparams{'DAUTH'}; $confighash{$key}[40] =3D $cgiparams{'DCIPHER'}; + $confighash{$key}[42] =3D $cgiparams{'ENGINES'}; =20 &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash= ); =09 @@ -4240,8 +4378,9 @@ if ($cgiparams{'TYPE'} eq 'net') { ###=09 $cgiparams{'MSSFIX'} =3D 'on'; $cgiparams{'FRAGMENT'} =3D '1300'; - $cgiparams{'PMTU_DISCOVERY'} =3D 'off'; - $cgiparams{'DAUTH'} =3D 'SHA1'; + $cgiparams{'PMTU_DISCOVERY'} =3D 'off'; + $cgiparams{'DAUTH'} =3D 'SHA1'; + $cgiparams{'ENGINES'} =3D 'disabled'; ### # m.a.d n2n end ###=09 @@ -4306,14 +4445,6 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} =3D 'checked=3D= \'checked\''; =20 - $selected{'DAUTH'}{'whirlpool'} =3D ''; - $selected{'DAUTH'}{'SHA512'} =3D ''; - $selected{'DAUTH'}{'SHA384'} =3D ''; - $selected{'DAUTH'}{'SHA256'} =3D ''; - $selected{'DAUTH'}{'ecdsa-with-SHA1'} =3D ''; - $selected{'DAUTH'}{'SHA1'} =3D ''; - $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} =3D ''; $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} =3D ''; 
@@ -4330,7 +4461,35 @@ if ($cgiparams{'TYPE'} eq 'net') { $selected{'DCIPHER'}{'DES-CBC'} =3D ''; $selected{'DCIPHER'}{'RC2-64-CBC'} =3D ''; $selected{'DCIPHER'}{'RC2-40-CBC'} =3D ''; + # If no cipher has been chossen yet, select + # the old default (AES-256-CBC) for compatiblity reasons. + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} =3D 'AES-256-CBC'; + } $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} =3D 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} =3D ''; + $selected{'DAUTH'}{'SHA512'} =3D ''; + $selected{'DAUTH'}{'SHA384'} =3D ''; + $selected{'DAUTH'}{'SHA256'} =3D ''; + $selected{'DAUTH'}{'SHA1'} =3D ''; + # If no hash algorythm has been choosen yet, select + # the old default value (SHA1) for compatiblity reasons. + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} =3D 'SHA1'; + } + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} =3D 'SELECTED'; + + $selected{'ENGINES'}{'disabled'} =3D ''; + $selected{'ENGINES'}{'cryptodev'} =3D ''; + $selected{'ENGINES'}{'dynamic'} =3D ''; + $selected{'ENGINES'}{'aesni'} =3D ''; + $selected{'ENGINES'}{'padlock'} =3D ''; + # If no engine has been choosen yet, select + # a default one (disabled). + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} =3D 'disabled'; + } + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} =3D 'SELECTED'; =20 if (1) { &Header::showhttpheaders(); @@ -4386,7 +4545,6 @@ if ($cgiparams{'TYPE'} eq 'net') { } else { print ""; } - print <  @@ -4405,77 +4563,93 @@ if ($cgiparams{'TYPE'} eq 'net') { =20 - - - - + =20 + =20 + =20 - - + + =20 =20 + + + =20 - + + + + + + + + =20 - + + =20 - + - - =20 - + =20 + + + END ; } @@ -4538,7 +4712,7 @@ if ($cgiparams{'TYPE'} eq 'host') { =20 if ($cgiparams{'TYPE'} eq 'host') { =20 - print < =20 @@ -4563,7 +4737,7 @@ END =20 } else { =20 - print < =20 @@ -4597,7 +4771,7 @@ END ### =20 if ($cgiparams{'TYPE'} eq 'host') { - print < =20 @@ -4605,7 +4779,7 @@ if ($cgiparams{'TYPE'} eq 'host') { = - + = @@ -4613,7 +4787,7 @@ if ($cgiparams{'TYPE'} eq 'host') {
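Review bot: The comments added to the DCIPHER, DAUTH and ENGINES default blocks contain spelling errors: `chossen` should be `chosen`, `algorythm` should be `algorithm` and `compatiblity` should be `compatibility`. The three blocks have the same shape (clear the option list, fall back to a default when the parameter is empty, mark the selection) and could share a small helper taking the option name, its values and the default, which would also keep the default values in one place.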
  
MSSFIX:$confighas= h{$key}[23]
Fragment:$configh= ash{$key}[24]
$Lang::tr{'MTU'}$= confighash{$key}[31]
$Lang::tr{'ovpn mtu-disc'}:$confighash{$key}[38]
Management Port:$= confighash{$key}[22]
$Lang::tr{'ovpn mtu-disc'}$confighash{$key}[38]
Management Port $= confighash{$key}[22]
$Lang::tr{'ovpn hmac'}:
$Lang::tr{'cipher'}<= b>$confighash{$key}[40]
  
 
$Lang::tr{'ovpn subnet'}$Lang::tr{'destination port'}:
$Lang::tr{'protocol'} Management Port ($Lang::tr{'openv= pn default'}: $Lang::tr{'destination port'}):   $Lang::tr{'destination port'}:
$Lang::tr{'cipher'} $Lang::tr{'ovpn ha'}: +
$Lang::tr{'ovpn engines'} &n= bsp; +
$Lang::tr{'MTU'} 

Management Port ($Lang::tr{'= openvpn default'}: $Lang::tr{'destination port'}):  = ;
$Lang::tr{'MTU'} = $Lang::tr{'openvpn default'}: udp/tcp 1500/1400
fragment:  
fragment   $Lang::tr{'openvpn default'}: 1300
mssfix:  
mssfix   <= /td> $Lang::tr{'openvpn default'}: on
$Lang::tr{'comp-lzo'} &= nbsp; -
$Lang::tr{'ovpn mtu-disc'}: - - $Lang::tr{'ovpn mtu-disc yes'} - $Lang::tr{'ovpn mtu-disc maybe'} - $Lang::tr{'ovpn mtu-disc no'} - $Lang::tr{'ovpn mtu-disc off'} -
$Lang::tr{'comp-lzo'} =   +
$Lang::tr{'ovpn mtu-disc'} + $Lang::tr{'ovpn mtu-disc yes'} + $Lang::tr{'ovpn mtu-disc maybe'} + $Lang::tr{'ovpn mtu-disc no'} + $Lang::tr{'ovpn mtu-disc off'} +
$Lang::tr{'upload= a certificate request'}
$Lang::tr{'genera= te a certificate'} 
 $Lang::tr{'valid till'} (days):
  $Lang::tr{'pkcs12 file password'}:
 $Lang::tr{'pkcs12 file password'}= :
($Lang::tr{'confirmation'})
 $Lang::tr{'pkcs12 file password'}= :
($Lang::tr{'confirmation'})
 

END }else{ - print <         @@ -4741,7 +4915,7 @@ END if (&haveOrangeNet() && $selorange =3D=3D '1'){ print"";$selorange=3D0;}elsif(&haveOrangeNet() && $selorang= e =3D=3D '0'){print"";} =09 if ($selgreen =3D=3D '1' || $other =3D=3D '0'){ print"";$set=3D0;}else{print"