To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 32280102d774eb3b19c423efbd40145f2e524427
X-Git-Refname: refs/heads/next
X-Git-Reftype: branch
X-Git-Oldrev: 24ad6f00b5c69f1ba882e0b11c6aee3ce8e2b619
X-Git-Newrev: 32280102d774eb3b19c423efbd40145f2e524427
Message-Id: <4dLR530bPmz2xsr@people01.haj.ipfire.org>
Date: Tue, 02 Dec 2025 16:27:34 +0000 (UTC)
From: Michael Tremer

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  32280102d774eb3b19c423efbd40145f2e524427 (commit)
       via  c3936b58dd71806c561d38ff326af732fcae54dd (commit)
       via  21f50e457e90a65127476b1ccee262cf535e95aa (commit)
      from  24ad6f00b5c69f1ba882e0b11c6aee3ce8e2b619 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 32280102d774eb3b19c423efbd40145f2e524427
Author: Michael Tremer
Date:   Tue Dec 2 16:27:20 2025 +0000

    core200: Ship and apply OpenVPN RW changes

    Signed-off-by: Michael Tremer

commit c3936b58dd71806c561d38ff326af732fcae54dd
Author: Michael Tremer
Date:   Tue Dec 2 17:20:46 2025 +0100

    ovpnmain.cgi: Push auth-token only to clients that use OTP

    This is mainly a cosmetic change as some clients complain about
    importing this option as it is supposed to be "push-only".

Signed-off-by: Michael Tremer commit 21f50e457e90a65127476b1ccee262cf535e95aa Author: Michael Tremer Date: Tue Dec 2 12:43:39 2025 +0100 ovpnmain.cgi: Push the MTU to the clients This is supported for clients >= 2.6 and will grant us some extra flexibility if this value needs to be changed. Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/core/200/filelists/files | 1 + config/rootfiles/core/200/update.sh | 4 ++++ html/cgi-bin/ovpnmain.cgi | 12 ++++++++---- 3 files changed, 13 insertions(+), 4 deletions(-) Difference in files: diff --git a/config/rootfiles/core/200/filelists/files b/config/rootfiles/core/200/filelists/files index e69de29bb..f7a8b3297 100644 --- a/config/rootfiles/core/200/filelists/files +++ b/config/rootfiles/core/200/filelists/files @@ -0,0 +1 @@ +srv/web/ipfire/cgi-bin/ovpnmain.cgi diff --git a/config/rootfiles/core/200/update.sh b/config/rootfiles/core/200/update.sh index 6dba91fce..7d00047b1 100644 --- a/config/rootfiles/core/200/update.sh +++ b/config/rootfiles/core/200/update.sh @@ -69,8 +69,12 @@ ldconfig # Apply SSH configuration /usr/local/bin/sshctrl +# Update the OpenVPN configuration +sudo -u nobody /srv/web/ipfire/cgi-bin/ovpnmain.cgi + # Start services /etc/init.d/unbound restart +/etc/init.d/openvpn-rw restart # Build initial ramdisks (for intel-microcode) dracut --regenerate-all --force diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index ec86a218b..dd4f98246 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -265,7 +265,10 @@ sub writeserverconf { my $subnetmask = &Network::get_netmask($vpnsettings{'DOVPN_SUBNET'}); print CONF "server $netaddress $subnetmask\n"; + + # Set the MTU and push it to the clients print CONF "tun-mtu $vpnsettings{'DMTU'}\n"; + print CONF "push \"tun-mtu $vpnsettings{'DMTU'}\"\n"; # Write custom routes if ($vpnsettings{'ROUTES_PUSH'} ne '') { 
@@ -624,6 +627,11 @@ sub write_ccd_configs() { # Write a header print CONF "# OpenVPN Client Configuration File\n\n"; + # Push the auth-token if the client is using OTP + if ($conns{$key}[43] eq 'on') { + print CONF "push \"auth-token TOTP\"\n\n"; + } + # Fetch the allocated IP address (if any) my $pool = $conns{$key}[32]; my $address = $conns{$key}[33]; @@ -2436,9 +2444,6 @@ END print "remote $vpnsettings{'VPN_IP'} $vpnsettings{'DDEST_PORT'}\n"; print "proto $vpnsettings{'DPROTOCOL'}\n"; - # Configure the MTU of the tunnel interface - print "tun-mtu $vpnsettings{'DMTU'}\n"; - # Ask the client to verify the server certificate if (&is_cert_rfc3280_compliant("${General::swroot}/ovpn/certs/servercert.pem")) { print "remote-cert-tls server\n"; @@ -2465,7 +2470,6 @@ END # Set a fake user name for authentication print "auth-user-pass\n"; print "auth-token-user USER\n"; - print "auth-token TOTP\n"; # If the server is asking for TOTP this needs to happen interactively print "auth-retry interact\n"; hooks/post-receive -- IPFire 2.x development tree
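
Review bot: In the update.sh hunk (@@ -69,8 +69,12), the exit status of `sudo -u nobody /srv/web/ipfire/cgi-bin/ovpnmain.cgi` is not checked before `/etc/init.d/openvpn-rw restart` runs, so a failed regeneration still restarts the service on whatever configuration is left on disk. Consider restarting only when the CGI call succeeds and logging the failure otherwise. The restart is also unconditional in the lines shown; unless the init script itself skips a disabled roadwarrior server, that check belongs here. The comment should say what the command-line invocation rewrites (server configuration only, or the per-client CCD files as well), because the auth-token change in the same series depends on the CCD files being regenerated.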
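
Review bot: In the writeserverconf hunk (@@ -265,7 +265,10), the new `print CONF "push \"tun-mtu $vpnsettings{'DMTU'}\"\n";` interpolates DMTU inside a quoted directive and no validation is visible in these lines. Please confirm the value is checked as a plain integer when the settings are saved, since a quote or newline in it would yield a malformed or additional directive in the server configuration. If that check already exists elsewhere in the file, a short reference to it in the comment would be enough.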
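
Review bot: In the write_ccd_configs hunk (@@ -624,6 +627,11), `$conns{$key}[43] eq 'on'` compares against undef for any connection entry that has fewer than 44 fields. Guarding the access, for example `($conns{$key}[43] // '') eq 'on'`, keeps older entries from being treated inconsistently or producing warnings. The bare index 43 is also only explained by the comment above it; a named constant for the OTP field would make the condition self-describing.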
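
Review bot: In the client profile hunk (@@ -2436,9 +2444,6), removing `print "tun-mtu $vpnsettings{'DMTU'}\n";` means the MTU now reaches clients only through the server-side push, which the commit message states is supported for clients >= 2.6. Older clients would fall back to their own default MTU, which differs from the server whenever DMTU is not the default. Either keep the line in the generated profile for compatibility or document 2.6 as the minimum supported client version.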