OpenVPN:Add HMAC, cipher 'n2n' and DH key selection. Fixes and new design.

Added HMAC algorithm selection menu for N2N and RW. Added cipher selection menu for N2N connections. Added DH key selection also for existing installations incl. DH key upload possibility. Adjusted the ovpn main WUI design to IPSec WUI. Extend key lenght for CA, cert and control channel with faktor 2. Some code and typo cleanup. Bugfixes for #10317, #10149, #10462, #10463 V.2 New changes: Integrated changes in langs and ovpnmain.cgi until 20.03.2014 2.15-Beta3. ovpn.cnf have now default bits of 2048 instead of 1024. ovpn.cnf default_md works now with sha256 instead of md5. Bugfix: By new installation the auth directive for RWs is faded out #10462 Comment 15. Added error message if the crl should be displayed but no crl is present. v.3 New changes #10462 Comment 20: Updated to core version 77. Deleted manual name award in DH key upload section, name will be given automatically now. Added sha512WithRSAEncryption instead of sha1WithRSAEncryption for "Root Certificate". Added tls-auth support for Roadwarriors. Added crypto engine support for N2N and Roadwarriors.
2026-04-27 19:23:24 +02:00 · 2014-05-11 09:24:04 +02:00
parent a257ce6b8d
commit 49abe7afb1
4 changed files with 943 additions and 450 deletions
--- a/config/ovpn/openssl/ovpn.cnf
+++ b/config/ovpn/openssl/ovpn.cnf
@@ -1,46 +1,46 @@
-HOME		= .
-RANDFILE	= /var/ipfire/ovpn/ca/.rnd
-oid_section	= new_oids
+HOME				= .
+RANDFILE			= /var/ipfire/ovpn/ca/.rnd
+oid_section			= new_oids

 [ new_oids ]

 [ ca ]
-default_ca	= openvpn
+default_ca			= openvpn

 [ openvpn ]
-dir		= /var/ipfire/ovpn
-certs		= $dir/certs
-crl_dir		= $dir/crl
-database	= $dir/certs/index.txt
-new_certs_dir	= $dir/certs
-certificate	= $dir/ca/cacert.pem
-serial		= $dir/certs/serial
-crl		= $dir/crl.pem
-private_key	= $dir/ca/cakey.pem
-RANDFILE	= $dir/ca/.rand
-x509_extensions	= usr_cert
-default_days	= 999999
-default_crl_days= 30
-default_md	= md5
-preserve	= no
-policy		= policy_match
-email_in_dn	= no
+dir				= /var/ipfire/ovpn
+certs				= $dir/certs
+crl_dir				= $dir/crl
+database			= $dir/certs/index.txt
+new_certs_dir			= $dir/certs
+certificate			= $dir/ca/cacert.pem
+serial				= $dir/certs/serial
+crl				= $dir/crl.pem
+private_key			= $dir/ca/cakey.pem
+RANDFILE			= $dir/ca/.rand
+x509_extensions			= usr_cert
+default_days			= 999999
+default_crl_days		= 30
+default_md			= sha256
+preserve			= no
+policy				= policy_match
+email_in_dn			= no

 [ policy_match ]
-countryName		= optional
-stateOrProvinceName	= optional
-organizationName	= optional
-organizationalUnitName	= optional
-commonName		= supplied
-emailAddress		= optional
+countryName			= optional
+stateOrProvinceName		= optional
+organizationName		= optional
+organizationalUnitName		= optional
+commonName			= supplied
+emailAddress			= optional

 [ req ]
-default_bits		= 1024
-default_keyfile 	= privkey.pem
-distinguished_name	= req_distinguished_name
-attributes		= req_attributes
-x509_extensions	= v3_ca
-string_mask = nombstr
+default_bits			= 2048
+default_keyfile 		= privkey.pem
+distinguished_name		= req_distinguished_name
+attributes			= req_attributes
+x509_extensions			= v3_ca
+string_mask 			= nombstr

 [ req_distinguished_name ]
 countryName			= Country Name (2 letter code)
@@ -73,31 +73,31 @@ challengePassword_max		= 20
 unstructuredName		= An optional company name

 [ usr_cert ]
-basicConstraints=CA:FALSE
+basicConstraints		= CA:FALSE
 nsComment			= "OpenSSL Generated Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+subjectKeyIdentifier		= hash
+authorityKeyIdentifier		= keyid,issuer:always

 [ server ]

 # JY ADDED -- Make a cert with nsCertType set to "server"
-basicConstraints=CA:FALSE
+basicConstraints		= CA:FALSE
 nsCertType			= server
 nsComment			= "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always 
+subjectKeyIdentifier		= hash
+authorityKeyIdentifier		= keyid,issuer:always 

 [ v3_req ]
-basicConstraints = CA:FALSE
-keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+basicConstraints 		= CA:FALSE
+keyUsage 			= nonRepudiation, digitalSignature, keyEncipherment

 [ v3_ca ]
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid:always,issuer:always
-basicConstraints = CA:true
+subjectKeyIdentifier		= hash
+authorityKeyIdentifier		= keyid:always,issuer:always
+basicConstraints 		= CA:true

 [ crl_ext ]
-authorityKeyIdentifier=keyid:always,issuer:always
+authorityKeyIdentifier		= keyid:always,issuer:always

 [ engine ]
-default = openssl
+default 			= openssl