This parameter can either be "host" or "net", but the existing check
only allows "net" entries. Since other entries are also valid but
don't require further action, this patch removes the error message.
Fixes: #12686
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This disables the theme support and makes it impossible to use any other
themes than the ipfire default theme.
The only intention of this patch is to hardcode the theme to ipfire.
To change any cgi we have is an ugly way, but the only way to do this
fast. The colour handling needs certainly to be improved as well, but
this will and should be done in other patches.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
OpenVPN is an absolute mess. The behaviour of configuration
parameters has been changed over the time; default values have been
changed over time; and it looks like nobody is actually testing
anything any more.
I have been spending hours today on figuring out why OpenVPN
is so damn slow. On a Lightning Wire Labs IPFire Mini Appliance
it achieves about 100 MBit/s in the default configuration when
"openssl speed -evp aes-256-gcm" achieves over 3.5 GBit/s.
Changing any of the cryptography parameters does not change
anything. Throughput remains around 100 MBit/s.
I finally set "cipher none" and "auth none" which disables
encryption and authentication altogether but does not increase
throughput. From here on it was absolutely clear that it was
not a crypto issue.
OpenVPN tries to be smart here and does its own fragmentation.
This is the worst idea I have heard of all day, because that job
is normally done best by the OS.
Various settings which allow the user to "tune" this are grossly
ineffective - let alone it isn't even clear what I am supposed
to configure anywhere. Setting "fragment 1500" weirdly still
does not convince openvpn to generate a packet that is longer
than 1400 bytes. Who'd a thunk?
There is a number of other parameters to set the MTU or which
are related to it (tun-mtu, link-mtu, fragment, mssfix).
On top of all of this we have two "bugs" in ovpnmain.cgi which
are being fixed in this patch:
1) mssfix can be configured by the user. However, we always
enable it in openvpn. The default is on, we only add "mssfix"
which simply turns it on.
It is now being disabled when the user has chosen so in the
web UI. I do not know if this is backwards-compatible.
2) We cap the MTU (tun-mtu) at 1500 bytes when fragment is being
used. So it becomes pointless that the user can this and the
user is not being made aware of this when they hit the save
button.
This was added when we added path MTU discovery. Since that
did not work and was removed, we can remove this now, too.
I archived a solid 500-600 MBit/s of goodput with these settings:
* Disable mssfix
* Set "fragment" to 0
* Set MTU to 9000
I am sure the MTU could be further increased to have bigger packets,
but I did not test how badly this will affect latency of the tunnel.
OpenVPN seems to only be able to handle a certain amount of packets
a second - no matter what. With larger packets, the throughput of
the tunnel increases, but latency might as well.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Cc: Erik Kapfer <erik.kapfer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #12529
- If a client N2N configuration will be imported into IPFire systems,
a line will be added which calls the --up script to restart the
static route initscript. Since this is IPFire specific, i will only be
added via import on IPFire system.
- Deleted unneeded line in CLIENTCONF section.
- Added description to SERVERCONF section.
Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
ovpnmain.cgi delivers now 'tls-version-min 1.2' for Roadwarrior and N2N.
Since the server needs it only on server side, this patch do not includes it for Roadwarrior clients.
N2N do not uses push options therefor this directive will be included on both sides.
To integrate the new directive into actual working OpenVPN server environment, the following commands
should be executed via update.sh.
Code block start:
if test -f "/var/ipfire/ovpn/server.conf"; then
# Add tls-version-minimum to OpenVPN server if not already there
if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then
# Stop server before append the line
/usr/local/bin/openvpnctrl -k
# Append new directive
echo >> "tls-version-min 1.2" /var/ipfire/ovpn/server.conf
# Make sure server.conf have the correct permissions to prevent such
# --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge
# case
chown nobody:nobody /var/ipfire/ovpn/server.conf
# Start server again
/usr/local/bin/openvpnctrl -s
fi
fi
Code block end
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes#12335
If no N2N name has been set, no directory and config has been created so it can not be deleted.
'goto VPNCONF_ERROR;' has been missing for N2N checks.
Fixed also code formatting.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This script is called when an OpenVPN Roadwarrior client
connects or disconnect and logs the start and duration
of the session.
This can be used to monitor session duration and data transfer.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
File uploads did not work since Perl was upgraded. This patch
fixes that problem by only checking if an object was returned
instead of performing a string comparison.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since Core 132 the 'TLS Channel Protection' is part of the global settings,
the ta.key generation check should also be in the main section otherwise it
won´t be created if not present.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fixes: #11964 and #12157
If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a
"Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished.
Since the ta.key are created after the DH-parameter, it won´t be produced in that case.
To prevent this, the DH-parameter will now be generated at the end.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Fixes: #11819
- Since the Voracle vulnerability, LZO is better placed under advanced section cause under specific circumstances it is exploitable.
- Warning/hint has been added in the option defaults description.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Since HMAC selection is already in global section, it makes sense to keep the encryption togehter.
- Given tls-auth better understandable name.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes: #12009 and #11824
- Since HMACs will be used in any configuration it is better placed in the global menu.
- Adapted global section to advanced and marked sections with a headline for better overview.
- Deleted old headline in advanced section cause it is not needed anymore.
- Added check if settings do not includes 'DAUTH', if possible SHA512 will be used and written to settings file.
Old configurations with SHA1 will be untouched.
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fixes#11904
Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation.
OpenVPN delivered an error message but IPSec did crashed within the first attempt.
This problem persists also after X509 deletion and new generation.
index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changes includes:
Own crypto warning and error message in WUI (can be extended to configuration too).
Check if DH-parameter is < 2048 bit with an error message and howto fix it.
Check if md5 is still in use with an error message and suggestion how to proceed further to fix it.
Check for soon needed RFC3280 TLS rules compliants and suggestion how to proceed further to fix it.
Disabled 1024 bit DH-parameter upload.
Changed de and en language files for DH-parameter upload (deleted 1024 bit).
Added explanations to de and en language files for the above changes.
Fixed Typo in en language file.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since OpenVPN-2.4.x, a lot of changes has been introduced. This patch should help the users for better understanding of errors in the cryptography.
It includes also potential warnings for upcoming changes and needed adjustments in the system.
This can also be extended in the future for upcoming configuration changes.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This fixes#11772 .
If the X509 are deleted, the openvpnctrl output generates a bad header wrapper error from the CGI
which causes an internal server error. The redirection of the openvpnctrl output fixes this.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since OpenVPN-2.4.x do not accepts 1024 bit DH-parameter for security concerns anymore,
it has been removed from the menu.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Fix for #11766 .
Since the new OpenSSL output differs in the 'Subject' section, the regex needed to be adapted.
Old and new output should now be possible.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since OpenSSL 1.1.0x it is required to set a value for the 'valid til (days)' field.
The WUI delivers now a guide value of two years.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Check has been integrated that the OpenSSL maximum of '999999' valid days can not be exceeded.
Check for needed entry in 'Valid til days' field has been integrated.
Asterisk for 'Valid til days' field has been set to mark it as required field.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This makes debugging easier, especially when it comes to
GeoIP related firewall rules and database related issues
such as #11482.
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These have to be dropped since the entire system does not
support Path MTU discovery any more. This should not have
any disadvantage on any tunnels since PMTU didn't really
work in the first place.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section.
HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides an own message authentication (GMAC).
'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N.
HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs
which uses the configuered HMAC even AES-GCM has been applied.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
script-security: The support for the 'system' flag has been removed due to security implications
with shell expansions when executing scripts via system() call.
For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage .
ncp-disable: Negotiable crypto parameters has been disabled for the first.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These are not considered secure anymore but are unfortunately
still needed in some cases (legacy hardware, ...).
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
