bpfire

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-10 19:15:54 +02:00

Author	SHA1	Message	Date
Erik Kapfer	942446b553	OpenVPN: Add tls-version-min for TLSv1.2 ovpnmain.cgi delivers now 'tls-version-min 1.2' for Roadwarrior and N2N. Since the server needs it only on server side, this patch do not includes it for Roadwarrior clients. N2N do not uses push options therefor this directive will be included on both sides. To integrate the new directive into actual working OpenVPN server environment, the following commands should be executed via update.sh. Code block start: if test -f "/var/ipfire/ovpn/server.conf"; then # Add tls-version-minimum to OpenVPN server if not already there if ! grep -q '^tls-version-min' /var/ipfire/ovpn/server.conf > /dev/null 2>&1; then # Stop server before append the line /usr/local/bin/openvpnctrl -k # Append new directive echo >> "tls-version-min 1.2" /var/ipfire/ovpn/server.conf # Make sure server.conf have the correct permissions to prevent such # --> https://community.ipfire.org/t/unable-to-start-the-openvpn-server/2465/54?u=ummeegge # case chown nobody:nobody /var/ipfire/ovpn/server.conf # Start server again /usr/local/bin/openvpnctrl -s fi fi Code block end Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2020-08-17 10:09:15 +00:00
Erik Kapfer	ba50f66da3	OpenVPN: max-clients value has been enhanced The --max-client value has been enhanced from 255 clients to 1024 clients. Error message gives now explanation if the maximum has been reached. Patch has been triggered by https://community.ipfire.org/t/openvpn-max-vpn-clients-quantity-and-connections/2925 . Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2020-08-17 10:09:03 +00:00
Stefan Schantl	e2e270e1db	ovpnmain.cgi: Use location-functions.pl Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2020-06-12 18:51:03 +02:00
Stefan Schantl	8b58dbf32a	Merge branch 'switch-to-libloc' into next-switch-to-libloc	2020-05-25 19:58:54 +02:00
Erik Kapfer	73735ad99c	OpenVPN: Fix for N2N plausibility checks Fixes #12335 If no N2N name has been set, no directory and config has been created so it can not be deleted. 'goto VPNCONF_ERROR;' has been missing for N2N checks. Fixed also code formatting. Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-09 11:42:24 +00:00
Michael Tremer	708f2b7368	openvpn: Add metrics script This script is called when an OpenVPN Roadwarrior client connects or disconnect and logs the start and duration of the session. This can be used to monitor session duration and data transfer. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-05-01 19:18:00 +00:00
Erik Kapfer	fa4dbe2745	OpenVPN: Delete RRD dir if connection is deleted Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-03-30 16:29:57 +00:00
Stefan Schantl	7ad653cc09	ovpnmain.cgi: Validate CCDNet name when renaming it. Fixes #12282 Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-03-26 17:51:04 +00:00
Erik Kapfer	6ad43b0f21	OpenVPN: Stop N2N connection before remove. Fix #12334 Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2020-03-26 09:44:03 +00:00
Erik Kapfer	6a9d9ff4af	ovpn: Fix LZO checkbox restore Triggered by --> https://community.ipfire.org/t/openvpn-is-lzo-compression-now-effectively-disabled/503 . Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-12-06 16:39:55 +00:00
Stefan Schantl	83ccdf7fea	openvpnmain.cgi: Use new location lookup method. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>	2019-12-06 14:36:48 +01:00
Erik Kapfer	fa5274763c	OpenVPN: Fix max-clients option Fix: Triggered by https://forum.ipfire.org/viewtopic.php?f=16&t=23551 Since the 'DHCP_WINS' cgiparam has been set for the max-client directive, changes in the WUI has not been adapted to server.conf. Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-11-13 18:55:15 +00:00
Michael Tremer	2ad1b18bdb	vpnmain.cgi+ovpnmain.cgi: Fix file upload with new versions of Perl File uploads did not work since Perl was upgraded. This patch fixes that problem by only checking if an object was returned instead of performing a string comparison. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-14 18:10:20 +00:00
Erik Kapfer	b21a6319cd	ovpn: Add ta.key check to main settings Since Core 132 the 'TLS Channel Protection' is part of the global settings, the ta.key generation check should also be in the main section otherwise it won´t be created if not present. Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:04:52 +00:00
Erik Kapfer	ae04d0a311	ovpn: Generate ta.key before dh-parameter Fixes: #11964 and #12157 If slow boards or/and boards with low entropy needs too long to generate the DH-parameter, ovpnmain.cgi can get into a "Script timed out before returning headers" and no further OpenSSl commands will be executed after dhparam is finished. Since the ta.key are created after the DH-parameter, it won´t be produced in that case. To prevent this, the DH-parameter will now be generated at the end. Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>	2019-10-08 18:04:50 +00:00
Erik Kapfer	d2de0a00ce	ovpnmain.cgi: Fixed line break for LZO option It is better readable if everything is in one line. Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-06-02 22:49:17 +01:00
Erik Kapfer	1338977702	ovpn_reorganize_encryption: Integrate LZO from global to advanced section Fixes: #11819 - Since the Voracle vulnerability, LZO is better placed under advanced section cause under specific circumstances it is exploitable. - Warning/hint has been added in the option defaults description. Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-05-20 10:51:26 +01:00
Erik Kapfer	0c4ffc6919	ovpn_reorganize_encryption: Added tls-auth into global section - Since HMAC selection is already in global section, it makes sense to keep the encryption togehter. - Given tls-auth better understandable name. Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-05-20 10:50:21 +01:00
Erik Kapfer	86308adb25	ovpn_reorganize_encryption: Integrate HMAC selection to global section Fixes: #12009 and #11824 - Since HMACs will be used in any configuration it is better placed in the global menu. - Adapted global section to advanced and marked sections with a headline for better overview. - Deleted old headline in advanced section cause it is not needed anymore. - Added check if settings do not includes 'DAUTH', if possible SHA512 will be used and written to settings file. Old configurations with SHA1 will be untouched. Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-05-20 10:49:30 +01:00
Michael Tremer	b6c60092db	openvpn: Remove subnet check for static pools Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-03-22 15:24:03 +00:00
Erik Kapfer	e6f7f8e7ba	database_attribute: Deliver/create index.txt.attr Fixes #11904 Since OpenSSL-1.1.0x the database attribute file for IPSec and OpenVPN wasn´t created while initial PKI generation. OpenVPN delivered an error message but IPSec did crashed within the first attempt. This problem persists also after X509 deletion and new generation. index.txt.attr will now be delivered by the system but also deleted and recreated while setting up a new x509. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2019-01-03 14:52:53 +00:00
Erik Kapfer	32405d88b0	OpenVPN: Deleted mtu-disc completely since it has been dropped. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-10 18:40:39 +01:00
Erik Kapfer	400c8afd98	OpenVPN: x509 and DH-parameter check with Warnings and error messages in WUI Changes includes: Own crypto warning and error message in WUI (can be extended to configuration too). Check if DH-parameter is < 2048 bit with an error message and howto fix it. Check if md5 is still in use with an error message and suggestion how to proceed further to fix it. Check for soon needed RFC3280 TLS rules compliants and suggestion how to proceed further to fix it. Disabled 1024 bit DH-parameter upload. Changed de and en language files for DH-parameter upload (deleted 1024 bit). Added explanations to de and en language files for the above changes. Fixed Typo in en language file. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-03 15:32:48 +01:00
Michael Tremer	55d590518d	Revert "OpenVPN: Clarify fundamental crypto errors but also warnings in WUI" This reverts commit `15a3aa45cf`. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-03 15:32:42 +01:00
Erik Kapfer	15a3aa45cf	OpenVPN: Clarify fundamental crypto errors but also warnings in WUI Since OpenVPN-2.4.x, a lot of changes has been introduced. This patch should help the users for better understanding of errors in the cryptography. It includes also potential warnings for upcoming changes and needed adjustments in the system. This can also be extended in the future for upcoming configuration changes. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-03 10:34:41 +01:00
Erik Kapfer	8ae4010b31	OpenVPN: Prevent internal server error cause of bad header wrapper This fixes #11772 . If the X509 are deleted, the openvpnctrl output generates a bad header wrapper error from the CGI which causes an internal server error. The redirection of the openvpnctrl output fixes this. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-07-03 10:34:29 +01:00
Erik Kapfer	e3dda65eba	OpenVPN: Delete 1024 bit DH-parameter from menu Since OpenVPN-2.4.x do not accepts 1024 bit DH-parameter for security concerns anymore, it has been removed from the menu. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-06-19 11:31:19 +01:00
Erik Kapfer	beac479f2d	OpenVPN: Prevent that a Roadwarrior name will be set two times Fixes bug #11307 Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-06-18 16:48:24 +01:00
Erik Kapfer	87ea30ff56	OpenVPN: Fix upload check for root and host certificate Fix for #11766 . Since the new OpenSSL output differs in the 'Subject' section, the regex needed to be adapted. Old and new output should now be possible. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-06-18 16:31:48 +01:00
Erik Kapfer	c0a7c9b278	OpenVPN: Set default of 730 days for client certificate validity Since OpenSSL 1.1.0x it is required to set a value for the 'valid til (days)' field. The WUI delivers now a guide value of two years. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-06-18 15:49:24 +01:00
Erik Kapfer	425465ede9	OpenVPN: Valid til days is required with OpenVPN-2.4.x Check has been integrated that the OpenSSL maximum of '999999' valid days can not be exceeded. Check for needed entry in 'Valid til days' field has been integrated. Asterisk for 'Valid til days' field has been set to mark it as required field. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-06-18 15:06:20 +01:00
Michael Tremer	5f12becaa7	ovpnmain.cgi: Add missing closing bracket Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-06-18 14:11:39 +01:00
Peter Müller	d8ef6a9537	display country data for remote IPs on ovpnmain.cgi This makes debugging easier, especially when it comes to GeoIP related firewall rules and database related issues such as #11482. Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-05-09 14:51:20 +01:00
Michael Tremer	f5b2d0a14a	OpenVPN: Drop Path MTU discovery settings These have to be dropped since the entire system does not support Path MTU discovery any more. This should not have any disadvantage on any tunnels since PMTU didn't really work in the first place. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-04-09 11:32:07 +01:00
Erik Kapfer via Development	52f61e496d	OpenVPN: New AES-GCM cipher for N2N and RW AES-GCM 128, 196 and 256 bit has been added to Net-to-Net and Roadwarrior section. HMAC selection for N2N will be disabled if AES-GCM is used since GCM provides an own message authentication (GMAC). 'auth *' line in N2N.conf will be deleted appropriately if AES-GCM is used since '--tls-auth' is not available for N2N. HMAC selection menu for Roadwarriors is still available since '--tls-auth' is available for RWs which uses the configuered HMAC even AES-GCM has been applied. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-02-25 19:31:30 +00:00
Michael Tremer	9434bffaf2	Merge branch 'openssl-11' into next	2018-02-21 12:21:10 +00:00
Erik Kapfer	a4fd232541	OpenVPN: Added needed directive for v2.4 update script-security: The support for the 'system' flag has been removed due to security implications with shell expansions when executing scripts via system() call. For more informations: https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage . ncp-disable: Negotiable crypto parameters has been disabled for the first. Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-02-15 10:41:41 +00:00
Erik Kapfer	ea6dd5b0ac	OpenVPN: Mark unsecure ciphers and DH-parameter as 'weak' in WUI menu 64 bit block ciphers like Blowfish, TDEA and CAST5 are vulnerable to the so called 'Birthday attacks' . Infos for 'Sweet32' Birthday attacks can be found in here https://sweet32.info/ . An Overview of 64 bit clock ciphers can also be found in here http://en.citizendium.org/wiki/Block_cipher/Catalogs/Cipher_list#64-bit_blocks 1024 bit Diffie-Hellman parameter has also been marked as weak causing the 'Logjam Attack' . Infos for 'Logjam Attack' can be found in here https://weakdh.org/ . Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2018-02-11 23:41:42 +00:00
Peter Müller	6fc0f5eb92	mark 3DES and 1024 bit DH params as weak These are not considered secure anymore but are unfortunately still needed in some cases (legacy hardware, ...). Signed-off-by: Peter Müller <peter.mueller@link38.eu> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-12-14 17:46:13 +00:00
Michael Tremer	3a44597467	OpenVPN: Allow to set routes to IPsec networks This makes hub-and-spoke designs with OpenVPN RW and IPsec N2N easier to configure Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-12-04 17:51:53 +00:00
Erik Kapfer	b66b02ab73	OpenVPN: Fix for '--ns-cert-type server is deprecated' . - Added extended key usage based on RFC3280 TLS rules for OpenVPNs OpenSSL configuration, so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type' if the host certificate are newely generated with this options. Nevertheless both directives (old and new) will work also with old CAs. - Automatic detection if the host certificate uses the new options. If it does, '--remote-cert-tls server' will be automatically set into the client configuration files for Net-to-Net and Roadwarriors connections. If it does NOT, the old '--ns-cert-type server' directive will be set in the client configuration file. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-10-11 11:55:16 +01:00
Michael Tremer	f3dfb261c8	OpenVPN: Mark SHA1 as weak Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-04-28 13:03:46 +01:00
Michael Tremer	7090074557	OpenVPN: Use SHA512 by default This will break compatibility with old clients like Windows XP, but these are too old now to be supported. SHA1 is considered to be weak and should not be used any more Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2017-04-28 13:01:41 +01:00
Erik Kapfer	964700d414	openvpn: Update to version 2.3.7, added --verify-x509-name directive. The tls-remote directive is deprecated and will be removed with OpenVPN version 2.4 . Added instead --verify-x509-name HOST name into ovpnmain.cgi. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2016-01-04 22:41:46 +00:00
Alexander Marx	35a21a254d	BUG10902: Add statusfile line when editing an ovpn n2n connection Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2015-11-09 17:36:10 +00:00
Michael Tremer	2913185aa4	openvpn: The --up option only takes one single argument Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2015-11-05 11:44:57 +00:00
Michael Tremer	a4e9b9d8e0	openvpn: Apply static routes on client site as well Fixes: #10968 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2015-11-05 11:44:04 +00:00
Michael Tremer	b22d8aaf4a	openvpn: Embed the certificate and key file into configuration This will allow to import just the configuration file into iOS and establish the VPN connection. Also works with many other OpenVPN clients. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2015-11-04 21:10:47 +00:00
Michael Tremer	71af643cda	openvpn: Add option to download a client package with PEM files This patch adds the option to download a client package that comes with a regular PEM and key file instead of a PKCS12 file which is easier to use with clients that don't support PKCS12 (like iOS) opposed to converting the file manually. This requires that the connection is created without using a password for the certificate. Then the certificate is already stored in an insecure way. This patch also adds this to the Core Update 95 updater. Fixes: #10966 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> CC: Alexander Marx <alexander.marx@ipfire.org>	2015-11-04 21:10:41 +00:00
Michael Tremer	3045d6abde	openvpn: Apply static routes when N2N connection comes up Fixes: #10968 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>	2015-11-04 21:10:27 +00:00

1 2 3 4 5

207 Commits