From: Michael Tremer Date: Tue, 19 Mar 2024 18:32:50 +0000 (+0100) Subject: ovpnmain.cgi: Implement cipher negotiation for RW clients X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=328c256d267b4fe16204d5e34105d2ff07f8ae80;p=people%2Fms%2Fipfire-2.x.git ovpnmain.cgi: Implement cipher negotiation for RW clients Signed-off-by: Michael Tremer --- diff --git a/doc/language_issues.de b/doc/language_issues.de index 6a4ee84ca..10bc2e501 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -871,6 +871,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: access point name = Access Point Name WARNING: untranslated string: access point name is invalid = Access Point Name is invalid WARNING: untranslated string: access point name is required = Access Point Name is required 
@@ -943,8 +948,11 @@ WARNING: untranslated string: log drop hostile out = Log dropped packets TO host WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Daemon WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: optional = Optional +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire invalid tree = Invalid repository selected WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. diff --git a/doc/language_issues.en b/doc/language_issues.en index 18591b0e9..c0b81d112 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -1,9 +1,14 @@ WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: Act as = Act as: WARNING: untranslated string: Add Level7 rule = Add Level7 rule WARNING: untranslated string: Add Port Rule = Add port rule WARNING: untranslated string: Add Rule = Add rule WARNING: untranslated string: Add a route = Add a route +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS @@ -1453,6 +1458,7 @@ WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing O WARNING: untranslated string: outgoing traffic in bytes per second = Outgoing Traffic WARNING: untranslated string: ovpn = OpenVPN WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn con stat = OpenVPN Connection Statistics WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options 
@@ -1461,6 +1467,7 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn on blue = OpenVPN on BLUE: @@ -1475,6 +1482,7 @@ WARNING: untranslated string: ovpn subnet = OpenVPN subnet: WARNING: untranslated string: ovpn subnet is invalid = OpenVPN subnet is invalid. WARNING: untranslated string: ovpn subnet overlap = OpenVPN Subnet overlaps with : WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pagerefresh = Page is beeing refreshed, please wait. WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire accept all = Do you want to install all packages? diff --git a/doc/language_issues.es b/doc/language_issues.es index 17b0a57fa..3054b8cde 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -944,6 +944,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Scan for Songs = unknown string @@ -1005,8 +1010,11 @@ WARNING: untranslated string: log drop hostile out = Log dropped packets TO host WARNING: untranslated string: no data = unknown string WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: regenerate host certificate = Renew Host Certificate WARNING: untranslated string: reiserfs warning1 = Reiserfs is deprecated and scheduled to be removed from the kernel in 2025. 
diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 6ddab4395..a973e161f 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -912,6 +912,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: core notice 3 = available. WARNING: untranslated string: enable disable client = unknown string WARNING: untranslated string: enable disable dyndns = unknown string 
@@ -949,8 +954,11 @@ WARNING: untranslated string: guardian logtarget_syslog = unknown string WARNING: untranslated string: guardian no entries = unknown string WARNING: untranslated string: guardian service = unknown string WARNING: untranslated string: hostile networks total = Total Hostile Networks +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: routing config added = unknown string WARNING: untranslated string: routing config changed = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index 5626918ae..39522efec 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -850,6 +850,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1195,11 +1200,14 @@ WARNING: untranslated string: otp qrcode = OTP QRCode WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 9a26b205f..573f68cb8 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -850,6 +850,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1217,13 +1222,16 @@ WARNING: untranslated string: otp qrcode = OTP QRCode WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... WARNING: untranslated string: pakfire finished error = Pakfire has finished! Errors occurred, please check the log output before proceeding. diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 4a2ba4033..4821848ec 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -762,6 +762,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS @@ -1382,6 +1387,7 @@ WARNING: untranslated string: outgoing compression in bytes per second = Outgoin WARNING: untranslated string: outgoing firewall access = Outgoing Firewall Access WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set 
@@ -1389,6 +1395,7 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. @@ -1396,6 +1403,7 @@ WARNING: untranslated string: ovpn routes push = Routes (one per line) e.g. 192. WARNING: untranslated string: ovpn routes push options = Route push options WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 3fe8454d6..e5dc832be 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -756,7 +756,12 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: Add a route = Add a route +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1381,16 +1386,19 @@ WARNING: untranslated string: outgoing firewall access = Outgoing Firewall Acces WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: outgoing traffic in bytes per second = Outgoing Traffic WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.tr b/doc/language_issues.tr index c65623544..51895180b 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -878,6 +878,11 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Captive delete logo = Delete Logo WARNING: untranslated string: Disabled = Disabled 
@@ -1109,11 +1114,14 @@ WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: optional = Optional WARNING: untranslated string: otp qrcode = OTP QRCode +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_missings b/doc/language_missings index 6af76df07..cbab174f8 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -5,6 +5,10 @@ < access point name is invalid < access point name is required < advproxy update information +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < ansi t1.483 < backup archive @@ -43,6 +47,7 @@ < Captive heading voucher < Captive invalid coupon < Captive please enter a coupon code +< CHACHA20-POLY1305 < choose media < could not connect to www ipfire org < cryptographic settings 
@@ -76,8 +81,11 @@ < notes < okay < optional +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher +< ovpn unsupported cipher selected < quick control < random number generator daemon < regenerate host certificate @@ -112,6 +120,11 @@ < access point name is invalid < access point name is required < addon +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM +< CHACHA20-POLY1305 < cpu frequency < dhcp fixed ip address in dynamic range < dns servers @@ -130,8 +143,11 @@ < log drop hostile out < openvpn cert expires soon < openvpn cert has expired +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher +< ovpn unsupported cipher selected < regenerate host certificate < reiserfs warning1 < reiserfs warning2 @@ -145,15 +161,23 @@ ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < ansi t1.483 < bewan adsl pci st < bewan adsl usb +< CHACHA20-POLY1305 < extrahd because it it outside the allowed mount path < g.dtm < g.lite < hostile networks total +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher +< ovpn unsupported cipher selected < system time < timeformat < upload fcdsl.o @@ -188,6 +212,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < asn lookup failed < autonomous system @@ -263,6 +291,7 @@ < Captive vout < Captive WiFi coupon < Captive wrong ext +< CHACHA20-POLY1305 < check all < core update < cpu frequency 
@@ -516,12 +545,15 @@ < outgoing compression in bytes per second < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -710,6 +742,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < asn lookup failed < atm device @@ -787,6 +823,7 @@ < Captive vout < Captive WiFi coupon < Captive wrong ext +< CHACHA20-POLY1305 < check all < cpu frequency < crypto error @@ -1062,6 +1099,7 @@ < outgoing compression in bytes per second < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -1070,9 +1108,11 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn reneg sec < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -1266,6 +1306,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < age second < age seconds < age shour @@ -1389,6 +1433,7 @@ < ccd routes < ccd subnet < ccd used +< CHACHA20-POLY1305 < check all < community rules < ConnSched dial @@ -1928,6 +1973,7 @@ < outgoing firewall access < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines 
@@ -1938,6 +1984,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -1953,6 +2000,7 @@ < ovpn routes push options < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -2262,6 +2310,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < age second < age seconds < age shour @@ -2385,6 +2437,7 @@ < ccd routes < ccd subnet < ccd used +< CHACHA20-POLY1305 < check all < community rules < ConnSched dial @@ -2932,6 +2985,7 @@ < outgoing overhead in bytes per second < outgoing traffic in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -2940,6 +2994,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -2953,6 +3008,7 @@ < ovpn reneg sec < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -3248,6 +3304,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < asn lookup failed < autonomous system @@ -3269,6 +3329,7 @@ < cake profile pppoe-vcmux 32 < cake profile raw 0 < Captive delete logo +< CHACHA20-POLY1305 < core update < cpu frequency < crypto error 
@@ -3438,12 +3499,15 @@
 < openvpn cert has expired
 < optional
 < otp qrcode
+< ovpn ciphers
 < ovpn connection name
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
+< ovpn if ncp is disabled we must have cipher
 < ovpn rw connection log
 < ovpn tls auth
+< ovpn unsupported cipher selected
 < ovpn warning rfc3280
 < pakfire already busy
 < pakfire finished
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 83aa3d499..06abb5f58 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -47,6 +47,29 @@ use CGI::Carp 'fatalsToBrowser';
 my %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
+# Supported ciphers for NCP
+my @SUPPORTED_CIPHERS = (
+ "AES-256-GCM",
+ "AES-128-GCM",
+ "AES-256-CBC",
+ "AES-128-CBC",
+ "CHACHA20-POLY1305",
+);
+
+my $DEFAULT_CIPHERS = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305";
+
+# Translations for the cipher selection
+my %CIPHERS = (
+ # AES
+ "AES-256-GCM" => $Lang::tr{'AES-256-GCM'},
+ "AES-128-GCM" => $Lang::tr{'AES-128-GCM'},
+ "AES-256-CBC" => $Lang::tr{'AES-256-CBC'},
+ "AES-128-CBC" => $Lang::tr{'AES-128-CBC'},
+
+ # ChaCha20-Poly1305
+ "CHACHA20-POLY1305" => $Lang::tr{'CHACHA20-POLY1305'},
+);
+
 ###
 ### Initialize variables
 ###
@@ -235,8 +258,19 @@ sub writeserverconf {
 }
 print CONF "status-version 1\n";
 print CONF "status /var/run/ovpnserver.log 30\n";
- print CONF "ncp-disable\n";
- print CONF "cipher $sovpnsettings{DCIPHER}\n";
+
+ # Cryptography
+ if ($sovpnsettings{'DATACIPHERS'} eq '') {
+ print CONF "ncp-disable\n";
+ } else {
+ print CONF "data-ciphers " . $sovpnsettings{'DATACIPHERS'} =~ s/\|/:/gr . "\n";
+ }
+
+ # Enable fallback cipher?
+ if ($sovpnsettings{'DCIPHER'} ne '') {
+ print CONF "data-ciphers-fallback $sovpnsettings{'DCIPHER'}\n";
+ }
+
 print CONF "auth $sovpnsettings{'DAUTH'}\n";
 # Set TLSv2 as minimum
 print CONF "tls-version-min 1.2\n";
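Review bot: The keys of `%CIPHERS` repeat `@SUPPORTED_CIPHERS` entry for entry, and `$DEFAULT_CIPHERS` spells a subset of the same names a third time as a string, so adding or dropping a cipher later means editing three places that can silently drift apart. The translation map can be derived from the list instead: `my %CIPHERS = map { $_ => $Lang::tr{$_} } @SUPPORTED_CIPHERS;`. `%CIPHERS` is not referenced anywhere else in this diff, so whether the "# AES" / "# ChaCha20-Poly1305" grouping matters to a consumer cannot be judged from here.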
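Review bot: `data-ciphers-fallback $sovpnsettings{'DCIPHER'}` writes the stored value verbatim onto a line of the OpenVPN server configuration, and nothing in this commit checks that `DCIPHER` is one of the offered cipher names: the save handler (hunk at -673) validates `DATACIPHERS` against `@SUPPORTED_CIPHERS` but copies `DCIPHER` straight from `$cgiparams`, unless it is validated somewhere this diff does not show. The `cipher` line being replaced had the same property, but since the commit introduces list validation for the negotiated ciphers it is the natural place to give the fallback the same treatment, e.g. rejecting the request in the save handler when `$cgiparams{'DCIPHER'} ne '' && $cgiparams{'DCIPHER'} !~ m/\A[A-Z0-9-]+\z/`, or better comparing against the fixed set of names the `DCIPHER` select offers. A one-line comment above the fallback block stating that the value is trusted because it was validated on save would then document the contract. `writeserverconf` starts outside the hunk.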
@@ -673,11 +707,29 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
 $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
+ $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 my @temp=();
+ # If NCP is disabled, we need the fallback cipher
+ if ($cgiparams{'DATACIPHERS'} eq '' && $cgiparams{'DCIPHER'} eq '') {
+ $errormessage = $Lang::tr{'ovpn if ncp is disabled we must have cipher'};
+ goto ADV_ERROR;
+ }
+
+ # Split data ciphers
+ my @dataciphers = split(/\|/, $cgiparams{'DATACIPHERS'});
+
+ # Check if all ciphers are supported
+ foreach my $cipher (@dataciphers) {
+ if (!grep(/^$cipher$/, @SUPPORTED_CIPHERS)) {
+ $errormessage = $Lang::tr{'ovpn unsupported cipher selected'};
+ goto ADV_ERROR;
+ }
+ }
+
 if ($cgiparams{'FRAGMENT'} eq '') {
 delete $vpnsettings{'FRAGMENT'};
 } else {
@@ -2125,7 +2177,20 @@ else
 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
 }
- print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+ # Cryptography
+
+ # If no data ciphers have been selected, we try to use the fallback cipher
+ if ($vpnsettings{'DATACIPHERS'} eq '') {
+ print CLIENTCONF "ncp-disable\r\n";
+
+ if ($vpnsettings{'DCIPHER'} ne '') {
+ print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
+ }
+ } else {
+ # Otherwise we don't write anything because the server and client will negotiate
+ }
+
 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 if ($vpnsettings{'TLSAUTH'} eq 'on') {
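Review bot: `grep(/^$cipher$/, @SUPPORTED_CIPHERS)` interpolates each user-supplied cipher name into a regular expression unescaped, so the check passes for any pattern that happens to match one of the supported names rather than for the names themselves, and the unchanged `$cgiparams{'DATACIPHERS'}` is then stored and later written by `writeserverconf` into the `data-ciphers` line of the server configuration. An exact string comparison is what this validation needs: `if (!grep { $_ eq $cipher } @SUPPORTED_CIPHERS) {` (or, at minimum, `\Q$cipher\E` inside the pattern). The same regex-grep idiom is used in the ADV_ERROR hunk at -2524 with `$cipher` taken from the trusted list, where switching to `eq` is only a matter of consistency. The enclosing `if ($cgiparams{'ACTION'} eq …)` block starts and ends outside the hunk.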
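Review bot: The `else` branch of the new client-config block holds only a comment, which reads like a statement that was forgotten; folding the remark into the comment above the `if` and dropping the branch says the same thing with less code, e.g. `# Without selected data ciphers pin the fallback cipher; otherwise write nothing, server and client negotiate.` Separately, settings files saved before this change carry no `DATACIPHERS` key, so `$vpnsettings{'DATACIPHERS'} eq ''` compares `undef` and, if the file runs under `use warnings` (not visible in this diff), logs an uninitialized-value warning on every client download; `($vpnsettings{'DATACIPHERS'} // '') eq ''` keeps the intended "treat missing as empty" behaviour quietly, and the same applies to the `DATACIPHERS` test in `writeserverconf`. The surrounding `else` block of the download action starts and ends outside the hunk.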
@@ -2477,6 +2542,9 @@ END
 read_routepushfile;
 ADV_ERROR:
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $cgiparams{'DATACIPHERS'} = $DEFAULT_CIPHERS;
+ }
 if ($cgiparams{'DAUTH'} eq '') {
 $cgiparams{'DAUTH'} = 'SHA512';
 }
@@ -2524,6 +2592,15 @@ ADV_ERROR:
 $selected{'LOG_VERB'}{'11'} = '';
 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
+ # Split data ciphers
+ my @data_ciphers = split(/\|/, $cgiparams{'DATACIPHERS'});
+
+ # Select the correct ones
+ $selected{'DATACIPHERS'} = ();
+ foreach my $cipher (@SUPPORTED_CIPHERS) {
+ $selected{'DATACIPHERS'}{$cipher} = grep(/^$cipher$/, @data_ciphers) ? "selected" : "";
+ }
+
 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
@@ -2573,6 +2650,30 @@ ADV_ERROR:
+ + + $Lang::tr{'ovpn ciphers'} + + + +
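Review bot: `$selected{'DATACIPHERS'} = ();` does not create an empty hash: an empty list assigned to a scalar element evaluates to `undef`, and the hashref only comes into being when the next line autovivifies it, so the statement is dead and misleading as a "reset". Either drop it or write what was meant, `$selected{'DATACIPHERS'} = {};`. The membership test on the following line, `grep(/^$cipher$/, @data_ciphers)`, is safe here because `$cipher` iterates the trusted `@SUPPORTED_CIPHERS`, but `grep { $_ eq $cipher } @data_ciphers` states the intent directly and matches the exact-compare form the save-time validation should use. The ADV_ERROR block continues past the hunk.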