From: Michael Tremer Date: Tue, 19 Mar 2024 18:32:50 +0000 (+0100) Subject: ovpnmain.cgi: Implement cipher negotiation for RW clients X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=49801863ecd4570c9e1fbbb67c83b739ecc11e5f;p=people%2Fms%2Fipfire-2.x.git ovpnmain.cgi: Implement cipher negotiation for RW clients Signed-off-by: Michael Tremer --- diff --git a/doc/language_issues.de b/doc/language_issues.de index e024cf279..60a42175e 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -931,6 +931,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: access point name = Access Point Name WARNING: untranslated string: access point name is invalid = Access Point Name is invalid WARNING: untranslated string: access point name is required = Access Point Name is required 
@@ -1006,9 +1011,12 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: optional = Optional +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire invalid tree = Invalid repository selected WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate diff --git a/doc/language_issues.en b/doc/language_issues.en index a8d6f4c2d..b398e25ed 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -1,9 +1,14 @@ WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: Act as = Act as: WARNING: untranslated string: Add Level7 rule = Add Level7 rule WARNING: untranslated string: Add Port Rule = Add port rule WARNING: untranslated string: Add Rule = Add rule WARNING: untranslated string: Add a route = Add a route +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS @@ -1422,6 +1427,7 @@ WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing O WARNING: untranslated string: outgoing traffic in bytes per second = Outgoing Traffic WARNING: untranslated string: ovpn = OpenVPN WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn con stat = OpenVPN Connection Statistics WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options 
@@ -1430,6 +1436,7 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn on blue = OpenVPN on BLUE: @@ -1445,6 +1452,7 @@ WARNING: untranslated string: ovpn subnet = OpenVPN subnet: WARNING: untranslated string: ovpn subnet is invalid = OpenVPN subnet is invalid. WARNING: untranslated string: ovpn subnet overlap = OpenVPN Subnet overlaps with : WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pagerefresh = Page is beeing refreshed, please wait. WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire accept all = Do you want to install all packages? diff --git a/doc/language_issues.es b/doc/language_issues.es index f37af3014..735fe3d80 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -1002,6 +1002,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: access point name = Access Point Name @@ -1069,9 +1074,12 @@ WARNING: untranslated string: no data = unknown string WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: processors = Processors WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) 
diff --git a/doc/language_issues.fr b/doc/language_issues.fr index e8b3d5e21..0aa069111 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -972,6 +972,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: core notice 3 = available. WARNING: untranslated string: data transfer = Data Transfer 
@@ -1017,9 +1022,12 @@ WARNING: untranslated string: ips throughput = Throughput WARNING: untranslated string: last updated = Last Updated WARNING: untranslated string: load average = Load Average WARNING: untranslated string: oops something went wrong = Oops, something went wrong... +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: processors = Processors WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) diff --git a/doc/language_issues.it b/doc/language_issues.it index 35c84aa26..ce9f2657f 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -905,6 +905,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1254,12 +1259,15 @@ WARNING: untranslated string: otp qrcode = OTP QRCode WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.nl b/doc/language_issues.nl index d3c2a6d6c..1d9df3022 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -906,6 +906,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1278,14 +1283,17 @@ WARNING: untranslated string: otp qrcode = OTP QRCode WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... WARNING: untranslated string: pakfire finished error = Pakfire has finished! Errors occurred, please check the log output before proceeding. diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 1b1e7bf05..ec63c0aa6 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -816,6 +816,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS @@ -1440,6 +1445,7 @@ WARNING: untranslated string: outgoing compression in bytes per second = Outgoin WARNING: untranslated string: outgoing firewall access = Outgoing Firewall Access WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set 
@@ -1447,6 +1453,7 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. @@ -1455,6 +1462,7 @@ WARNING: untranslated string: ovpn routes push = Routes (one per line) e.g. 192. WARNING: untranslated string: ovpn routes push options = Route push options WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.ru b/doc/language_issues.ru index dbbecfeda..249df9230 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -809,7 +809,12 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: Add a route = Add a route +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1437,17 +1442,20 @@ WARNING: untranslated string: outgoing firewall access = Outgoing Firewall Acces WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: outgoing traffic in bytes per second = Outgoing Traffic WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.tr b/doc/language_issues.tr index c20fe603b..eaaa90a15 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -933,6 +933,11 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Captive delete logo = Delete Logo WARNING: untranslated string: Disabled = Disabled 
@@ -1168,12 +1173,15 @@ WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: optional = Optional WARNING: untranslated string: otp qrcode = OTP QRCode +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_missings b/doc/language_missings index 236c49bd5..cd29d5f9e 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -5,6 +5,10 @@ < access point name is invalid < access point name is required < advproxy update information +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < ansi t1.483 < backup archive @@ -43,6 +47,7 @@ < Captive heading voucher < Captive invalid coupon < Captive please enter a coupon code +< CHACHA20-POLY1305 < choose media < could not connect to www ipfire org < cryptographic settings 
@@ -80,9 +85,12 @@ < okay < oops something went wrong < optional +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server +< ovpn unsupported cipher selected < quick control < random number generator daemon < regenerate host certificate @@ -123,7 +131,12 @@ < access point name is invalid < access point name is required < addon +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < bypassed +< CHACHA20-POLY1305 < cpu frequency < data transfer < dhcp fixed ip address in dynamic range @@ -151,9 +164,12 @@ < oops something went wrong < openvpn cert expires soon < openvpn cert has expired +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server +< ovpn unsupported cipher selected < processors < regenerate host certificate < reg_file_data_sampling @@ -179,10 +195,15 @@ ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < ansi t1.483 < bewan adsl pci st < bewan adsl usb < bypassed +< CHACHA20-POLY1305 < data transfer < extrahd because it it outside the allowed mount path < fwdfw syn flood protection @@ -196,9 +217,12 @@ < last updated < load average < oops something went wrong +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server +< ovpn unsupported cipher selected < processors < reg_file_data_sampling < scanned @@ -245,6 +269,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < asn lookup failed < autonomous system 
@@ -321,6 +349,7 @@ < Captive vout < Captive WiFi coupon < Captive wrong ext +< CHACHA20-POLY1305 < check all < core update < cpu frequency @@ -583,13 +612,16 @@ < outgoing compression in bytes per second < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -789,6 +821,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < asn lookup failed < atm device @@ -867,6 +903,7 @@ < Captive vout < Captive WiFi coupon < Captive wrong ext +< CHACHA20-POLY1305 < check all < cpu frequency < crypto error @@ -1151,6 +1188,7 @@ < outgoing compression in bytes per second < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -1159,10 +1197,12 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn reneg sec < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -1367,6 +1407,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < age second < age seconds < age shour @@ -1491,6 +1535,7 @@ < ccd routes < ccd subnet < ccd used +< CHACHA20-POLY1305 < check all < community rules < ConnSched dial 
@@ -2039,6 +2084,7 @@ < outgoing firewall access < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -2049,6 +2095,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -2065,6 +2112,7 @@ < ovpn routes push options < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -2385,6 +2433,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < age second < age seconds < age shour @@ -2509,6 +2561,7 @@ < ccd routes < ccd subnet < ccd used +< CHACHA20-POLY1305 < check all < community rules < ConnSched dial @@ -3065,6 +3118,7 @@ < outgoing overhead in bytes per second < outgoing traffic in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -3073,6 +3127,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -3087,6 +3142,7 @@ < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -3393,6 +3449,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < asn lookup failed < autonomous system @@ -3415,6 +3475,7 @@ < cake profile pppoe-vcmux 32 < cake profile raw 0 < Captive delete logo +< CHACHA20-POLY1305 < core update < cpu frequency < crypto error 
@@ -3593,13 +3654,16 @@
 < openvpn cert has expired
 < optional
 < otp qrcode
+< ovpn ciphers
 < ovpn connection name
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
+< ovpn if ncp is disabled we must have cipher
 < ovpn roadwarrior server
 < ovpn rw connection log
 < ovpn tls auth
+< ovpn unsupported cipher selected
 < ovpn warning rfc3280
 < pakfire already busy
 < pakfire finished
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c78d9b208..ec55e9c8a 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -47,6 +47,29 @@ use CGI::Carp 'fatalsToBrowser';
 my %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
 
+# Supported ciphers for NCP
+my @SUPPORTED_CIPHERS = (
+	"AES-256-GCM",
+	"AES-128-GCM",
+	"AES-256-CBC",
+	"AES-128-CBC",
+	"CHACHA20-POLY1305",
+);
+
+my $DEFAULT_CIPHERS = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305";
+
+# Translations for the cipher selection
+my %CIPHERS = (
+	# AES
+	"AES-256-GCM" => $Lang::tr{'AES-256-GCM'},
+	"AES-128-GCM" => $Lang::tr{'AES-128-GCM'},
+	"AES-256-CBC" => $Lang::tr{'AES-256-CBC'},
+	"AES-128-CBC" => $Lang::tr{'AES-128-CBC'},
+
+	# ChaCha20-Poly1305
+	"CHACHA20-POLY1305" => $Lang::tr{'CHACHA20-POLY1305'},
+);
+
 ###
 ### Initialize variables
 ###
@@ -235,8 +258,19 @@ sub writeserverconf {
 	}
 	print CONF "status-version 1\n";
 	print CONF "status /var/run/ovpnserver.log 30\n";
-	print CONF "ncp-disable\n";
-	print CONF "cipher $sovpnsettings{DCIPHER}\n";
+
+	# Cryptography
+	if ($sovpnsettings{'DATACIPHERS'} eq '') {
+		print CONF "ncp-disable\n";
+	} else {
+		print CONF "data-ciphers " . $sovpnsettings{'DATACIPHERS'} =~ s/\|/:/gr . "\n";
+	}
+
+	# Enable fallback cipher?
+	if ($sovpnsettings{'DCIPHER'} ne '') {
+		print CONF "data-ciphers-fallback $sovpnsettings{'DCIPHER'}\n";
+	}
+
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
 	# Set TLSv2 as minimum
 	print CONF "tls-version-min 1.2\n";
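Review bot: In the `ncp-disable` branch of writeserverconf the removed `cipher $sovpnsettings{DCIPHER}` line has no replacement; only `data-ciphers-fallback` is written further down, and if the OpenVPN build in use still takes the data-channel cipher from `--cipher` when negotiation is disabled, that branch should also print `cipher $sovpnsettings{'DCIPHER'}` — please confirm against the shipped OpenVPN version. Settings files written before this change have no DATACIPHERS key, so `$sovpnsettings{'DATACIPHERS'} eq ''` compares undef and logs an uninitialized-value warning on every config write; `($sovpnsettings{'DATACIPHERS'} // '') eq ''` keeps the intended fall-through to `ncp-disable` without the noise. `ncp-disable` is deprecated from OpenVPN 2.5 and, as far as I recall, no longer accepted by 2.6, so the negotiation-off path deserves a test on the target version. writeserverconf starts before this hunk.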
@@ -673,11 +707,29 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 	$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
 	$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
 	$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
+	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
 	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 	$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 	$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 	my @temp=();
 
+	# If NCP is disabled, we need the fallback cipher
+	if ($cgiparams{'DATACIPHERS'} eq '' && $cgiparams{'DCIPHER'} eq '') {
+		$errormessage = $Lang::tr{'ovpn if ncp is disabled we must have cipher'};
+		goto ADV_ERROR;
+	}
+
+	# Split data ciphers
+	my @dataciphers = split(/\|/, $cgiparams{'DATACIPHERS'});
+
+	# Check if all ciphers are supported
+	foreach my $cipher (@dataciphers) {
+		if (!grep(/^$cipher$/, @SUPPORTED_CIPHERS)) {
+			$errormessage = $Lang::tr{'ovpn unsupported cipher selected'};
+			goto ADV_ERROR;
+		}
+	}
+
 	if ($cgiparams{'FRAGMENT'} eq '') {
 		delete $vpnsettings{'FRAGMENT'};
 	} else {
@@ -2123,7 +2175,20 @@ else
 		$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
 		$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
 	}
-	print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+	# Cryptography
+
+	# If no data ciphers have been selected, we try to use the fallback cipher
+	if ($vpnsettings{'DATACIPHERS'} eq '') {
+		print CLIENTCONF "ncp-disable\r\n";
+
+		if ($vpnsettings{'DCIPHER'} ne '') {
+			print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
+		}
+	} else {
+		# Otherwise we don't write anything because the server and client will negotiate
+	}
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
 	if ($vpnsettings{'TLSAUTH'} eq 'on') {
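Review bot: The supported-cipher check `grep(/^$cipher$/, @SUPPORTED_CIPHERS)` interpolates the submitted value as a regular expression, so a DATACIPHERS entry such as `.*` or `AES-.+` passes the check and is then written unmodified into `data-ciphers` in the server config; compare strings instead, `if (!grep { $_ eq $cipher } @SUPPORTED_CIPHERS) {`. The fallback cipher gets no check at all: `$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}` is stored as submitted and later interpolated into `data-ciphers-fallback` and the client `cipher` line, so it should be matched against the values the DCIPHER select offers (the keys set up under ADV_ERROR) in the same way. `$vpnsettings{'DATACIPHERS'}` is assigned before the validation runs, which is only safe if `goto ADV_ERROR` bypasses the settings write, which lies outside this hunk. The same regex idiom appears in the `@@ -2522` hunk, where both operands are trusted, but an `eq` comparison there would keep the two consistent. The save-adv-options block starts before this hunk and continues after it.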
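Review bot: With data ciphers enabled the client config receives no cipher information at all, yet the help text added by this commit says the fallback cipher is "used by clients that do not support cipher negotiation", and such a client has nothing to fall back to unless `cipher $vpnsettings{'DCIPHER'}` is also written when DCIPHER is set and negotiation is on; if my reading of OpenVPN's fallback semantics is right, the DCIPHER check belongs outside the `ncp-disable` branch. The `else` branch that holds only a comment reads as unfinished; either drop it and keep the comment as a plain `#` note above the `if`, or use it to emit `data-ciphers` with the same `|`-to-`:` rewrite writeserverconf applies, so the client offers exactly the set the server was configured with. As in writeserverconf, `$vpnsettings{'DATACIPHERS'} eq ''` warns on settings files that predate this key. The enclosing `else` block starts before this hunk and continues after it.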
@@ -2475,6 +2540,9 @@ END
 	read_routepushfile;
 
 ADV_ERROR:
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$cgiparams{'DATACIPHERS'} = $DEFAULT_CIPHERS;
+	}
 	if ($cgiparams{'DAUTH'} eq '') {
 		$cgiparams{'DAUTH'} = 'SHA512';
 	}
@@ -2522,6 +2590,15 @@ ADV_ERROR:
 	$selected{'LOG_VERB'}{'11'} = '';
 	$selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
 
+	# Split data ciphers
+	my @data_ciphers = split(/\|/, $cgiparams{'DATACIPHERS'});
+
+	# Select the correct ones
+	$selected{'DATACIPHERS'} = ();
+	foreach my $cipher (@SUPPORTED_CIPHERS) {
+		$selected{'DATACIPHERS'}{$cipher} = grep(/^$cipher$/, @data_ciphers) ? "selected" : "";
+	}
+
 	$selected{'DCIPHER'}{'AES-256-GCM'} = '';
 	$selected{'DCIPHER'}{'AES-192-GCM'} = '';
 	$selected{'DCIPHER'}{'AES-128-GCM'} = '';
@@ -2569,6 +2646,30 @@ ADV_ERROR: + + + $Lang::tr{'ovpn ciphers'} + + +
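Review bot: An empty DATACIPHERS now carries two meanings: writeserverconf treats it as "negotiation disabled", while this defaulting under ADV_ERROR replaces it with `$DEFAULT_CIPHERS`, so an administrator who deliberately deselects every cipher and then hits a validation error (or, if the stored settings are copied into `%cgiparams` before this label, simply reopens the page) sees the three defaults re-selected and the next save silently re-enables NCP. A multi-select with nothing chosen posts no parameter, so the form cannot distinguish "never set" from "all cleared"; an explicit signal is needed, for instance applying the default only when the settings file has no DATACIPHERS key, or a hidden field the form always posts. The code that fills `%cgiparams` before ADV_ERROR is outside this hunk, so the reopen case is inferred.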
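Review bot: `$selected{'DATACIPHERS'} = ();` assigns an empty list in scalar context, i.e. undef, to the hash element; the following `$selected{'DATACIPHERS'}{$cipher} = ...` then autovivifies a fresh hash reference anyway, so the line does nothing and implies a reset that never happens. Write `$selected{'DATACIPHERS'} = {};` to state the intent, and use `(grep { $_ eq $cipher } @data_ciphers) ? "selected" : ""` rather than interpolating `$cipher` into a pattern, which mirrors the save-handler check and stays correct if a name containing regex metacharacters is ever added to `@SUPPORTED_CIPHERS`. The form markup hunk that follows is cut off at the end of this chunk and was not reviewed.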