ovpnmain.cgi: Refactor connection statistics page

No functional changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove ns-cert-type server

This option has been removed in OpenVPN 2.5. We do not support anything
prior to that.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove unnecessary client configuration options

We should send the most minimal configuration so that we do not
overwrite any sensible defaults.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix spacing in client configuration file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use LF only without CR for config files

Fixes: #13355
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the ZIP container around configuration files

Since we can now include everything in one file, there is no need to put
it in a ZIP container.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the "insecure" client package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Include the PKCS12 certificate on config export

Before, OpenVPN did not support PKCS12 files in an embedded format. We
extracted the key and the certificate in PEM format instead.

This is no longer necessary and therefore we can simply include the
file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Reindent generating the client configuration

There are no functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor CCD pool configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove code to restart a connection

This could not be triggered.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor the connection listing

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Enable legacy provider for auths, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Load the OpenSSL legacy provider if required

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move "ROUTE_PUSH" settings into the main settings file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix checking custom routes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Reload the server after changing advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove more unused variables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor the entire advanced settings page

There are no functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Don't make headings so skinny

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove "additional configs"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove client-to-client

This is a potential security issue. See #13636.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Hard-code keepalive packets

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Hard-code "verb 3"

There is no reason why users will need to change this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Improve wording for RW settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Manually load the tun module for OpenVPN

The server cannot load the module itself.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove manual start/stop actions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Redesign the roadwarrior section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Make text/number inputs 100% wide, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Only allow removing X.509 when the server is not enabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove left-over code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move destination port to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move MTU setting to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move protocol setting to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the old status indicator

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Use section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Use CSS to colour the table

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

web: Explain memory consumption

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor.cgi: Use new service function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Automatically stripe all tables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

web: Create a function to show the service status

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use global ethernet settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

OpenVPN: Rename "Global Settings" to "Roadwarrior Settings"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Update language files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Silence error messages when testing if a process is running

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpnctrl: Rewrite the entire thing

This binary because a major headache as it has been changed so many
times by so many people neglegting the code quality. Therefore, the
logic has now been moved into initscripts and the binary changed so that
it only serves as a SUID wrapper to call the initscripts.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Call the initscript to create firewall rules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: No longer restart OpenVPN when RED comes up/goes down

This is probably a relic from when dial-up connections where on trend
and systems were offline for long times of the day. Now, we should
always be on and there is no need to restart all those services on a
reconnect.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn-n2n: Implement deleting RRD databases

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Add an initscript for N2N connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpnctrl: Remove the stuff we no longer need

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Start the OpenVPN Authenticator, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Add an initscript for OpenVPN RW

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Split OpenVPN INPUT chains for RW & N2N

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove option to enable on ORANGE/BLUE

There is no point in not making this service available to any local
networks when it always has to be reachable from the Internet.

This still has to be reflected in the initscripts

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Migrate to subnet topology

For dynamic pools, this change is easy and does not require any extra
steps. For CCD clients however, we need to update the configuration to
replace the server IP address with the subnet mask.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Create functions to read CCD client/server routes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove comment that a restart is required

This is incorrect as we can change CCD data without restarting the
server.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor writing CCD files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Drop validdotmask()

This is a totally braindead function that prevented some basic usability
by using the more modern prefix notation. It simply checks if there is a
freaking dot. Great!

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Drop hostsinnet

This is no longer needed as we can use the function that lists all
addresses that are in use and count them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor listing CCD addresses

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor ccdmaxclients()

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor modccnet()

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor addccdnet()

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move function to check CCD names here

This was in general-functions.pl for some reason.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor function to remove a static pool

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove enabled marker files

Nothing is using these any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove any left-over traces of DH replacement

Since there is no way for the user to manipulate this any more, there is
no point in checking and showing the DH parameters.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove excess whitespace

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove more dead code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Force NCP on clients

This change requires that all clients support NCP if they are set up
with a new connection. Existing clients remain supported using the
fallback cipher option.

This will result that connections with OpenVPN <= 2.3 cannot be set up
any more which is totally fine since that version is EOL.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Update to 2.6.9

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Completely remove compression for RW clients

We will use the "compress migrate" option which disables compression by
default. If a client has been found that wants to use compression, the
server will push "stub-v2" to disable it. If that does not work, the
server might fall back to compression.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Implement cipher negotiation for RW clients

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove presetting removed options

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove dead code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use SHA512 for hashing by default

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Keep the fallback cipher disabled by default

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Allow to disable the fallback cipher

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Rename cipher selection to fallback cipher

This is to keep ancient clients and clients that have NCP disabled
happy.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

lang: Update because of OpenVPN changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Make all <select> and <textarea> use all available space

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix the completely fucked table layout

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move the cryptographic options to the advanced page

Since we don't want people play too much with these, we move them to the
advanced settings page.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix resetting compression setting

The compression option was reset (disabled) when the Save button on the
main was being clicked.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove crypto error/warning boxes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove authorship comments

These are not very useful.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Don't mess with the OpenVPN status file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move things that belong together together

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Don't create CCD configuration files on every call

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Reorganise loading external modules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Don't include lang.pl again when its already loaded in header.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Don't load colours when they are already loaded in header.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove unused variable hack

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Drop newcleanssldatabase()

I have no idea why this was added when there is a function that does the
same already. The remove function also had typos in the path which
probably resulted in it not working very well.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use the formatting function we already have

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Drop unused refresh code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Tidy up starting/restarting the RW server

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use default functions to check what subnets exist

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>