wireguard-functions.pl: Remove any carriage returns on import

Some files might include carriage returns which won't be removed by
chomp() on Linux. To be extra safe, we remove them manually.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Ship wireguard-functions.pl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wireguard-functions.pl: Automatically skip IPv6 subnets

Since we do not support this and some VPN providers generate
configuration files that send any data over to them, we simply ignore
any IPv6 subnets.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cpufrequtils: Drop unused patches

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Update the status file in the roadwarrior configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Ship updated collectd configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

collectd: Openvpn-2.6: fix statusfile name

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Ship the new cpupower script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Drop cpufrequtils

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

cpufrequtils: Drop package

This is now implemented in the core distribution.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Automatically enable CPU power saving features

This is a cleaned up implementation of the script that was previously
packaged in the cpufrequtils package.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Migrate OpenVPN configuration changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Ship BIND

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

bind: Update ot 9.20.11

For details see:
https://downloads.isc.org/isc/bind9/9.20.11/doc/arm/html/notes.html#notes-for-bind-9-20-11

"Notes for BIND 9.20.11
Security Fixes

    Fix a possible assertion failure when stale-answer-client-timeout is
    set to 0.

    In specific circumstances the named resolver process could exit with an
    assertion failure when stale answers were enabled and the
    stale-answer-client-timeout configuration option was set to 0. This has
    been fixed. (CVE-2025-40777) [GL #5372]

New Features

    Add support for the CO flag to dig.

    Add support for Compact Denial of Existence to dig. This includes
    showing the CO (Compact Answers OK) flag when displaying messages and
    adding an option to set the CO flag when making queries (dig +coflag).
    [GL #5319]

Bug Fixes

    Correct the default interface-interval from 60s to 60m.

    When the interface-interval parser was changed from a uint32 parser to
    a duration parser, the default value stayed at plain number 60 which
    now means 60 seconds instead of 60 minutes. The documentation also
    incorrectly states that the value is in minutes. That has been fixed.
    [GL #5246]

    Fix a purge-keys bug when using multiple views of a zone.

    Previously, when a DNSSEC key was purged by one zone view, other zone
    views would return an error about missing key files. This has been
    fixed. [GL #5315]

    Use IPv6 queries in delv +ns.

    delv +ns invokes the same code to perform name resolution as named, but
    it neglected to set up an IPv6 dispatch object first. Consequently, it
    was behaving more like named -4. It now sets up dispatch objects for
    both address families, and performs resolver queries to both IPv4 and
    IPv6 addresses, except when one of the address families has been
    suppressed by using delv -4 or delv -6. [GL #5352]"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zabbix_agentd: Openvpn-2.6: use the helper binary to read the status log

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zabbix_agentd: Openvpn-2.6: fix pid name for services stats

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zabbix_agentd: Add LocationDB functionality

Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.locationdb.lookup[<ip>,<ip>,...]: Perform IPFire LocationDB lookups
  from within Zabbix. Returns a JSON dict.
- ipfire.locationdb.version: Get LocationDB version timestamp in unixtime.

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zabbix_agentd: Add WireGuard specific monitoring items

Adds new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.wireguard.peers.discovery: Discovery of configured WireGuard
  clients. Returns a JSON array.
- ipfire.wireguard.statusreport.get: Parses and returns output of
  `wireguardctrl dump` as a JSON array.

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zabbix_agentd: Add ARPing method for checking Internet Gateway

Since some ISP's block ICMP ping to their gateway ARPing can be an alternative.
This change adds arping alternatives for the regular (icmp) ping checks:
- ipfire.net.gateway.arping: Check if the Internet Gateway is reachable via ARPing
- ipfire.net.gateway.arpingtime: Measure the time it takes to ARPing the Internet Gateway

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

zabbix_agentd: Update to 7.0.16 (LTS)

- Update from version 7.0.11 to 7.0.16
- Update of rootfile not required

Bugs fixed:
ZBX-26080 Fixed old file descriptors being held when external log rotation is used
ZBX-26121 Added default flags to net.dns.get arguments when none are specified
ZBX-26055 Fixed failure to refresh active checks when next refresh was faster than 60 seconds

Full changelogs since 7.0.11:
- https://www.zabbix.com/rn/rn7.0.12
- https://www.zabbix.com/rn/rn7.0.13
- https://www.zabbix.com/rn/rn7.0.14
- https://www.zabbix.com/rn/rn7.0.15
- https://www.zabbix.com/rn/rn7.0.16

Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Ship unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound 1.23.1: Fix for rootfile

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Update to 1.23.1

For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-1

"Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP
Lab Nankai University."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Ship OpenVPN changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Ignore existing PID files when starting processes

This is all not very organised and tidy. The init process seems to be
too cautious if there is a PID file left but there should not be any
harm in trying to start the same process twice when in doubt because
after all only one can bind to the same port at a time.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Accept an empty value for ENABLED

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix broken headline in N2N crypto section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "ovpnmain.cgi: Remove yet another "if (1)" statement"

This reverts commit 0dcafefb694d4e1ebef317f4d45f68216685ff25.

Removing this breaks creating N2N connections and I don't think there is
a way to fix this all properly without a major rewrite.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

services.cgi: Openvpn-2.6 rebase fix pid name for services page

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Fix typo in initscript

This prevented the authenticator from being shut down gracefully.

  https://lists.ipfire.org/development/1396727E-BF73-4015-B853-B3F854806B28@ipfire.org/T/#m41dd73643dc6fa0dd6d187f59f72277f9c5d072f

Reported-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Accept empty input for ENABLED

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Make checkboxes unselectable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Only load status when the server is running

Otherwise we would show the status if the service is no longer running
and show clients as connected which have only been connected when the
server was stopped.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix reading the current status file again

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove more dead code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix path to the RW PID file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use the helper binary to read the status log

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Log a better message if the RW log file could not be opened

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Tell the server the subnet in the old-fashioned way

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove some dead code

This prevented creating new connections and was never being used at all.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "CSS: Make text/number inputs 100% wide, too"

This reverts commit f9beaa17f22a191919b2982511d4a4598ffcf81e.

This seems to break major parts of the layout on several pages.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Fix merge error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Update to 2.6.14

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Update to version 2.6.12

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Implement a better way to set defaults

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Load the main settings just once

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use the same hash for the configuration like everywhere else

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Restart instead of reload

The option to reload the server does not seem to work well. The running
is process is performing a number of checks that make very little sense
and PID files get written by the user that launches the process (i.e.
root) instead of the user that the process is running as later on (i.e.
nobody). Since there is no chance to keep any existing connections alive
this way, we may just as well restart the service for now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn-rw: Use a sensible name for the PID file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Give the status log a more sensible name

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Explicitly notify clients that the server is going down

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

i18n: Update note on the file format of the OpenVPN client configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor top table of adding/creating connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove yet another "if (1)" statement

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor connection statistics page

No functional changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove ns-cert-type server

This option has been removed in OpenVPN 2.5. We do not support anything
prior to that.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove unnecessary client configuration options

We should send the most minimal configuration so that we do not
overwrite any sensible defaults.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix spacing in client configuration file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use LF only without CR for config files

Fixes: #13355
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the ZIP container around configuration files

Since we can now include everything in one file, there is no need to put
it in a ZIP container.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the "insecure" client package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Include the PKCS12 certificate on config export

Before, OpenVPN did not support PKCS12 files in an embedded format. We
extracted the key and the certificate in PEM format instead.

This is no longer necessary and therefore we can simply include the
file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Reindent generating the client configuration

There are no functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor CCD pool configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove code to restart a connection

This could not be triggered.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor the connection listing

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Enable legacy provider for auths, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Load the OpenSSL legacy provider if required

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move "ROUTE_PUSH" settings into the main settings file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix checking custom routes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Reload the server after changing advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove more unused variables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor the entire advanced settings page

There are no functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Don't make headings so skinny

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove "additional configs"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove client-to-client

This is a potential security issue. See #13636.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Hard-code keepalive packets

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Hard-code "verb 3"

There is no reason why users will need to change this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Improve wording for RW settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Manually load the tun module for OpenVPN

The server cannot load the module itself.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove manual start/stop actions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Redesign the roadwarrior section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Make text/number inputs 100% wide, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Only allow removing X.509 when the server is not enabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove left-over code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move destination port to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move MTU setting to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move protocol setting to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the old status indicator

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Use section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Use CSS to colour the table

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

web: Explain memory consumption

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor.cgi: Use new service function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Automatically stripe all tables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

web: Create a function to show the service status

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use global ethernet settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

OpenVPN: Rename "Global Settings" to "Roadwarrior Settings"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

make.sh: Update language files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Silence error messages when testing if a process is running

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpnctrl: Rewrite the entire thing

This binary because a major headache as it has been changed so many
times by so many people neglegting the code quality. Therefore, the
logic has now been moved into initscripts and the binary changed so that
it only serves as a SUID wrapper to call the initscripts.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>