hostapd: Fix number of beamforming antennas

The bitmap is off by one.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Remove CONFIG_IEEE80211W

This option was removed and 802.11w is now always compiled in.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: ath11k also does not support Greenfield and Delayed Block ACK

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Allow to adjust the debug level

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Perform radar detection in the background

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Optionally select which antennas to use

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Add support for 802.11be

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Introduce new WiFi modes to accomodate all different modes

Using just 802.11ac does not entirely cover how the hardware could be
configured. Some devices support 20, 40, 80 or even 160 MHz channels
which is now being implemented here.

The channel offsets are computed manually or will be automatically
selected by hostapd if we are using ACS.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Fix a shell syntax error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

wlanap.cgi: Remove the option to manually configure HT/VHT caps

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Automatically configure VHT capabilities

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Add experimental support for 802.11ax

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Allow to enable debugging

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Filter out some unsupported VHT caps by driver

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: ath12k does not support Greenfield either

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Fix shell syntax error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: ath12k does not support Delayed Block ACK either

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Automatically determine supported capabilities

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Enable SHA256 for WPA2/1 PSK authentication

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Enable various options to improve security and interoperability

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Rebase the configuration on the upstream default config

Most options are added, but not enabled. There are however the following
changes:

  * Enable Operating Channel Validation
  * Enable Fast BSS Transition (802.11r)
  * Support for 802.11ax and 802.11be
  * Disable the internal randomness pool
  * Enable Interworking (802.11u)
  * Enable Fast Session Transfer (FST)
  * Enable Multiband Operation support

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Generate the configuration in the initscript

This will give us some more flexibility in the future.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

hostapd: Remove any unused variables from initscript

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Ship unbound

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound 1.23.1: Fix for rootfile

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

unbound: Update to 1.23.1

For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-23-1

"Fix RebirthDay Attack CVE-2025-5994, reported by Xiang Li from AOSP
Lab Nankai University."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

core197: Ship OpenVPN changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Ignore existing PID files when starting processes

This is all not very organised and tidy. The init process seems to be
too cautious if there is a PID file left but there should not be any
harm in trying to start the same process twice when in doubt because
after all only one can bind to the same port at a time.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Accept an empty value for ENABLED

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix broken headline in N2N crypto section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "ovpnmain.cgi: Remove yet another "if (1)" statement"

This reverts commit 0dcafefb694d4e1ebef317f4d45f68216685ff25.

Removing this breaks creating N2N connections and I don't think there is
a way to fix this all properly without a major rewrite.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

services.cgi: Openvpn-2.6 rebase fix pid name for services page

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Fix typo in initscript

This prevented the authenticator from being shut down gracefully.

  https://lists.ipfire.org/development/1396727E-BF73-4015-B853-B3F854806B28@ipfire.org/T/#m41dd73643dc6fa0dd6d187f59f72277f9c5d072f

Reported-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Accept empty input for ENABLED

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Make checkboxes unselectable

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Only load status when the server is running

Otherwise we would show the status if the service is no longer running
and show clients as connected which have only been connected when the
server was stopped.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix reading the current status file again

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove more dead code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix path to the RW PID file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use the helper binary to read the status log

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Log a better message if the RW log file could not be opened

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Tell the server the subnet in the old-fashioned way

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove some dead code

This prevented creating new connections and was never being used at all.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Revert "CSS: Make text/number inputs 100% wide, too"

This reverts commit f9beaa17f22a191919b2982511d4a4598ffcf81e.

This seems to break major parts of the layout on several pages.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Fix merge error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Update to 2.6.14

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn: Update to version 2.6.12

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Implement a better way to set defaults

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Load the main settings just once

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use the same hash for the configuration like everywhere else

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Restart instead of reload

The option to reload the server does not seem to work well. The running
is process is performing a number of checks that make very little sense
and PID files get written by the user that launches the process (i.e.
root) instead of the user that the process is running as later on (i.e.
nobody). Since there is no chance to keep any existing connections alive
this way, we may just as well restart the service for now.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

openvpn-rw: Use a sensible name for the PID file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Give the status log a more sensible name

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Explicitly notify clients that the server is going down

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

i18n: Update note on the file format of the OpenVPN client configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor top table of adding/creating connections

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove yet another "if (1)" statement

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor connection statistics page

No functional changes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove ns-cert-type server

This option has been removed in OpenVPN 2.5. We do not support anything
prior to that.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove unnecessary client configuration options

We should send the most minimal configuration so that we do not
overwrite any sensible defaults.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix spacing in client configuration file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use LF only without CR for config files

Fixes: #13355
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the ZIP container around configuration files

Since we can now include everything in one file, there is no need to put
it in a ZIP container.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the "insecure" client package

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Include the PKCS12 certificate on config export

Before, OpenVPN did not support PKCS12 files in an embedded format. We
extracted the key and the certificate in PEM format instead.

This is no longer necessary and therefore we can simply include the
file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Reindent generating the client configuration

There are no functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor CCD pool configuration

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove code to restart a connection

This could not be triggered.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor the connection listing

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Enable legacy provider for auths, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Load the OpenSSL legacy provider if required

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move "ROUTE_PUSH" settings into the main settings file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Fix checking custom routes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Reload the server after changing advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove more unused variables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Refactor the entire advanced settings page

There are no functional changes.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Don't make headings so skinny

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove "additional configs"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove client-to-client

This is a potential security issue. See #13636.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Hard-code keepalive packets

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Hard-code "verb 3"

There is no reason why users will need to change this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Improve wording for RW settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

initscripts: Manually load the tun module for OpenVPN

The server cannot load the module itself.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove manual start/stop actions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Redesign the roadwarrior section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Make text/number inputs 100% wide, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Only allow removing X.509 when the server is not enabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove left-over code

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move destination port to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move MTU setting to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Move protocol setting to advanced settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Remove the old status indicator

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Use section

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

vulnerabilities.cgi: Use CSS to colour the table

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

web: Explain memory consumption

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

tor.cgi: Use new service function

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

CSS: Automatically stripe all tables

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

web: Create a function to show the service status

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ovpnmain.cgi: Use global ethernet settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

OpenVPN: Rename "Global Settings" to "Roadwarrior Settings"

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>