From 4c234aa1ea320ceba596d8cf88373b7abe8ee282 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 19 Mar 2024 19:32:50 +0100 Subject: [PATCH] ovpnmain.cgi: Implement cipher negotiation for RW clients Signed-off-by: Michael Tremer --- doc/language_issues.de | 8 +++ doc/language_issues.en | 8 +++ doc/language_issues.es | 8 +++ doc/language_issues.fr | 8 +++ doc/language_issues.it | 8 +++ doc/language_issues.nl | 8 +++ doc/language_issues.pl | 8 +++ doc/language_issues.ru | 8 +++ doc/language_issues.tr | 8 +++ doc/language_missings | 64 ++++++++++++++++++++++ html/cgi-bin/ovpnmain.cgi | 109 ++++++++++++++++++++++++++++++++++++-- langs/en/cgi-bin/en.pl | 8 +++ 12 files changed, 249 insertions(+), 4 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index 1ab7fc240..424481b4c 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -927,6 +927,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: access point name = Access Point Name WARNING: untranslated string: access point name is invalid = Access Point Name is invalid WARNING: untranslated string: access point name is required = Access Point Name is required 
@@ -1005,9 +1010,12 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: optional = Optional +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire invalid tree = Invalid repository selected WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) WARNING: untranslated string: regenerate host certificate = Renew Host Certificate diff --git a/doc/language_issues.en b/doc/language_issues.en index 7573b35ce..9c60e3e38 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -1,9 +1,14 @@ WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: Act as = Act as: WARNING: untranslated string: Add Level7 rule = Add Level7 rule WARNING: untranslated string: Add Port Rule = Add port rule WARNING: untranslated string: Add Rule = Add rule WARNING: untranslated string: Add a route = Add a route +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS @@ -1441,6 +1446,7 @@ WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing O WARNING: untranslated string: outgoing traffic in bytes per second = Outgoing Traffic WARNING: untranslated string: ovpn = OpenVPN WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn con stat = OpenVPN Connection Statistics WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options 
@@ -1449,6 +1455,7 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn on blue = OpenVPN on BLUE: @@ -1464,6 +1471,7 @@ WARNING: untranslated string: ovpn subnet = OpenVPN subnet: WARNING: untranslated string: ovpn subnet is invalid = OpenVPN subnet is invalid. WARNING: untranslated string: ovpn subnet overlap = OpenVPN Subnet overlaps with : WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pagerefresh = Page is beeing refreshed, please wait. WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.es b/doc/language_issues.es index 11ee46ba7..949675bc0 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -983,6 +983,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: ca name must only contain characters and spaces = unknown string @@ -1025,8 +1030,11 @@ WARNING: untranslated string: ids provider eol = (EOL) WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: no data = unknown string WARNING: untranslated string: online = Online +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: route config changed = unknown string WARNING: untranslated string: routing config added = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index 07fd48d4a..4362f9992 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -964,6 +964,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: allowed subnets = Allowed Subnets WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string @@ -1029,9 +1034,12 @@ WARNING: untranslated string: malformed private key = Malformed Private Key WARNING: untranslated string: malformed public key = Malformed Public Key WARNING: untranslated string: online = Online WARNING: untranslated string: oops something went wrong = Oops, something went wrong... +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: processors = Processors 
diff --git a/doc/language_issues.it b/doc/language_issues.it index ff5025cc4..23554dbe5 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -898,6 +898,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1267,12 +1272,15 @@ WARNING: untranslated string: otp qrcode = OTP QRCode WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 371605b8e..6e4348d65 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -898,6 +898,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1290,14 +1295,17 @@ WARNING: untranslated string: otp qrcode = OTP QRCode WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... WARNING: untranslated string: pakfire finished error = Pakfire has finished! Errors occurred, please check the log output before proceeding. diff --git a/doc/language_issues.pl b/doc/language_issues.pl index 2da3f6de9..e12dce223 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -808,6 +808,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS @@ -1452,6 +1457,7 @@ WARNING: untranslated string: outgoing compression in bytes per second = Outgoin WARNING: untranslated string: outgoing firewall access = Outgoing Firewall Access WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set 
@@ -1459,6 +1465,7 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. @@ -1467,6 +1474,7 @@ WARNING: untranslated string: ovpn routes push = Routes (one per line) e.g. 192. WARNING: untranslated string: ovpn routes push options = Route push options WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 217e0ca56..4230c8953 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -801,7 +801,12 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: Add a route = Add a route +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1449,17 +1454,20 @@ WARNING: untranslated string: outgoing firewall access = Outgoing Firewall Acces WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: outgoing traffic in bytes per second = Outgoing Traffic WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 9674b3d7b..53eff868d 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -925,6 +925,11 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Captive delete logo = Delete Logo WARNING: untranslated string: Disabled = Disabled 
@@ -1180,12 +1185,15 @@ WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: optional = Optional WARNING: untranslated string: otp qrcode = OTP QRCode +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_missings b/doc/language_missings index 8aab09f69..8a091e64f 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -5,6 +5,10 @@ < access point name is invalid < access point name is required < advproxy update information +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < allowed subnets < ansi t1.483 @@ -45,6 +49,7 @@ < Captive heading voucher < Captive invalid coupon < Captive please enter a coupon code +< CHACHA20-POLY1305 < choose media < could not connect to www ipfire org < cryptographic settings 
@@ -82,9 +87,12 @@ < okay < oops something went wrong < optional +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server +< ovpn unsupported cipher selected < quick control < random number generator daemon < regenerate host certificate @@ -127,20 +135,33 @@ ############################################################################ # Checking cgi-bin translations for language: es # ############################################################################ +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM +< CHACHA20-POLY1305 < dns servers < ids provider eol < online +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher +< ovpn unsupported cipher selected ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < allowed subnets < ansi t1.483 < bewan adsl pci st < bewan adsl usb < bypassed < ca name must only contain characters or spaces +< CHACHA20-POLY1305 < configuration file < data transfer < done @@ -172,9 +193,12 @@ < malformed public key < online < oops something went wrong +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server +< ovpn unsupported cipher selected < password has quotation mark < processors < public key @@ -269,6 +293,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < allowed subnets < asn lookup failed @@ -347,6 +375,7 @@ < Captive vout < Captive WiFi coupon < Captive wrong type +< CHACHA20-POLY1305 < check all < configuration file < core update 
@@ -627,13 +656,16 @@ < outgoing compression in bytes per second < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -881,6 +913,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < allowed subnets < asn lookup failed @@ -961,6 +997,7 @@ < Captive vout < Captive WiFi coupon < Captive wrong type +< CHACHA20-POLY1305 < check all < configuration file < cpu frequency @@ -1263,6 +1300,7 @@ < outgoing compression in bytes per second < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -1271,10 +1309,12 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn reneg sec < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -1526,6 +1566,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < age second < age seconds < age shour @@ -1652,6 +1696,7 @@ < ccd routes < ccd subnet < ccd used +< CHACHA20-POLY1305 < check all < community rules < configuration file @@ -2218,6 +2263,7 @@ < outgoing firewall access < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines 
@@ -2228,6 +2274,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -2244,6 +2291,7 @@ < ovpn routes push options < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -2612,6 +2660,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < age second < age seconds < age shour @@ -2738,6 +2790,7 @@ < ccd routes < ccd subnet < ccd used +< CHACHA20-POLY1305 < check all < community rules < configuration file @@ -3312,6 +3365,7 @@ < outgoing overhead in bytes per second < outgoing traffic in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -3320,6 +3374,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -3334,6 +3389,7 @@ < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -3688,6 +3744,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < allowed subnets < asn lookup failed @@ -3712,6 +3772,7 @@ < cake profile raw 0 < ca name must only contain characters or spaces < Captive delete logo +< CHACHA20-POLY1305 < configuration file < core update < cpu frequency 
@@ -3908,13 +3969,16 @@
 < openvpn cert has expired
 < optional
 < otp qrcode
+< ovpn ciphers
 < ovpn connection name
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
+< ovpn if ncp is disabled we must have cipher
 < ovpn roadwarrior server
 < ovpn rw connection log
 < ovpn tls auth
+< ovpn unsupported cipher selected
 < ovpn warning rfc3280
 < pakfire already busy
 < pakfire finished
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 3e738f73d..1c1b45984 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -47,6 +47,29 @@ use CGI::Carp 'fatalsToBrowser';
 my %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
+# Supported ciphers for NCP
+my @SUPPORTED_CIPHERS = (
+ "AES-256-GCM",
+ "AES-128-GCM",
+ "AES-256-CBC",
+ "AES-128-CBC",
+ "CHACHA20-POLY1305",
+);
+
+my $DEFAULT_CIPHERS = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305";
+
+# Translations for the cipher selection
+my %CIPHERS = (
+ # AES
+ "AES-256-GCM" => $Lang::tr{'AES-256-GCM'},
+ "AES-128-GCM" => $Lang::tr{'AES-128-GCM'},
+ "AES-256-CBC" => $Lang::tr{'AES-256-CBC'},
+ "AES-128-CBC" => $Lang::tr{'AES-128-CBC'},
+
+ # ChaCha20-Poly1305
+ "CHACHA20-POLY1305" => $Lang::tr{'CHACHA20-POLY1305'},
+);
+
 ###
 ### Initialize variables
 ###
@@ -235,8 +258,19 @@ sub writeserverconf {
 }
 print CONF "status-version 1\n";
 print CONF "status /var/run/ovpnserver.log 30\n";
- print CONF "ncp-disable\n";
- print CONF "cipher $sovpnsettings{DCIPHER}\n";
+
+ # Cryptography
+ if ($sovpnsettings{'DATACIPHERS'} eq '') {
+ print CONF "ncp-disable\n";
+ } else {
+ print CONF "data-ciphers " . $sovpnsettings{'DATACIPHERS'} =~ s/\|/:/gr . "\n";
+ }
+
+ # Enable fallback cipher?
+ if ($sovpnsettings{'DCIPHER'} ne '') {
+ print CONF "data-ciphers-fallback $sovpnsettings{'DCIPHER'}\n";
+ }
+
 print CONF "auth $sovpnsettings{'DAUTH'}\n";
 # Set TLSv2 as minimum
 print CONF "tls-version-min 1.2\n";
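Review bot: `$DEFAULT_CIPHERS` is a `|`-joined string while `@SUPPORTED_CIPHERS` next to it is a list, and nothing at the declaration says why the separator differs from OpenVPN's `:`; writeserverconf later converts `|` to `:`, so the pipe is the settings-file format. A comment such as `# Pipe-separated, as stored in the settings file; converted to ':' when written to the OpenVPN config` above the `my $DEFAULT_CIPHERS` line would save the next reader that lookup. `%CIPHERS` is not referenced by any hunk visible here; presumably the form in the later HTML hunk uses it.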
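Review bot: In the NCP-disabled branch of writeserverconf the server config now contains `ncp-disable` plus `data-ciphers-fallback` but no longer a `cipher` line, which the removed lines used to provide. On OpenVPN 2.5 `data-ciphers-fallback` also sets the cipher used when negotiation is off, so this should work there, but `ncp-disable` was deprecated in 2.5 and, as far as I recall, removed in 2.6, where the server would refuse to start; please confirm against the OpenVPN version IPFire ships. Keeping `print CONF "cipher $sovpnsettings{'DCIPHER'}\n";` in that branch is the version-tolerant form. writeserverconf starts and ends outside the hunk.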
@@ -673,11 +707,29 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
 $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
 $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
+ $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 my @temp=();
+ # If NCP is disabled, we need the fallback cipher
+ if ($cgiparams{'DATACIPHERS'} eq '' && $cgiparams{'DCIPHER'} eq '') {
+ $errormessage = $Lang::tr{'ovpn if ncp is disabled we must have cipher'};
+ goto ADV_ERROR;
+ }
+
+ # Split data ciphers
+ my @dataciphers = split(/\|/, $cgiparams{'DATACIPHERS'});
+
+ # Check if all ciphers are supported
+ foreach my $cipher (@dataciphers) {
+ if (!grep(/^$cipher$/, @SUPPORTED_CIPHERS)) {
+ $errormessage = $Lang::tr{'ovpn unsupported cipher selected'};
+ goto ADV_ERROR;
+ }
+ }
+
 if ($cgiparams{'FRAGMENT'} eq '') {
 delete $vpnsettings{'FRAGMENT'};
 } else {
@@ -2123,7 +2175,20 @@ else
 $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
 $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
 }
- print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+ # Cryptography
+
+ # If no data ciphers have been selected, we try to use the fallback cipher
+ if ($vpnsettings{'DATACIPHERS'} eq '') {
+ print CLIENTCONF "ncp-disable\r\n";
+
+ if ($vpnsettings{'DCIPHER'} ne '') {
+ print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
+ }
+ } else {
+ # Otherwise we don't write anything because the server and client will negotiate
+ }
+
 print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 if ($vpnsettings{'TLSAUTH'} eq 'on') {
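Review bot: The supported-cipher check interpolates the submitted value into a regex, `grep(/^$cipher$/, @SUPPORTED_CIPHERS)`, so a value containing regex metacharacters can satisfy the match without being one of the listed names and then reaches the server config verbatim through `data-ciphers` in writeserverconf, where an unknown name keeps the service from starting. Compare as strings instead: `if (!grep { $_ eq $cipher } @SUPPORTED_CIPHERS) {`. The fallback cipher `DCIPHER` is stored on the line above and written into both the server and client configs, but this hunk does not check it against any list; if that is not done elsewhere (not visible here), the same exact-match test should cover it. The enclosing `if ($cgiparams{'ACTION'} eq ...)` block starts and ends outside the hunk.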
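Review bot: The `ncp-disable` line written into the client profile when `DATACIPHERS` is empty looks redundant and is the line most likely to break newer clients: the server side of this commit already disables negotiation, so a client given only `cipher X` uses X anyway, while, if I recall the release notes correctly, OpenVPN 2.6 removed `ncp-disable` and rejects a profile containing it; please confirm against the client versions you intend to support. Dropping `print CLIENTCONF "ncp-disable\r\n";` and keeping the guarded `cipher` line avoids that. The `else` branch holding only a comment reads better as a comment above the `if`. The enclosing block starts and ends outside the hunk.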
@@ -2476,6 +2541,9 @@ END
 read_routepushfile;
 ADV_ERROR:
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $cgiparams{'DATACIPHERS'} = $DEFAULT_CIPHERS;
+ }
 if ($cgiparams{'DAUTH'} eq '') {
 $cgiparams{'DAUTH'} = 'SHA512';
 }
@@ -2523,6 +2591,15 @@ ADV_ERROR:
 $selected{'LOG_VERB'}{'11'} = '';
 $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED';
+ # Split data ciphers
+ my @data_ciphers = split(/\|/, $cgiparams{'DATACIPHERS'});
+
+ # Select the correct ones
+ $selected{'DATACIPHERS'} = ();
+ foreach my $cipher (@SUPPORTED_CIPHERS) {
+ $selected{'DATACIPHERS'}{$cipher} = grep(/^$cipher$/, @data_ciphers) ? "selected" : "";
+ }
+
 $selected{'DCIPHER'}{'AES-256-GCM'} = '';
 $selected{'DCIPHER'}{'AES-192-GCM'} = '';
 $selected{'DCIPHER'}{'AES-128-GCM'} = '';
@@ -2570,6 +2647,30 @@ ADV_ERROR: + + + $Lang::tr{'ovpn ciphers'} + + + +
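Review bot: Defaulting `DATACIPHERS` to `$DEFAULT_CIPHERS` whenever it is empty at `ADV_ERROR` cannot tell "never configured" apart from "negotiation deliberately disabled", which the save handler stores as an empty string. If `%cgiparams` is filled from the saved settings before this label (not visible here), a disabled-NCP setup is rendered with the default ciphers re-selected and the next save silently re-enables negotiation; the same happens on the error path when an invalid selection is rejected and the form is redisplayed. Apply the default only when the key is absent, e.g. `if (!defined $cgiparams{'DATACIPHERS'}) {`, after confirming how `readhash` reports an empty value. The display code around the label continues outside the hunk.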
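Review bot: `$selected{'DATACIPHERS'} = ();` assigns an empty list to a scalar hash slot, which leaves it `undef` rather than an empty hash; the loop below only works because the nested assignment autovivifies. `$selected{'DATACIPHERS'} = {};` states the intent. The membership test `grep(/^$cipher$/, @data_ciphers)` would also read more clearly as `grep { $_ eq $cipher } @data_ciphers`; here `$cipher` comes from the trusted list, so this is a point of style and of consistency with the validation in the save handler rather than a defect.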