From ab5af7d868b30eb062e456a9482b1a6d3dddc571 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 19 Mar 2024 19:32:50 +0100 Subject: [PATCH] ovpnmain.cgi: Implement cipher negotiation for RW clients Signed-off-by: Michael Tremer --- doc/language_issues.de | 8 +++ doc/language_issues.en | 8 +++ doc/language_issues.es | 8 +++ doc/language_issues.fr | 8 +++ doc/language_issues.it | 8 +++ doc/language_issues.nl | 8 +++ doc/language_issues.pl | 8 +++ doc/language_issues.ru | 8 +++ doc/language_issues.tr | 8 +++ doc/language_issues.tw | 9 +++- doc/language_issues.zh | 9 +++- doc/language_missings | 80 ++++++++++++++++++++++++++++ html/cgi-bin/ovpnmain.cgi | 109 ++++++++++++++++++++++++++++++++++++-- langs/en/cgi-bin/en.pl | 8 +++ 14 files changed, 281 insertions(+), 6 deletions(-) diff --git a/doc/language_issues.de b/doc/language_issues.de index cf2ee2a83..dd3e0c2ca 100644 --- a/doc/language_issues.de +++ b/doc/language_issues.de @@ -926,6 +926,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: access point name = Access Point Name WARNING: untranslated string: access point name is invalid = Access Point Name is invalid WARNING: untranslated string: access point name is required = Access Point Name is required 
@@ -1005,9 +1010,12 @@ WARNING: untranslated string: netbios nameserver daemon = NetBIOS Nameserver Dae WARNING: untranslated string: no entries = No entries at the moment. WARNING: untranslated string: oops something went wrong = Oops, something went wrong... WARNING: untranslated string: optional = Optional +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire invalid tree = Invalid repository selected WARNING: untranslated string: quality of service = Quality of Service WARNING: untranslated string: reg_file_data_sampling = Register File Data Sampling (RFDS) diff --git a/doc/language_issues.en b/doc/language_issues.en index 10e64fdc4..5a94de80c 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
@@ -1,9 +1,14 @@ WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: Act as = Act as: WARNING: untranslated string: Add Level7 rule = Add Level7 rule WARNING: untranslated string: Add Port Rule = Add port rule WARNING: untranslated string: Add Rule = Add rule WARNING: untranslated string: Add a route = Add a route +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS @@ -1444,6 +1449,7 @@ WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing O WARNING: untranslated string: outgoing traffic in bytes per second = Outgoing Traffic WARNING: untranslated string: ovpn = OpenVPN WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn con stat = OpenVPN Connection Statistics WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options 
@@ -1452,6 +1458,7 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn on blue = OpenVPN on BLUE: @@ -1467,6 +1474,7 @@ WARNING: untranslated string: ovpn subnet = OpenVPN subnet: WARNING: untranslated string: ovpn subnet is invalid = OpenVPN subnet is invalid. WARNING: untranslated string: ovpn subnet overlap = OpenVPN Subnet overlaps with : WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pagerefresh = Page is beeing refreshed, please wait. WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire ago = ago. diff --git a/doc/language_issues.es b/doc/language_issues.es index 1de155a26..f29c3d5f2 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -982,6 +982,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: ca name must only contain characters and spaces = unknown string @@ -1026,8 +1031,11 @@ WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: mdstat = Mdstat WARNING: untranslated string: no data = unknown string WARNING: untranslated string: online = Online +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: quality of service = Quality of Service WARNING: untranslated string: route config changed = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index d5b396b6e..797e12e09 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr 
@@ -963,6 +963,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: allowed subnets = Allowed Subnets WARNING: untranslated string: bypassed = Bypassed WARNING: untranslated string: ca name must only contain characters and spaces = unknown string @@ -1030,9 +1035,12 @@ WARNING: untranslated string: malformed public key = Malformed Public Key WARNING: untranslated string: mdstat = Mdstat WARNING: untranslated string: online = Online WARNING: untranslated string: oops something went wrong = Oops, something went wrong... +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire ago = ago. WARNING: untranslated string: password has quotation mark = Password contains an illegal double quotation mark. WARNING: untranslated string: processors = Processors 
diff --git a/doc/language_issues.it b/doc/language_issues.it index 6b0138a25..4e485fb56 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it @@ -897,6 +897,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1268,12 +1273,15 @@ WARNING: untranslated string: otp qrcode = OTP QRCode WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 2ba12ffe6..fa70b03f2 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl 
@@ -897,6 +897,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1291,14 +1296,17 @@ WARNING: untranslated string: otp qrcode = OTP QRCode WARNING: untranslated string: outgoing compression in bytes per second = Outgoing compression WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... WARNING: untranslated string: pakfire finished error = Pakfire has finished! Errors occurred, please check the log output before proceeding. diff --git a/doc/language_issues.pl b/doc/language_issues.pl index e6fda715e..8acd76cb8 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -807,6 +807,11 @@ WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS @@ -1453,6 +1458,7 @@ WARNING: untranslated string: outgoing compression in bytes per second = Outgoin WARNING: untranslated string: outgoing firewall access = Outgoing Firewall Access WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set 
@@ -1460,6 +1466,7 @@ WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-a WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. @@ -1468,6 +1475,7 @@ WARNING: untranslated string: ovpn routes push = Routes (one per line) e.g. 192. WARNING: untranslated string: ovpn routes push options = Route push options WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.ru b/doc/language_issues.ru index d8d5edff3..44f2542c2 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru 
@@ -800,7 +800,12 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: yearly firewallhits WARNING: untranslated string: 24 hours = 24 Hours +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit WARNING: untranslated string: Add a route = Add a route +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive = Captive Portal WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive GAIN ACCESS = GAIN ACCESS 
@@ -1450,17 +1455,20 @@ WARNING: untranslated string: outgoing firewall access = Outgoing Firewall Acces WARNING: untranslated string: outgoing overhead in bytes per second = Outgoing Overhead WARNING: untranslated string: outgoing traffic in bytes per second = Outgoing Traffic WARNING: untranslated string: ovpn add conf = Additional configuration +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn crypt options = Cryptographic options WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. WARNING: untranslated string: ovpn ha = Hash algorithm +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn mgmt in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn no connections = No active OpenVPN connections WARNING: untranslated string: ovpn port in root range = A port number of 1024 or higher is required. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.tr b/doc/language_issues.tr index 85f23bd12..5d545e7b5 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -924,6 +924,11 @@ WARNING: translation string unused: xtaccess all error WARNING: translation string unused: xtaccess bad transfert WARNING: translation string unused: year-graph WARNING: translation string unused: yearly firewallhits +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Captive delete logo = Delete Logo WARNING: untranslated string: Disabled = Disabled 
@@ -1181,12 +1186,15 @@ WARNING: untranslated string: openvpn cert expires soon = Expires Soon WARNING: untranslated string: openvpn cert has expired = Expired WARNING: untranslated string: optional = Optional WARNING: untranslated string: otp qrcode = OTP QRCode +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn connection name = Connection Name WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. WARNING: untranslated string: ovpn roadwarrior server = OpenVPN Roadwarrior Server WARNING: untranslated string: ovpn rw connection log = OpenVPN Roadwarrior Connections Log WARNING: untranslated string: ovpn tls auth = TLS Channel Protection: +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pak update = Update WARNING: untranslated string: pakfire already busy = Pakfire is already performing a task. Please try again later. WARNING: untranslated string: pakfire finished = Pakfire has finished! Returning... diff --git a/doc/language_issues.tw b/doc/language_issues.tw index 320572ab7..a4e5fcda0 100644 --- a/doc/language_issues.tw +++ b/doc/language_issues.tw @@ -25,7 +25,6 @@ WARNING: translation string unused: Captive wrong ext WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: Daily -WARNING: translation string unused: Disabled WARNING: translation string unused: Existing Files WARNING: translation string unused: HDD temperature WARNING: translation string unused: Level7 rule 
@@ -989,6 +988,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Captive wrong type = Uploaded file has wrong filetype @@ -1035,8 +1039,11 @@ WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: max bandwidth = Maximum bandwidth WARNING: untranslated string: no data = unknown string WARNING: untranslated string: online = Online +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire confirm upgrades = Do you want to install all upgrades? WARNING: untranslated string: pakfire deps = Package dependencies: WARNING: untranslated string: pakfire errors = Errors occurred: diff --git a/doc/language_issues.zh b/doc/language_issues.zh index 320572ab7..a4e5fcda0 100644 --- a/doc/language_issues.zh 
+++ b/doc/language_issues.zh @@ -25,7 +25,6 @@ WARNING: translation string unused: Captive wrong ext WARNING: translation string unused: ConnSched scheduler WARNING: translation string unused: ConnSched select profile WARNING: translation string unused: Daily -WARNING: translation string unused: Disabled WARNING: translation string unused: Existing Files WARNING: translation string unused: HDD temperature WARNING: translation string unused: Level7 rule @@ -989,6 +988,11 @@ WARNING: translation string unused: zoneconf val vlan amount assignment error WARNING: translation string unused: zoneconf val vlan tag assignment error WARNING: translation string unused: zoneconf val vlan tag range error WARNING: translation string unused: zoneconf val zoneslave amount error +WARNING: untranslated string: AES-128-CBC = AES - CBC Mode - 128 Bit +WARNING: untranslated string: AES-128-GCM = AES - GCM Mode - 128 Bit +WARNING: untranslated string: AES-256-CBC = AES - CBC Mode - 256 Bit +WARNING: untranslated string: AES-256-GCM = AES - GCM Mode - 256 Bit +WARNING: untranslated string: CHACHA20-POLY1305 = ChaCha20-Poly1305 WARNING: untranslated string: Captive ACTIVATE = unknown string WARNING: untranslated string: Captive clients = unknown string WARNING: untranslated string: Captive wrong type = Uploaded file has wrong filetype 
@@ -1035,8 +1039,11 @@ WARNING: untranslated string: info messages = unknown string WARNING: untranslated string: max bandwidth = Maximum bandwidth WARNING: untranslated string: no data = unknown string WARNING: untranslated string: online = Online +WARNING: untranslated string: ovpn ciphers = Ciphers WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation. +WARNING: untranslated string: ovpn if ncp is disabled we must have cipher = If you want to disable cipher negotiation, you will have to select a fallback cipher. +WARNING: untranslated string: ovpn unsupported cipher selected = Unknown cipher selected WARNING: untranslated string: pakfire confirm upgrades = Do you want to install all upgrades? WARNING: untranslated string: pakfire deps = Package dependencies: WARNING: untranslated string: pakfire errors = Errors occurred: diff --git a/doc/language_missings b/doc/language_missings index 30a6e8f48..6a0aff127 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -5,6 +5,10 @@ < access point name is invalid < access point name is required < advproxy update information +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < allowed subnets < ansi t1.483 @@ -45,6 +49,7 @@ < Captive heading voucher < Captive invalid coupon < Captive please enter a coupon code +< CHACHA20-POLY1305 < choose media < could not connect to www ipfire org < cryptographic settings @@ -83,9 +88,12 @@ < okay < oops something went wrong < optional +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server +< ovpn unsupported cipher selected < quality of service < quick control < random number generator daemon 
@@ -129,23 +137,36 @@ ############################################################################ # Checking cgi-bin translations for language: es # ############################################################################ +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM +< CHACHA20-POLY1305 < dns servers < ids provider eol < indirect target selection < mdstat < online +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher +< ovpn unsupported cipher selected < quality of service ############################################################################ # Checking cgi-bin translations for language: fr # ############################################################################ +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < allowed subnets < ansi t1.483 < bewan adsl pci st < bewan adsl usb < bypassed < ca name must only contain characters or spaces +< CHACHA20-POLY1305 < configuration file < data transfer < done @@ -179,9 +200,12 @@ < mdstat < online < oops something went wrong +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server +< ovpn unsupported cipher selected < password has quotation mark < processors < public key @@ -277,6 +301,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < allowed subnets < asn lookup failed @@ -355,6 +383,7 @@ < Captive vout < Captive WiFi coupon < Captive wrong type +< CHACHA20-POLY1305 < check all < configuration file < core update 
@@ -637,13 +666,16 @@ < outgoing compression in bytes per second < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -892,6 +924,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < allowed subnets < asn lookup failed @@ -972,6 +1008,7 @@ < Captive vout < Captive WiFi coupon < Captive wrong type +< CHACHA20-POLY1305 < check all < configuration file < cpu frequency @@ -1276,6 +1313,7 @@ < outgoing compression in bytes per second < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -1284,10 +1322,12 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn reneg sec < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -1540,6 +1580,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < age second < age seconds < age shour @@ -1666,6 +1710,7 @@ < ccd routes < ccd subnet < ccd used +< CHACHA20-POLY1305 < check all < community rules < configuration file @@ -2234,6 +2279,7 @@ < outgoing firewall access < outgoing overhead in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines 
@@ -2244,6 +2290,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -2260,6 +2307,7 @@ < ovpn routes push options < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -2629,6 +2677,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < age second < age seconds < age shour @@ -2755,6 +2807,7 @@ < ccd routes < ccd subnet < ccd used +< CHACHA20-POLY1305 < check all < community rules < configuration file @@ -3331,6 +3384,7 @@ < outgoing overhead in bytes per second < outgoing traffic in bytes per second < ovpn add conf +< ovpn ciphers < ovpn connection name < ovpn crypt options < ovpn engines @@ -3339,6 +3393,7 @@ < ovpn fallback cipher help < ovpn generating the root and host certificates < ovpn ha +< ovpn if ncp is disabled we must have cipher < ovpn mgmt in root range < ovpn mtu-disc < ovpn mtu-disc and mtu not 1500 @@ -3353,6 +3408,7 @@ < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -3708,6 +3764,10 @@ < advproxy wpad label dst_noproxy_url < advproxy wpad title < advproxy wpad view pac +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < allowed subnets < asn lookup failed @@ -3732,6 +3792,7 @@ < cake profile raw 0 < ca name must only contain characters or spaces < Captive delete logo +< CHACHA20-POLY1305 < configuration file < core update < cpu frequency 
@@ -3930,13 +3991,16 @@ < openvpn cert has expired < optional < otp qrcode +< ovpn ciphers < ovpn connection name < ovpn error md5 < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher < ovpn roadwarrior server < ovpn rw connection log < ovpn tls auth +< ovpn unsupported cipher selected < ovpn warning rfc3280 < pakfire already busy < pakfire finished @@ -4111,15 +4175,23 @@ # Checking cgi-bin translations for language: tw # ############################################################################ < advproxy errmsg invalid user/password +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < Captive wrong type +< CHACHA20-POLY1305 < dns servers < guaranteed bandwidth < indirect target selection < max bandwidth < online +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher +< ovpn unsupported cipher selected < pakfire confirm upgrades < pakfire deps < pakfire errors @@ -4136,15 +4208,23 @@ # Checking cgi-bin translations for language: zh # ############################################################################ < advproxy errmsg invalid user/password +< AES-128-CBC +< AES-128-GCM +< AES-256-CBC +< AES-256-GCM < aliases default interface < Captive wrong type +< CHACHA20-POLY1305 < dns servers < guaranteed bandwidth < indirect target selection < max bandwidth < online +< ovpn ciphers < ovpn fallback cipher < ovpn fallback cipher help +< ovpn if ncp is disabled we must have cipher +< ovpn unsupported cipher selected < pakfire confirm upgrades < pakfire deps < pakfire errors diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 3e738f73d..1c1b45984 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -47,6 +47,29 @@ use CGI::Carp 'fatalsToBrowser'; my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); +# Supported ciphers for NCP +my @SUPPORTED_CIPHERS = ( + "AES-256-GCM", + "AES-128-GCM", + "AES-256-CBC", + "AES-128-CBC", + "CHACHA20-POLY1305", +); + +my $DEFAULT_CIPHERS = "AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305"; + +# Translations for the cipher selection +my %CIPHERS = ( + # AES + "AES-256-GCM" => $Lang::tr{'AES-256-GCM'}, + "AES-128-GCM" => $Lang::tr{'AES-128-GCM'}, + "AES-256-CBC" => $Lang::tr{'AES-256-CBC'}, + "AES-128-CBC" => $Lang::tr{'AES-128-CBC'}, + + # ChaCha20-Poly1305 + "CHACHA20-POLY1305" => $Lang::tr{'CHACHA20-POLY1305'}, +); + ### ### Initialize variables ### @@ -235,8 +258,19 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; - print CONF "cipher $sovpnsettings{DCIPHER}\n"; + + # Cryptography + if ($sovpnsettings{'DATACIPHERS'} eq '') { + print CONF "ncp-disable\n"; + } else { + print CONF "data-ciphers " . $sovpnsettings{'DATACIPHERS'} =~ s/\|/:/gr . "\n"; + } + + # Enable fallback cipher? + if ($sovpnsettings{'DCIPHER'} ne '') { + print CONF "data-ciphers-fallback $sovpnsettings{'DCIPHER'}\n"; + } + print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; 
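Review bot: The cipher names are spelled out three times in this hunk, in `@SUPPORTED_CIPHERS`, inside the `$DEFAULT_CIPHERS` string and as the keys of `%CIPHERS`, and nothing says they have to agree. `@SUPPORTED_CIPHERS` is also the allow-list that the save handler checks submitted values against (hunk at -673), so its comment should say so, for example `# Allow-list for DATACIPHERS; every entry needs a label in %CIPHERS`. Building the default from list entries instead of a hand-typed `|`-joined string would keep a typo there from going unnoticed.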
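Review bot: In `writeserverconf`, a missing `DATACIPHERS` key is treated the same as an empty one, so a settings file written before this change yields `ncp-disable` until the advanced options are saved again. That looks intentional, but the code does not say so; a comment such as `# DATACIPHERS unset (older settings) or emptied by the admin: negotiation stays off` would record it. `ncp-disable` was deprecated in OpenVPN 2.5, so it is worth confirming that the shipped daemon still accepts it next to `data-ciphers-fallback`. Both values are printed into the server configuration exactly as stored, which leaves the check at save time as the only guard on what ends up in the file. The function body starts and ends outside the hunk.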
@@ -673,11 +707,29 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; + $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; my @temp=(); + # If NCP is disabled, we need the fallback cipher + if ($cgiparams{'DATACIPHERS'} eq '' && $cgiparams{'DCIPHER'} eq '') { + $errormessage = $Lang::tr{'ovpn if ncp is disabled we must have cipher'}; + goto ADV_ERROR; + } + + # Split data ciphers + my @dataciphers = split(/\|/, $cgiparams{'DATACIPHERS'}); + + # Check if all ciphers are supported + foreach my $cipher (@dataciphers) { + if (!grep(/^$cipher$/, @SUPPORTED_CIPHERS)) { + $errormessage = $Lang::tr{'ovpn unsupported cipher selected'}; + goto ADV_ERROR; + } + } + if ($cgiparams{'FRAGMENT'} eq '') { delete $vpnsettings{'FRAGMENT'}; } else { @@ -2123,7 +2175,20 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Cryptography + + # If no data ciphers have been selected, we try to use the fallback cipher + if ($vpnsettings{'DATACIPHERS'} eq '') { + print CLIENTCONF "ncp-disable\r\n"; + + if ($vpnsettings{'DCIPHER'} ne '') { + print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n"; + } + } else { + # Otherwise we don't write anything because the server and client will negotiate + } + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; if ($vpnsettings{'TLSAUTH'} eq 'on') { 
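Review bot: The allow-list check `grep(/^$cipher$/, @SUPPORTED_CIPHERS)` uses the submitted value as a regular expression, so it accepts any string that matches a supported name as a pattern rather than only the names themselves, and a malformed pattern makes the script die. Because the accepted string is later written into the server configuration as `data-ciphers`, the comparison should be literal: `if (!grep { $_ eq $cipher } @SUPPORTED_CIPHERS) {`. The hunk at -2523 has the mirrored form `grep(/^$cipher$/, @data_ciphers)`, where `eq` would also be the clearer test. `DCIPHER` is not checked in the visible lines; if it is not validated elsewhere, it deserves the same list check. The enclosing `if` block continues beyond the hunk.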
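Review bot: When data ciphers are selected, the generated client configuration contains no cipher directive at all, so a client without negotiation support would use its own built-in default rather than the `DCIPHER` the server sets as `data-ciphers-fallback`. The help string added by this commit says the fallback exists for exactly those clients, so the negotiating branch probably still needs `print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";` when `DCIPHER` is set. How current clients treat `cipher` alongside negotiation should be checked before adding it. The `else` branch that holds only a comment could then be dropped. The surrounding block starts outside the hunk.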
@@ -2476,6 +2541,9 @@ END read_routepushfile; ADV_ERROR: + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = $DEFAULT_CIPHERS; + } if ($cgiparams{'DAUTH'} eq '') { $cgiparams{'DAUTH'} = 'SHA512'; } @@ -2523,6 +2591,15 @@ ADV_ERROR: $selected{'LOG_VERB'}{'11'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; + # Split data ciphers + my @data_ciphers = split(/\|/, $cgiparams{'DATACIPHERS'}); + + # Select the correct ones + $selected{'DATACIPHERS'} = (); + foreach my $cipher (@SUPPORTED_CIPHERS) { + $selected{'DATACIPHERS'}{$cipher} = grep(/^$cipher$/, @data_ciphers) ? "selected" : ""; + } + $selected{'DCIPHER'}{'AES-256-GCM'} = ''; $selected{'DCIPHER'}{'AES-192-GCM'} = ''; $selected{'DCIPHER'}{'AES-128-GCM'} = ''; @@ -2570,6 +2647,30 @@ ADV_ERROR: + + + $Lang::tr{'ovpn ciphers'} + + + +
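Review bot: Defaulting an empty `DATACIPHERS` to `$DEFAULT_CIPHERS` under `ADV_ERROR` makes the form show the default ciphers as selected even when the admin saved an empty list to turn negotiation off. If this label is also the normal path for rendering the advanced page, which the hunk does not show, the next save of any unrelated option would quietly turn negotiation back on. Applying the default only when no value is stored, `if (!defined $cgiparams{'DATACIPHERS'}) {`, would keep an explicit empty choice. Whether `%cgiparams` can distinguish undefined from empty at this point needs checking.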
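Review bot: `$selected{'DATACIPHERS'} = ();` in the -2523 hunk assigns an empty list to a scalar slot, which stores undef and only works because the loop below autovivifies a hash. `$selected{'DATACIPHERS'} = {};` states what is meant. The neighbouring `$selected{'LOG_VERB'}{...}` and `$selected{'DCIPHER'}{...}` lines set each key explicitly, so an empty hash reference followed by the per-cipher assignments fits the existing pattern.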