From 49abe7afb1868315b96643afe08c12fa1b339e3a Mon Sep 17 00:00:00 2001 From: Erik Kapfer Date: Sun, 11 May 2014 09:24:04 +0200 Subject: [PATCH] OpenVPN:Add HMAC, cipher 'n2n' and DH key selection. Fixes and new design. Added HMAC algorithm selection menu for N2N and RW. Added cipher selection menu for N2N connections. Added DH key selection also for existing installations incl. DH key upload possibility. Adjusted the ovpn main WUI design to IPSec WUI. Extend key lenght for CA, cert and control channel with faktor 2. Some code and typo cleanup. Bugfixes for #10317, #10149, #10462, #10463 V.2 New changes: Integrated changes in langs and ovpnmain.cgi until 20.03.2014 2.15-Beta3. ovpn.cnf have now default bits of 2048 instead of 1024. ovpn.cnf default_md works now with sha256 instead of md5. Bugfix: By new installation the auth directive for RWs is faded out #10462 Comment 15. Added error message if the crl should be displayed but no crl is present. v.3 New changes #10462 Comment 20: Updated to core version 77. Deleted manual name award in DH key upload section, name will be given automatically now. Added sha512WithRSAEncryption instead of sha1WithRSAEncryption for "Root Certificate". Added tls-auth support for Roadwarriors. Added crypto engine support for N2N and Roadwarriors. --- config/ovpn/openssl/ovpn.cnf | 92 +-- html/cgi-bin/ovpnmain.cgi | 1219 +++++++++++++++++++++++----------- langs/de/cgi-bin/de.pl | 33 +- langs/en/cgi-bin/en.pl | 33 +- 4 files changed, 935 insertions(+), 442 deletions(-) diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index d82c04b904..ab026c1095 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf @@ -1,46 +1,46 @@ -HOME = . -RANDFILE = /var/ipfire/ovpn/ca/.rnd -oid_section = new_oids +HOME = . +RANDFILE = /var/ipfire/ovpn/ca/.rnd +oid_section = new_oids [ new_oids ] [ ca ] -default_ca = openvpn +default_ca = openvpn [ openvpn ] -dir = /var/ipfire/ovpn -certs = $dir/certs -crl_dir = $dir/crl -database = $dir/certs/index.txt -new_certs_dir = $dir/certs -certificate = $dir/ca/cacert.pem -serial = $dir/certs/serial -crl = $dir/crl.pem -private_key = $dir/ca/cakey.pem -RANDFILE = $dir/ca/.rand -x509_extensions = usr_cert -default_days = 999999 -default_crl_days= 30 -default_md = md5 -preserve = no -policy = policy_match -email_in_dn = no +dir = /var/ipfire/ovpn +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/certs/index.txt +new_certs_dir = $dir/certs +certificate = $dir/ca/cacert.pem +serial = $dir/certs/serial +crl = $dir/crl.pem +private_key = $dir/ca/cakey.pem +RANDFILE = $dir/ca/.rand +x509_extensions = usr_cert +default_days = 999999 +default_crl_days = 30 +default_md = sha256 +preserve = no +policy = policy_match +email_in_dn = no [ policy_match ] -countryName = optional -stateOrProvinceName = optional -organizationName = optional -organizationalUnitName = optional -commonName = supplied -emailAddress = optional +countryName = optional +stateOrProvinceName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional [ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes -x509_extensions = v3_ca -string_mask = nombstr +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca +string_mask = nombstr [ req_distinguished_name ] countryName = Country Name (2 letter code) @@ -73,31 +73,31 @@ challengePassword_max = 20 unstructuredName = An optional company name [ usr_cert ] -basicConstraints=CA:FALSE +basicConstraints = CA:FALSE nsComment = "OpenSSL Generated Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always [ server ] # JY ADDED -- Make a cert with nsCertType set to "server" -basicConstraints=CA:FALSE +basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer:always +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always [ v3_req ] -basicConstraints = CA:FALSE -keyUsage = nonRepudiation, digitalSignature, keyEncipherment +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true [ crl_ext ] -authorityKeyIdentifier=keyid:always,issuer:always +authorityKeyIdentifier = keyid:always,issuer:always [ engine ] -default = openssl +default = openssl diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 877e09cb11..0c9e73d5b8 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2013 IPFire Team # +# Copyright (C) 2007-2014 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -19,7 +19,7 @@ # # ############################################################################### ### -# Based on IPFireCore 55 +# Based on IPFireCore 77 ### use CGI; use CGI qw/:standard/; @@ -80,6 +80,8 @@ $cgiparams{'COMPRESSION'} = 'off'; $cgiparams{'ONLY_PROPOSED'} = 'off'; $cgiparams{'ACTION'} = ''; $cgiparams{'CA_NAME'} = ''; +$cgiparams{'DH_NAME'} = 'dh1024.pem'; +$cgiparams{'DHLENGHT'} = ''; $cgiparams{'DHCP_DOMAIN'} = ''; $cgiparams{'DHCP_DNS'} = ''; $cgiparams{'DHCP_WINS'} = ''; @@ -88,6 +90,10 @@ $cgiparams{'DCOMPLZO'} = 'off'; $cgiparams{'MSSFIX'} = ''; $cgiparams{'number'} = ''; $cgiparams{'PMTU_DISCOVERY'} = ''; +$cgiparams{'DCIPHER'} = ''; +$cgiparams{'DAUTH'} = ''; +$cgiparams{'TLSAUTH'} = ''; +$cgiparams{'ENGINES'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; unless (-e $routes_push_file) { system("touch $routes_push_file"); } unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); } @@ -243,10 +249,10 @@ sub writeserverconf { print CONF "ifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600\n"; print CONF "client-config-dir /var/ipfire/ovpn/ccd\n"; print CONF "tls-server\n"; - print CONF "ca /var/ipfire/ovpn/ca/cacert.pem\n"; - print CONF "cert /var/ipfire/ovpn/certs/servercert.pem\n"; - print CONF "key /var/ipfire/ovpn/certs/serverkey.pem\n"; - print CONF "dh /var/ipfire/ovpn/ca/dh1024.pem\n"; + print CONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; + print CONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; + print CONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; + print CONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; my @tempovpnsubnet = split("\/",$sovpnsettings{'DOVPN_SUBNET'}); print CONF "server $tempovpnsubnet[0] $tempovpnsubnet[1]\n"; #print CONF "push \"route $netsettings{'GREEN_NETADDRESS'} $netsettings{'GREEN_NETMASK'}\"\n"; @@ -313,6 +319,19 @@ sub writeserverconf { print CONF "status-version 1\n"; print CONF "status /var/log/ovpnserver.log 30\n"; print CONF "cipher $sovpnsettings{DCIPHER}\n"; + if ($sovpnsettings{'DAUTH'} eq '') { + print CONF ""; + } else { + print CONF "auth $sovpnsettings{'DAUTH'}\n"; + } + if ($sovpnsettings{'TLSAUTH'} eq 'on') { + print CONF "tls-auth ${General::swroot}/ovpn/ca/ta.key 0\n"; + } + if ($sovpnsettings{ENGINES} eq 'disabled') { + print CONF ""; + } else { + print CONF "engine $sovpnsettings{ENGINES}\n"; + } if ($sovpnsettings{DCOMPLZO} eq 'on') { print CONF "comp-lzo\n"; } @@ -731,6 +750,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'PMTU_DISCOVERY'} = $cgiparams{'PMTU_DISCOVERY'}; + $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; + $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; + $vpnsettings{'ENGINES'} = $cgiparams{'ENGINES'}; my @temp=(); if ($cgiparams{'FRAGMENT'} eq '') { @@ -743,12 +765,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'}; } } + if ($cgiparams{'MSSFIX'} ne 'on') { delete $vpnsettings{'MSSFIX'}; } else { $vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'}; } + # Create ta.key for tls-auth if not presant + if ($cgiparams{'TLSAUTH'} eq 'on') { + if ( ! -e "${General::swroot}/ovpn/ca/ta.key") { + system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/ca/ta.key") + } + } + if (($cgiparams{'PMTU_DISCOVERY'} eq 'yes') || ($cgiparams{'PMTU_DISCOVERY'} eq 'maybe') || ($cgiparams{'PMTU_DISCOVERY'} eq 'no' )) { @@ -925,9 +955,21 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "ca ${General::swroot}/ovpn/ca/cacert.pem\n"; print SERVERCONF "cert ${General::swroot}/ovpn/certs/servercert.pem\n"; print SERVERCONF "key ${General::swroot}/ovpn/certs/serverkey.pem\n"; - print SERVERCONF "dh ${General::swroot}/ovpn/ca/dh1024.pem\n"; + print SERVERCONF "dh ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}\n"; print SERVERCONF "# Cipher\n"; - print SERVERCONF "cipher AES-256-CBC\n"; + print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n"; + if ($cgiparams{'DAUTH'} eq '') { + print SERVERCONF "auth SHA1\n"; + } else { + print SERVERCONF "# HMAC algorithm\n"; + print SERVERCONF "auth $cgiparams{'DAUTH'}\n"; + } + if ($cgiparams{'ENGINES'} eq 'disabled') { + print SERVERCONF ""; + } else { + print SERVERCONF "# Crypto engine\n"; + print SERVERCONF "engine $cgiparams{'ENGINES'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print SERVERCONF "# Enable Compression\n"; print SERVERCONF "comp-lzo\r\n"; @@ -1014,8 +1056,20 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; print CLIENTCONF "# Cipher\n"; - print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n"; print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n"; + if ($cgiparams{'DAUTH'} eq '') { + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $cgiparams{'DAUTH'}\n"; + } + if ($cgiparams{'ENGINES'} eq 'disabled') { + print CLIENTCONF ""; + } else { + print CLIENTCONF "# Crypto engine\n"; + print CLIENTCONF "engine $cgiparams{'ENGINES'}\n"; + } if ($cgiparams{'COMPLZO'} eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; @@ -1114,11 +1168,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $errormessage = $Lang::tr{'invalid port'}; goto SETTINGS_ERROR; } - - if ($cgiparams{'DDEST_PORT'} <= 1023) { - $errormessage = $Lang::tr{'ovpn port in root range'}; - goto SETTINGS_ERROR; - } $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'}; $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'}; @@ -1144,7 +1193,7 @@ SETTINGS_ERROR: ### ### Reset all step 2 ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'} && $cgiparams{'AREUSURE'} eq 'yes') { +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'} && $cgiparams{'AREUSURE'} eq 'yes') { my $file = ''; &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -1154,37 +1203,67 @@ SETTINGS_ERROR: } } while ($file = glob("${General::swroot}/ovpn/ca/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/certs/*")) { - unlink $file + unlink $file; } while ($file = glob("${General::swroot}/ovpn/crls/*")) { - unlink $file + unlink $file; } &cleanssldatabase(); if (open(FILE, ">${General::swroot}/ovpn/caconfig")) { print FILE ""; close FILE; } - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + if (open(FILE, ">${General::swroot}/ovpn/ccdroute")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ccdroute2")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/ccd/*")) { + unlink $file + } + if (open(FILE, ">${General::swroot}/ovpn/ovpn-leases.db")) { + print FILE ""; + close FILE; + } + if (open(FILE, ">${General::swroot}/ovpn/ovpnconfig")) { + print FILE ""; + close FILE; + } + while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { + system ("rm -rf $file"); + } + #&writeserverconf(); ### ### Reset all step 1 ### -}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reset'}) { +}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'remove x509'}) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); - &Header::openbigbox('100%', 'LEFT', '', ''); - &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'}); - print <
- - $Lang::tr{'capswarning'}: - $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'} - - -
+ &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'left', '', ''); + &Header::openbox('100%', 'left', $Lang::tr{'are you sure'}); + print < + + + + + + + +
+ + $Lang::tr{'capswarning'}: + $Lang::tr{'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections'}
+
+ + END ; &Header::closebox(); @@ -1192,6 +1271,104 @@ END &Header::closepage(); exit (0); +### +### Generate DH key step 2 +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'} && $cgiparams{'AREUSURE'} eq 'yes') { + # Delete if old key exists + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; + } + # Create Diffie Hellmann Parameter + system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', + '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + if ($?) { + $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; + unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); + } + +### +### Generate DH key step 1 +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate dh key'}) { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'gen dh'}:"); + print < + + + + + $Lang::tr{'ovpn dh'}: + +
+ + + + +
+ + + + $Lang::tr{'capswarning'}: $Lang::tr{'dh key warn'} + + + + + + + + + +
$Lang::tr{'dh key warn1'}

+ +END + ; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit (0); + +### +### Upload DH key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload dh key'}) { + if (ref ($cgiparams{'FH'}) ne 'Fh') { + $errormessage = $Lang::tr{'there was no file upload'}; + goto UPLOADCA_ERROR; + } + # Move uploaded dh key to a temporary file + (my $fh, my $filename) = tempfile( ); + if (copy ($cgiparams{'FH'}, $fh) != 1) { + $errormessage = $!; + goto UPLOADCA_ERROR; + } + my $temp = `/usr/bin/openssl dhparam -text -in $filename`; + if ($temp !~ /DH Parameters: \((1024|2048|3072|4096) bit\)/) { + $errormessage = $Lang::tr{'not a valid dh key'}; + unlink ($filename); + goto UPLOADCA_ERROR; + } else { + # Delete if old key exists + if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { + unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; + } + move($filename, "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); + if ($? ne 0) { + $errormessage = "$Lang::tr{'dh key move failed'}: $!"; + unlink ($filename); + goto UPLOADCA_ERROR; + } + } + ### ### Upload CA Certificate ### @@ -1268,7 +1445,7 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; @@ -1345,10 +1522,10 @@ END } if ($assignedcerts) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', $Lang::tr{'are you sure'}); - print <
@@ -1380,7 +1557,7 @@ END $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { my $output; &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); @@ -1646,7 +1823,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-days', '999999', '-newkey', 'rsa:2048', + '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -1677,7 +1854,7 @@ END } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server', @@ -1729,8 +1906,7 @@ END } # Create Diffie Hellmann Parameter system('/usr/bin/openssl', 'dhparam', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-out', "${General::swroot}/ovpn/ca/dh1024.pem", - '1024' ); + '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -1748,7 +1924,7 @@ END ROOTCERT_ERROR: if ($cgiparams{'ACTION'} ne '') { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); @@ -1757,7 +1933,7 @@ END &Header::closebox(); } &Header::openbox('100%', 'LEFT', "$Lang::tr{'generate root/host certificates'}:"); - print < @@ -1790,19 +1966,38 @@ END } print ">$country"; } - print < - + + + + - - + +
$Lang::tr{'organization name'}: 
$Lang::tr{'ovpn dh'}: +
    
* $Lang::tr{'this field may be blank'}
- $Lang::tr{'capswarning'}: - $Lang::tr{'generating the root and host certificates may take a long time. it can take up to several minutes on older hardware. please be patient'} -

+ + $Lang::tr{'capswarning'}: $Lang::tr{'ovpn generating the root and host certificates'} + + + + + + + +
$Lang::tr{'dh key warn'}
$Lang::tr{'dh key warn1'}

+ + + @@ -1818,7 +2013,7 @@ END END ; &Header::closebox(); - + print ""; &Header::closebigbox(); &Header::closepage(); exit(0) @@ -1950,13 +2145,20 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ print CLIENTCONF "ns-cert-type server\n"; print CLIENTCONF "# Auth. Client\n"; print CLIENTCONF "tls-client\n"; - print CLIENTCONF "# Cipher\n"; - print CLIENTCONF "cipher AES-256-CBC\n"; + print CLIENTCONF "# Cipher\n"; + print CLIENTCONF "cipher $confighash{$cgiparams{'KEY'}}[40]\n"; if ($confighash{$cgiparams{'KEY'}}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12") { print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12\r\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n"; - } - if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { + } + if ($confighash{$cgiparams{'KEY'}}[39] eq '') { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth SHA1\n"; + } else { + print CLIENTCONF "# HMAC algorithm\n"; + print CLIENTCONF "auth $confighash{$cgiparams{'KEY'}}[39]\n"; + } + if ($confighash{$cgiparams{'KEY'}}[30] eq 'on') { print CLIENTCONF "# Enable Compression\n"; print CLIENTCONF "comp-lzo\r\n"; } @@ -2051,6 +2253,15 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + if ($vpnsettings{'DAUTH'} eq '') { + print CLIENTCONF ""; + } else { + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; + } + if ($vpnsettings{'TLSAUTH'} eq 'on') { + print CLIENTCONF "tls-auth ta.key 1\r\n"; + $zip->addFile( "${General::swroot}/ovpn/ca/ta.key", "ta.key") or die "Can't add file ta.key\n"; + } if ($vpnsettings{DCOMPLZO} eq 'on') { print CLIENTCONF "comp-lzo\r\n"; } @@ -2180,7 +2391,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; @@ -2192,15 +2403,40 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { &Header::closepage(); exit(0); } + +### +### Display Diffie-Hellman key +### +} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show dh'}) { + + if (! -e "${General::swroot}/ovpn/ca/dh1024.pem") { + $errormessage = $Lang::tr{'not present'}; + } else { + &Header::showhttpheaders(); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); + &Header::openbigbox('100%', 'LEFT', '', ''); + &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); + my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; + $output = &Header::cleanhtml($output,"y"); + print "
$output
\n"; + &Header::closebox(); + print ""; + &Header::closebigbox(); + &Header::closepage(); + exit(0); + } + ### ### Display Certificate Revoke List ### } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show crl'}) { # &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - if ( -f "${General::swroot}/ovpn/crls/cacrl.pem") { + if (! -e "${General::swroot}/ovpn/crls/cacrl.pem") { + $errormessage = $Lang::tr{'not present'}; + } else { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; @@ -2245,17 +2481,26 @@ ADV_ERROR: if ($cgiparams{'PMTU_DISCOVERY'} eq '') { $cgiparams{'PMTU_DISCOVERY'} = 'off'; } + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } + if ($cgiparams{'TLSAUTH'} eq '') { + $cgiparams{'TLSAUTH'} = 'off'; + } $checked{'CLIENT2CLIENT'}{'off'} = ''; $checked{'CLIENT2CLIENT'}{'on'} = ''; $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED'; $checked{'REDIRECT_GW_DEF1'}{'off'} = ''; $checked{'REDIRECT_GW_DEF1'}{'on'} = ''; $checked{'REDIRECT_GW_DEF1'}{$cgiparams{'REDIRECT_GW_DEF1'}} = 'CHECKED'; - $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; $checked{'MSSFIX'}{'off'} = ''; $checked{'MSSFIX'}{'on'} = ''; $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED'; $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{'1'} = ''; $selected{'LOG_VERB'}{'2'} = ''; $selected{'LOG_VERB'}{'3'} = ''; @@ -2267,8 +2512,22 @@ ADV_ERROR: $selected{'LOG_VERB'}{'9'} = ''; $selected{'LOG_VERB'}{'10'} = ''; $selected{'LOG_VERB'}{'11'} = ''; - $selected{'LOG_VERB'}{'0'} = ''; $selected{'LOG_VERB'}{$cgiparams{'LOG_VERB'}} = 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + $checked{'TLSAUTH'}{'off'} = ''; + $checked{'TLSAUTH'}{'on'} = ''; + $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED'; + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'status ovpn'}, 1, ''); @@ -2280,7 +2539,7 @@ ADV_ERROR: &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); - print <
$Lang::tr{'upload p12 file'}:  
@@ -2350,12 +2609,11 @@ print < - - + @@ -2367,53 +2625,84 @@ print <
fragment
$Lang::tr{'openvpn default'}: 1300
mssfix $Lang::tr{'openvpn default'}: on$Lang::tr{'openvpn default'}: off
- -
- + +
- + + - - - - - -
$Lang::tr{'log-options'}
VERB
+ HMAC tls-auth + + +
+ + END if ( -e "/var/run/openvpn.pid"){ print"
$Lang::tr{'attention'}:
$Lang::tr{'server restart'}

"; - print<   @@ -2429,7 +2718,7 @@ END }else{ -print<   @@ -2484,7 +2773,7 @@ if ($cgiparams{'ACTION'} eq "edit"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd modify'}); - print < $Lang::tr{'ccd name'}: @@ -2498,7 +2787,7 @@ END &Header::closebox(); &Header::openbox('100%', 'LEFT',$Lang::tr{'ccd net'} ); - print < $Lang::tr{'ccd name'}$Lang::tr{'network'}$Lang::tr{'ccd used'} @@ -2508,7 +2797,7 @@ END else{ if (! -e "/var/run/openvpn.pid"){ &Header::openbox('100%', 'LEFT', $Lang::tr{'ccd add'}); - print < $Lang::tr{'ccd hint'}

@@ -2582,7 +2871,7 @@ END # # $Lang::tr{'protocol'} # protocol temp removed - print < $Lang::tr{'common name'} @@ -2661,7 +2950,7 @@ END } print ""; - print < @@ -2770,13 +3059,13 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'add'} && $cgiparams{'TYPE'} eq '') { &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', $Lang::tr{'connection type'}); if ( -s "${General::swroot}/ovpn/settings") { - print <$Lang::tr{'connection type'}:
@@ -2797,7 +3086,7 @@ END } else { - print <$Lang::tr{'connection type'}:
@@ -2809,6 +3098,7 @@ END } &Header::closebox(); + print ""; &Header::closebigbox(); &Header::closepage(); exit (0); @@ -2944,7 +3234,8 @@ END my $complzoactive; my $mssfixactive; my $n2nfragment; -my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]);; +my $authactive; +my @n2nmtudisc = split(/ /, (grep { /^mtu-disc/ } @firen2nconf)[0]); my @n2nproto2 = split(/ /, (grep { /^proto/ } @firen2nconf)[0]); my @n2nproto = split(/-/, $n2nproto2[1]); my @n2nport = split(/ /, (grep { /^port/ } @firen2nconf)[0]); @@ -2961,7 +3252,9 @@ my @n2novpnsub = split(/\./,$n2novpnsuball[1]); my @n2nremsub = split(/ /, (grep { /^route/ } @firen2nconf)[0]); my @n2nmgmt = split(/ /, (grep { /^management/ } @firen2nconf)[0]); my @n2nlocalsub = split(/ /, (grep { /^# remsub/ } @firen2nconf)[0]); - +my @n2ncipher = split(/ /, (grep { /^cipher/ } @firen2nconf)[0]); +my @n2nauth = split(/ /, (grep { /^auth/ } @firen2nconf)[0]); +my @n2nengine = split(/ /, (grep { /^engine/ } @firen2nconf)[0]);; ### # m.a.d delete CR and LF from arrays for this chomp doesnt work @@ -2980,6 +3273,9 @@ $n2nlocalsub[2] =~ s/\n|\r//g; $n2nfragment[1] =~ s/\n|\r//g; $n2nmgmt[2] =~ s/\n|\r//g; $n2nmtudisc[1] =~ s/\n|\r//g; +$n2ncipher[1] =~ s/\n|\r//g; +$n2nauth[1] =~ s/\n|\r//g; +$n2nengine[1] =~ s/\n|\r//g; chomp ($complzoactive); chomp ($mssfixactive); @@ -3016,7 +3312,7 @@ foreach my $dkey (keys %confighash) { } ### -# Check im Dest Port is vaild +# Check if Dest Port is vaild ### foreach my $dkey (keys %confighash) { @@ -3033,7 +3329,7 @@ foreach my $dkey (keys %confighash) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 39) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 42) { $confighash{$key}[$i] = "";} $confighash{$key}[0] = 'off'; $confighash{$key}[1] = $n2nname[0]; @@ -3054,7 +3350,10 @@ foreach my $dkey (keys %confighash) { $confighash{$key}[29] = $n2nport[1]; $confighash{$key}[30] = $complzoactive; $confighash{$key}[31] = $n2ntunmtu[1]; - $confighash{$key}[38] = $n2nmtudisc[1]; + $confighash{$key}[38] = $n2nmtudisc[1]; + $confighash{$key}[39] = $n2nauth[1]; + $confighash{$key}[40] = $n2ncipher[1]; + $confighash{$key}[41] = 'disabled'; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -3075,7 +3374,7 @@ foreach my $dkey (keys %confighash) { &Header::openbox('100%', 'LEFT', 'import ipfire net2net config'); } if ($errormessage eq ''){ - print <
$Lang::tr{'host to net vpn'}
@@ -3094,6 +3393,8 @@ foreach my $dkey (keys %confighash) { + +
  
$Lang::tr{'MTU'}$confighash{$key}[31]
$Lang::tr{'ovpn mtu-disc'}$confighash{$key}[38]
Management Port $confighash{$key}[22]
$Lang::tr{'ovpn hmac'}:$confighash{$key}[39]
$Lang::tr{'cipher'}$confighash{$key}[40]
  
END @@ -3111,7 +3412,7 @@ END } &Header::closebigbox(); &Header::closepage(); - exit(0); + exit(0); ## @@ -3164,33 +3465,37 @@ if ($confighash{$cgiparams{'KEY'}}) { $errormessage = $Lang::tr{'invalid key'}; goto VPNCONF_END; } - $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; - $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; - $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; - $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; - $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; - $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; - $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; - $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; + $cgiparams{'ENABLED'} = $confighash{$cgiparams{'KEY'}}[0]; + $cgiparams{'NAME'} = $confighash{$cgiparams{'KEY'}}[1]; + $cgiparams{'TYPE'} = $confighash{$cgiparams{'KEY'}}[3]; + $cgiparams{'AUTH'} = $confighash{$cgiparams{'KEY'}}[4]; + $cgiparams{'PSK'} = $confighash{$cgiparams{'KEY'}}[5]; + $cgiparams{'SIDE'} = $confighash{$cgiparams{'KEY'}}[6]; + $cgiparams{'LOCAL_SUBNET'} = $confighash{$cgiparams{'KEY'}}[8]; + $cgiparams{'REMOTE'} = $confighash{$cgiparams{'KEY'}}[10]; $cgiparams{'REMOTE_SUBNET'} = $confighash{$cgiparams{'KEY'}}[11]; - $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22]; - $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23]; - $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24]; - $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; - $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; - $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; - $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; - $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; - $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; - $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; - $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32]; + $cgiparams{'OVPN_MGMT'} = $confighash{$cgiparams{'KEY'}}[22]; + $cgiparams{'MSSFIX'} = $confighash{$cgiparams{'KEY'}}[23]; + $cgiparams{'FRAGMENT'} = $confighash{$cgiparams{'KEY'}}[24]; + $cgiparams{'REMARK'} = $confighash{$cgiparams{'KEY'}}[25]; + $cgiparams{'INTERFACE'} = $confighash{$cgiparams{'KEY'}}[26]; + $cgiparams{'OVPN_SUBNET'} = $confighash{$cgiparams{'KEY'}}[27]; + $cgiparams{'PROTOCOL'} = $confighash{$cgiparams{'KEY'}}[28]; + $cgiparams{'DEST_PORT'} = $confighash{$cgiparams{'KEY'}}[29]; + $cgiparams{'COMPLZO'} = $confighash{$cgiparams{'KEY'}}[30]; + $cgiparams{'MTU'} = $confighash{$cgiparams{'KEY'}}[31]; + $cgiparams{'CHECK1'} = $confighash{$cgiparams{'KEY'}}[32]; $name=$cgiparams{'CHECK1'} ; - $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33]; - $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34]; - $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; - $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; - $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; + $cgiparams{$name} = $confighash{$cgiparams{'KEY'}}[33]; + $cgiparams{'RG'} = $confighash{$cgiparams{'KEY'}}[34]; + $cgiparams{'CCD_DNS1'} = $confighash{$cgiparams{'KEY'}}[35]; + $cgiparams{'CCD_DNS2'} = $confighash{$cgiparams{'KEY'}}[36]; + $cgiparams{'CCD_WINS'} = $confighash{$cgiparams{'KEY'}}[37]; $cgiparams{'PMTU_DISCOVERY'} = $confighash{$cgiparams{'KEY'}}[38]; + $cgiparams{'DAUTH'} = $confighash{$cgiparams{'KEY'}}[39]; + $cgiparams{'DCIPHER'} = $confighash{$cgiparams{'KEY'}}[40]; + $cgiparams{'TLSAUTH'} = $confighash{$cgiparams{'KEY'}}[41]; + $cgiparams{'ENGINES'} = $confighash{$cgiparams{'KEY'}}[42]; } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) { $cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'}); @@ -3727,6 +4032,8 @@ if ($cgiparams{'TYPE'} eq 'net') { } if ($cgiparams{'CERT_NAME'} !~ /^[a-zA-Z0-9 ,\.\-_]+$/) { $errormessage = $Lang::tr{'invalid input for name'}; + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; goto VPNCONF_ERROR; } if ($cgiparams{'CERT_EMAIL'} ne '' && (! &General::validemail($cgiparams{'CERT_EMAIL'}))) { @@ -3799,7 +4106,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } } else { # child unless (exec ('/usr/bin/openssl', 'req', '-nodes', '-rand', '/proc/interrupts:/proc/net/rt_cache', - '-newkey', 'rsa:1024', + '-newkey', 'rsa:2048', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { @@ -3868,7 +4175,7 @@ if ($cgiparams{'TYPE'} eq 'net') { if (! $key) { $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 38) { $confighash{$key}[$i] = "";} + foreach my $i (0 .. 43) { $confighash{$key}[$i] = "";} } $confighash{$key}[0] = $cgiparams{'ENABLED'}; $confighash{$key}[1] = $cgiparams{'NAME'}; @@ -3887,13 +4194,13 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[6] = $cgiparams{'SIDE'}; $confighash{$key}[11] = $cgiparams{'REMOTE_SUBNET'}; } - $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; + $confighash{$key}[8] = $cgiparams{'LOCAL_SUBNET'}; $confighash{$key}[10] = $cgiparams{'REMOTE'}; - if ($cgiparams{'OVPN_MGMT'} eq '') { + if ($cgiparams{'OVPN_MGMT'} eq '') { $confighash{$key}[22] = $confighash{$key}[29]; - } else { + } else { $confighash{$key}[22] = $cgiparams{'OVPN_MGMT'}; - } + } $confighash{$key}[23] = $cgiparams{'MSSFIX'}; $confighash{$key}[24] = $cgiparams{'FRAGMENT'}; $confighash{$key}[25] = $cgiparams{'REMARK'}; @@ -3911,7 +4218,10 @@ if ($cgiparams{'TYPE'} eq 'net') { $confighash{$key}[35] = $cgiparams{'CCD_DNS1'}; $confighash{$key}[36] = $cgiparams{'CCD_DNS2'}; $confighash{$key}[37] = $cgiparams{'CCD_WINS'}; - $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; + $confighash{$key}[38] = $cgiparams{'PMTU_DISCOVERY'}; + $confighash{$key}[39] = $cgiparams{'DAUTH'}; + $confighash{$key}[40] = $cgiparams{'DCIPHER'}; + $confighash{$key}[42] = $cgiparams{'ENGINES'}; &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); @@ -4023,6 +4333,8 @@ if ($cgiparams{'TYPE'} eq 'net') { $cgiparams{'MSSFIX'} = 'on'; $cgiparams{'FRAGMENT'} = '1300'; $cgiparams{'PMTU_DISCOVERY'} = 'off'; + $cgiparams{'DAUTH'} = 'SHA1'; + $cgiparams{'ENGINES'} = 'disabled'; ### # m.a.d n2n end ### @@ -4087,10 +4399,55 @@ if ($cgiparams{'TYPE'} eq 'net') { } $checked{'PMTU_DISCOVERY'}{$cgiparams{'PMTU_DISCOVERY'}} = 'checked=\'checked\''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + # If no cipher has been chossen yet, select + # the old default (AES-256-CBC) for compatiblity reasons. + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; + } + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + # If no hash algorythm has been choosen yet, select + # the old default value (SHA1) for compatiblity reasons. + if ($cgiparams{'DAUTH'} eq '') { + $cgiparams{'DAUTH'} = 'SHA1'; + } + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + # If no engine has been choosen yet, select + # a default one (disabled). + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; if (1) { &Header::showhttpheaders(); - &Header::openpage($Lang::tr{'vpn configuration main'}, 1, ''); + &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); if ($errormessage) { &Header::openbox('100%', 'LEFT', $Lang::tr{'error messages'}); @@ -4148,48 +4505,103 @@ if ($cgiparams{'TYPE'} eq 'net') { - print <    $Lang::tr{'Act as'} + $Lang::tr{'remote host/ip'}: + $Lang::tr{'local subnet'} + $Lang::tr{'remote subnet'} + $Lang::tr{'ovpn subnet'} - $Lang::tr{'protocol'} - - - - $Lang::tr{'destination port'}: - - $Lang::tr{'comp-lzo'}   - - - mssfix   - - $Lang::tr{'openvpn default'}: on - - fragment   - - $Lang::tr{'openvpn default'}: 1300 + + $Lang::tr{'protocol'} + + + $Lang::tr{'destination port'}: + + + + $Lang::tr{'cipher'} + + + + $Lang::tr{'ovpn ha'}: + + + + + $Lang::tr{'ovpn engines'}   + + + + +
+ + Management Port ($Lang::tr{'openvpn default'}: $Lang::tr{'destination port'}):   + + + $Lang::tr{'MTU'}  - - $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 - - Management Port  - - $Lang::tr{'openvpn default'}: $Lang::tr{'destination port'} + + $Lang::tr{'openvpn default'}: udp/tcp 1500/1400 + - - $Lang::tr{'ovpn mtu-disc'} + fragment   + + $Lang::tr{'openvpn default'}: 1300 + + + mssfix   + + $Lang::tr{'openvpn default'}: on + + + $Lang::tr{'comp-lzo'}   + + + + $Lang::tr{'ovpn mtu-disc'} $Lang::tr{'ovpn mtu-disc yes'} $Lang::tr{'ovpn mtu-disc maybe'} @@ -4260,7 +4672,7 @@ if ($cgiparams{'TYPE'} eq 'host') { if ($cgiparams{'TYPE'} eq 'host') { -print < $Lang::tr{'upload a certificate request'} @@ -4285,7 +4697,7 @@ END } else { -print < $Lang::tr{'generate a certificate'}  @@ -4319,7 +4731,7 @@ END ### if ($cgiparams{'TYPE'} eq 'host') { - print <  $Lang::tr{'valid till'} (days): @@ -4335,7 +4747,7 @@ if ($cgiparams{'TYPE'} eq 'host') { END }else{ - print <         @@ -4463,7 +4875,7 @@ END if (&haveOrangeNet() && $selorange == '1'){ print"";$selorange=0;}elsif(&haveOrangeNet() && $selorange == '0'){print"";} if ($selgreen == '1' || $other == '0'){ print"";$set=0;}else{print"";}; - print<DNS1: DNS2: WINS:
@@ -4519,10 +4931,13 @@ END if ($cgiparams{'DMTU'} eq '') { $cgiparams{'DMTU'} = '1400'; } + if ($cgiparams{'ENGINES'} eq '') { + $cgiparams{'ENGINES'} = 'disabled'; + } if ($cgiparams{'DOVPN_SUBNET'} eq '') { $cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0'; } - $checked{'ENABLED'}{'off'} = ''; + $checked{'ENABLED'}{'off'} = ''; $checked{'ENABLED'}{'on'} = ''; $checked{'ENABLED'}{$cgiparams{'ENABLED'}} = 'CHECKED'; $checked{'ENABLED_BLUE'}{'off'} = ''; @@ -4539,22 +4954,38 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; $selected{'DCIPHER'}{'RC2-CBC'} = ''; - $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; $selected{'DCIPHER'}{'RC2-64-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'RC2-40-CBC'} = ''; $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + + $selected{'DAUTH'}{'whirlpool'} = ''; + $selected{'DAUTH'}{'SHA512'} = ''; + $selected{'DAUTH'}{'SHA384'} = ''; + $selected{'DAUTH'}{'SHA256'} = ''; + $selected{'DAUTH'}{'SHA1'} = ''; + $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED'; + + $selected{'ENGINES'}{'cryptodev'} = ''; + $selected{'ENGINES'}{'dynamic'} = ''; + $selected{'ENGINES'}{'aesni'} = ''; + $selected{'ENGINES'}{'padlock'} = ''; + $selected{'ENGINES'}{'disabled'} = ''; + $selected{'ENGINES'}{$cgiparams{'ENGINES'}} = 'SELECTED'; + $checked{'DCOMPLZO'}{'off'} = ''; $checked{'DCOMPLZO'}{'on'} = ''; $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED'; @@ -4595,7 +5026,7 @@ END $activeonrun = "disabled='disabled'"; } &Header::openbox('100%', 'LEFT', $Lang::tr{'global settings'}); - print <   @@ -4629,26 +5060,31 @@ END $Lang::tr{'MTU'}  + + $Lang::tr{'cipher'} + + $Lang::tr{'comp-lzo'} - $Lang::tr{'cipher'} - + +

END ; @@ -4676,154 +5112,7 @@ END } print ""; &Header::closebox(); - &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}"); - print < - - $Lang::tr{'name'} - $Lang::tr{'subject'} - $Lang::tr{'action'} - -EOF - ; - my $col1="bgcolor='$color{'color22'}'"; - my $col2="bgcolor='$color{'color20'}'"; - if (-f "${General::swroot}/ovpn/ca/cacert.pem") { - my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; - $casubject =~ /Subject: (.*)[\n]/; - $casubject = $1; - $casubject =~ s+/Email+, E+; - $casubject =~ s/ ST=/ S=/; - print < - $Lang::tr{'root certificate'} - $casubject -
- - -
-
- - -
-   -END - ; - } else { - # display rootcert generation buttons - print < - $Lang::tr{'root certificate'}: - $Lang::tr{'not present'} -   -END - ; - } - - if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - $hostsubject =~ /Subject: (.*)[\n]/; - $hostsubject = $1; - $hostsubject =~ s+/Email+, E+; - $hostsubject =~ s/ ST=/ S=/; - - print < - $Lang::tr{'host certificate'} - $hostsubject -
- - -
-
- - -
-   -END - ; - } else { - # Nothing - print < - $Lang::tr{'host certificate'}: - $Lang::tr{'not present'} -   -END - ; - } - - if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { - print "
"; - print ""; - print "
\n"; - } - - if (keys %cahash > 0) { - foreach my $key (keys %cahash) { - if (($key + 1) % 2) { - print "\n"; - } else { - print "\n"; - } - print "$cahash{$key}[0]\n"; - print "$cahash{$key}[1]\n"; - print < - - - - -
- - - -
-
- - - -
-END - ; - } - } - print ""; - - # If the file contains entries, print Key to action icons - if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { - print < - -   $Lang::tr{'legend'}: -     $Lang::tr{ - $Lang::tr{'show certificate'} -     $Lang::tr{ - $Lang::tr{'download certificate'} - - -END -; - } - -print < - - - - -
$Lang::tr{'ca name'}:

-END -; - - - &Header::closebox(); - if ( $srunning eq "yes" ) { - print "
\n"; - }else{ - print "
\n"; - } if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { ### @@ -4831,8 +5120,8 @@ END #$Lang::tr{'remark'}
L2089 ### - &Header::openbox('100%', 'LEFT', $Lang::tr{'Client status and controlc' }); - print < @@ -4907,7 +5196,7 @@ END #EXITING -- A graceful exit is in progress. #### - if (($tustate[1] eq 'CONNECTED') || ($tustate[1] eq 'WAIT')) { + if ($tustate[1] eq 'CONNECTED') { $col1="bgcolor='${Header::colourgreen}'"; $active = "$Lang::tr{'capsopen'}"; }else { @@ -4938,7 +5227,7 @@ END } - print <$active
@@ -4949,7 +5238,7 @@ END END ; if ($confighash{$key}[4] eq 'cert') { - print < @@ -4960,7 +5249,7 @@ END print " "; } if ($confighash{$key}[4] eq 'cert' && -f "${General::swroot}/ovpn/certs/$confighash{$key}[1].p12") { - print < @@ -4968,7 +5257,7 @@ END END ; } elsif ($confighash{$key}[4] eq 'cert') { - print < @@ -5004,45 +5293,215 @@ END # If the config file contains entries, print Key to action icons if ( $id ) { - print < -   $Lang::tr{'legend'}: -   $Lang::tr{ - $Lang::tr{'click to disable'} -     $Lang::tr{ - $Lang::tr{'show certificate'} -     $Lang::tr{ - $Lang::tr{'edit'} -     $Lang::tr{ - $Lang::tr{'remove'} +   $Lang::tr{'legend'}: +   $Lang::tr{ + $Lang::tr{'click to disable'} +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'edit'} +     $Lang::tr{ + $Lang::tr{'remove'} -   -   ?OFF - $Lang::tr{'click to enable'} - ?FLOPPY - $Lang::tr{'download certificate'} - ?RELOAD - $Lang::tr{'dl client arch'} - +   +   ?OFF + $Lang::tr{'click to enable'} +     ?FLOPPY + $Lang::tr{'download certificate'} +     ?RELOAD + $Lang::tr{'dl client arch'} +
END ; } - print <
- - + + + +
END - ; - &Header::closebox(); -} -&Header::closepage(); + ; + &Header::closebox(); + } + &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate authorities'}"); + print < + + $Lang::tr{'name'} + $Lang::tr{'subject'} + $Lang::tr{'action'} + +END + ; + my $col1="bgcolor='$color{'color22'}'"; + my $col2="bgcolor='$color{'color20'}'"; + if (-f "${General::swroot}/ovpn/ca/cacert.pem") { + my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + $casubject =~ /Subject: (.*)[\n]/; + $casubject = $1; + $casubject =~ s+/Email+, E+; + $casubject =~ s/ ST=/ S=/; + print < + $Lang::tr{'root certificate'} + $casubject +
+ + +
+
+ + +
+   +END + ; + } else { + # display rootcert generation buttons + print < + $Lang::tr{'root certificate'}: + $Lang::tr{'not present'} +   +END + ; + } + if (-f "${General::swroot}/ovpn/certs/servercert.pem") { + my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + $hostsubject =~ /Subject: (.*)[\n]/; + $hostsubject = $1; + $hostsubject =~ s+/Email+, E+; + $hostsubject =~ s/ ST=/ S=/; + print < + $Lang::tr{'host certificate'} + $hostsubject +
+ + +
+
+ + +
+   +END + ; + } else { + # Nothing + print < + $Lang::tr{'host certificate'}: + $Lang::tr{'not present'} +   +END + ; + } + + if (! -f "${General::swroot}/ovpn/ca/cacert.pem") { + print "
"; + print ""; + print "
\n"; + } + + if (keys %cahash > 0) { + foreach my $key (keys %cahash) { + if (($key + 1) % 2) { + print "\n"; + } else { + print "\n"; + } + print "$cahash{$key}[0]\n"; + print "$cahash{$key}[1]\n"; + print < + + + + +
+ + + +
+
+ + + +
+END + ; + } + } + + print ""; + + # If the file contains entries, print Key to action icons + if ( -f "${General::swroot}/ovpn/ca/cacert.pem") { + print < + +   $Lang::tr{'legend'}: +     $Lang::tr{ + $Lang::tr{'show certificate'} +     $Lang::tr{ + $Lang::tr{'download certificate'} + + +END + ; + } + + print < +
+ + + + + + + + + + + + + + + + + + + + + +
$Lang::tr{'ca name'}: +
$Lang::tr{'ovpn dh upload'}: +

+END + ; + + if ( $srunning eq "yes" ) { + print "
\n"; + } else { + print "
\n"; + } + &Header::closebox(); +END + ; + +&Header::closepage(); diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 090510fe39..6a1f3f2863 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -7,6 +7,7 @@ 'Add Rule' => 'Regel hinzufügen', 'Add a route' => 'Eine Route hinzufügen', 'Async logging enabled' => 'Aktiviere asynchrones Schreiben des Syslogs', +'bit' => 'Bit', 'Choose Rule' => 'Wählen Sie eine der untenstehenden Regeln aus.', 'Class' => 'Klasse', 'Class was deleted' => 'wurde mit eventuell vorhandenen Unterklassen gelöscht', @@ -39,7 +40,7 @@ 'Local VPN IP' => 'Internes Netzwerk (GREEN)', 'MB read' => 'MB gelesen', 'MB written' => 'MB geschrieben', -'MTU' => 'MTU Size', +'MTU' => 'MTU Size:', 'Number of IPs for the pie chart' => 'Anzahl der angezeigten IPs im Diagramm', 'Number of Ports for the pie chart' => 'Anzahl der angezeigten Ports im Diagramm', 'OVPN' => 'OpenVPN', @@ -526,7 +527,7 @@ 'check for net traffic update' => 'Prüfe auf Net-Traffic-Updates', 'check vpn lr' => 'Überprüfen', 'choose config' => 'Konfiguration auswählen', -'cipher' => 'Verschlüsselung', +'cipher' => 'Verschlüsselung:', 'city' => 'Stadt', 'class in use' => 'Die aktuelle Klasse wird bereits verwendet.', 'clear cache' => 'Zwischenspeicher löschen', @@ -660,6 +661,10 @@ 'details' => 'Mehr', 'device' => 'Gerät', 'devices on blue' => 'Geräte auf Blau', +'dh' => 'Diffie-Hellman Key', +'dh key move failed' => 'Verschieben des Diffie-Hellman keys fehlgeschlagen.', +'dh key warn' => 'Diffie-Hellman Keys mit 1024 und 2048 Bit können mehrere Minuten, 3072 und 4096 Bit bis zu mehreren Stunden dauern. Bitte haben sie Geduld.', +'dh key warn1' => 'Bei schwachen Systemen oder Systeme mit wenig Entropie wird empfohlen lange Diffie-Hellman Keys über die Upload Funktion zu integrieren.', 'dhcp advopt add' => 'DHCP Option hinzufügen', 'dhcp advopt added' => 'DHCP Option hinzugefügt', 'dhcp advopt blank value' => 'Wert für DHCP Option darf nicht leer sein', @@ -1120,9 +1125,11 @@ 'fwhost wo subnet' => '(Ohne Subnetz)', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway-IP', +'gen dh' => 'Diffie-Hellman Key erzeugen', 'gen static key' => 'Statischen Schlüssel erzeugen', 'generate' => 'Root/Host-Zertifikate generieren', 'generate a certificate' => 'Erzeuge ein Zertifikat:', +'generate dh key' => 'Diffie-Hellman Key generieren', 'generate iso' => 'ISO erstellen', 'generate root/host certificates' => 'Erzeuge Root/Host-Zertifikate', 'generate tripwire keys and init' => 'Tripwire Initalisierung', @@ -1363,7 +1370,7 @@ 'log view' => 'Log Anzeige', 'log viewer' => 'Protokollansicht', 'log viewing options' => 'Log Ansichts-Optionen', -'log-options' => 'Logfile options', +'log-options' => 'Logfile Optionen', 'loged in at' => 'Angemeldet seit', 'logging' => 'Logging', 'logging server' => 'Protokollierungs-Server', @@ -1544,6 +1551,7 @@ 'nonetworkname' => 'Kein Netzwerkname wurde eingegeben', 'noservicename' => 'Kein Dienstname wurde eingegeben', 'not a valid ca certificate' => 'Kein gültiges CA Zertifikat.', +'not a valid dh key' => 'Kein gültiger Diffie-Hellman Schlüssel. Bitte nur 1024, 2048, 3072 oder 4096 Bit im PKCS#3 Format verwenden.', 'not enough disk space' => 'Nicht genügend Plattenplatz vorhanden', 'not present' => 'Nicht vorhanden', 'not running' => 'nicht gestartet', @@ -1633,12 +1641,19 @@ 'outgoing traffic in bytes per second' => 'Abgehender Verkehr', 'override mtu' => 'Überschreibe Standard MTU', 'ovpn' => 'OpenVPN', +'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn device' => 'OpenVPN-Gerät', +'ovpn dh' => 'Diffie-Hellman Key Länge', +'ovpn dh upload' => 'Upload Diffie-Hellman Key', 'ovpn dl' => 'OVPN-Konfiguration downloaden', +'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', +'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', +'ovpn hmac' => 'HMAC Optionen', +'ovpn ha' => 'Hash Algorithmus', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'Ein Port von 1024 oder höher ist erforderlich.', 'ovpn mtu-disc' => 'Path MTU Discovery', @@ -1649,14 +1664,14 @@ 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery kann nicht gemeinsam mit mssfix oder fragment verwendet werden.', 'ovpn mtu-disc yes' => 'Forciert', 'ovpn no connections' => 'Keine aktiven OpenVPN Verbindungen', -'ovpn on blue' => 'OpenVPN auf BLAU', -'ovpn on orange' => 'OpenVPN auf ORANGE', -'ovpn on red' => 'OpenVPN auf ROT', +'ovpn on blue' => 'OpenVPN auf BLAU:', +'ovpn on orange' => 'OpenVPN auf ORANGE:', +'ovpn on red' => 'OpenVPN auf ROT:', 'ovpn port in root range' => 'Ein Port von 1024 oder höher ist erforderlich.', 'ovpn routes push' => 'Routen (eine pro Zeile) z.b. 192.168.10.0/255.255.255.0 192.168.20.0/24', 'ovpn routes push options' => 'Route push Optionen', 'ovpn server status' => 'OpenVPN-Server-Status', -'ovpn subnet' => 'OpenVPN-Subnetz (z.B. 10.0.10.0/255.255.255.0)', +'ovpn subnet' => 'OpenVPN-Subnetz:', 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.', 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit ', 'ovpn_fastio' => 'Fast-IO', @@ -1830,7 +1845,7 @@ 'resetglobals' => 'Globale Einstellungen zurücksetzen', 'resetpolicy' => 'Policy zurücksetzen', 'resetshares' => 'Shares zurücksetzen?', -'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Das Zurücksetzen der VPN-Konfiguration wird die Root-CA, die Host-Zertifikate und alle weiteren Zertifikate und alle zertifikatsbasierten Verbindungen entfernen', +'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Das Löschen des X509 wird die Root-CA, die Host-Zertifikate und alle zertifikatsbasierten Verbindungen entfernen.', 'restart' => 'Neustart', 'restart ovpn server' => 'OpenVPN-Server neu starten', 'restore' => 'Wiederherstellen', @@ -1900,6 +1915,7 @@ 'show ca certificate' => 'CA Zertifikat anzeigen', 'show certificate' => 'Zertifikat anzeigen', 'show crl' => 'Certificate Revocation List anzeigen', +'show dh' => 'Diffie-Hellman Key anzeigen', 'show host certificate' => 'Host-Zertifikat anzeigen', 'show last x lines' => 'die letzten x Zeilen anzeigen', 'show root certificate' => 'Root-Zertifikat anzeigen', @@ -2234,6 +2250,7 @@ 'upload a certificate' => 'Ein Zertifikat hochladen:', 'upload a certificate request' => 'Eine Zertifikatsanfrage hochladen:', 'upload ca certificate' => 'CA-Zertifikat hochladen', +'upload dh key' => 'Diffie-Hellman Key hochladen', 'upload file' => 'Datei zum hochladen', 'upload new ruleset' => 'Neuen Regelsatz hochladen', 'upload p12 file' => 'PKCS12-Datei hochladen', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index de29f34ec4..99d905e41f 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -7,6 +7,7 @@ 'Add Rule' => 'Add rule', 'Add a route' => 'Add a route', 'Async logging enabled' => 'Enable asynchronous writing of the syslog file', +'bit' => 'bit', 'Choose Rule' => 'Choose one of the following rules.', 'Class' => 'Class', 'Class was deleted' => 'with potential subclasses was deleted', @@ -682,6 +683,7 @@ 'details' => 'Details', 'device' => 'Device', 'devices on blue' => 'Devices on BLUE', +'dh' => 'Diffie-Hellman Key', 'dhcp advopt add' => 'Add a DHCP option', 'dhcp advopt added' => 'DHCP option added', 'dhcp advopt blank value' => 'DHCP Option value cannot be empty.', @@ -713,6 +715,9 @@ 'dhcp server enabled' => 'DHCP server enabled. Restarting.', 'dhcp server enabled on blue interface' => 'DHCP server enabled on BLUE interface', 'dhcp-options' => 'DHCP push options', +'dh key warn' => 'Diffie-Hellman keys with 1024 and 2048 bit takes up to several minutes, 3072 and 4096 bit might needs several hours. Please be patient.', +'dh key warn1' => 'For weak systems or systems with little entropy it is recommended to integrate long Diffie-Hellman Keys by usage of the upload function.', +'dh key move failed' => 'Diffie-Hellman key move failed.', 'dial' => 'Connect', 'dial profile' => 'Connect with profile', 'dial user password' => 'Dial user password:', @@ -1148,9 +1153,11 @@ 'g.lite' => 'TO BE REMOVED', 'gateway' => 'Gateway', 'gateway ip' => 'Gateway IP', +'gen dh' => 'Generate Diffie-Hellman key', 'gen static key' => 'Generate a static key', 'generate' => 'Generate root/host zertifikate', 'generate a certificate' => 'Generate a certificate:', +'generate dh key' => 'Generate Diffie-Hellman key', 'generate iso' => 'Generate ISO', 'generate root/host certificates' => 'Generate root/host certificates', 'generate tripwire keys and init' => 'generate tripwire keys and init', @@ -1375,7 +1382,7 @@ 'local hard disk' => 'Hard disk', 'local master' => 'Local Master', 'local ntp server specified but not enabled' => 'Local NTP server specified but not enabled', -'local subnet' => 'Local Subnet:', +'local subnet' => 'Local subnet:', 'local subnet is invalid' => 'Local subnet is invalid.', 'local vpn hostname/ip' => 'Local VPN Hostname/IP', 'localkey' => 'Localkey', @@ -1573,6 +1580,7 @@ 'nonetworkname' => 'No Network Name entered', 'noservicename' => 'No Service Name entered', 'not a valid ca certificate' => 'Not a valid CA certificate.', +'not a valid dh key' => 'Not a valid Diffie-Hellman key. Please use 1024, 2048, 3072 or 4096 bit in PKCS#3 format.', 'not enough disk space' => 'Not enough disk space', 'not present' => 'Not present', 'not running' => 'not running', @@ -1665,10 +1673,17 @@ 'ovpn' => 'OpenVPN', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', +'ovpn crypt options' => 'Cryptographic options', +'ovpn engines' => 'Crypto engine', 'ovpn device' => 'OpenVPN device:', +'ovpn dh' => 'Diffie-Hellman key lenght', +'ovpn dh upload' => 'Upload Diffie-Hellman Key', 'ovpn dl' => 'OVPN-Config Download', 'ovpn errmsg green already pushed' => 'Route for green network is always set', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', +'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.', +'ovpn ha' => 'Hash algorithm', +'ovpn hmac' => 'HMAC options', 'ovpn log' => 'OVPN-Log', 'ovpn mgmt in root range' => 'A port number of 1024 or higher is required.', 'ovpn mtu-disc' => 'Path MTU Discovery', @@ -1679,18 +1694,18 @@ 'ovpn mtu-disc with mssfix or fragment' => 'Path MTU Discovery cannot be used with mssfix or fragment.', 'ovpn mtu-disc yes' => 'Forced', 'ovpn no connections' => 'No active OpenVPN connections', -'ovpn on blue' => 'OpenVPN on BLUE', -'ovpn on orange' => 'OpenVPN on ORANGE', -'ovpn on red' => 'OpenVPN on RED', +'ovpn on blue' => 'OpenVPN on BLUE:', +'ovpn on orange' => 'OpenVPN on ORANGE:', +'ovpn on red' => 'OpenVPN on RED:', 'ovpn port in root range' => 'A port number of 1024 or higher is required.', 'ovpn routes push' => 'Routes (one per line) e.g. 192.168.10.0/255.255.255.0 192.168.20.0/24', 'ovpn routes push options' => 'Route push options', 'ovpn server status' => 'Current OpenVPN server status:', -'ovpn subnet' => 'OpenVPN subnet (e.g. 10.0.10.0/255.255.255.0)', +'ovpn subnet' => 'OpenVPN subnet:', 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.', 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ', 'ovpn_fastio' => 'Fast-IO', -'ovpn_fragment' => 'Fragmentsize', +'teovpn_fragment' => 'Fragmentsize', 'ovpn_mssfix' => 'MSSFIX Size', 'ovpn_mtudisc' => 'MTU-Discovery', 'ovpn_processprio' => 'Process priority', @@ -1787,7 +1802,7 @@ 'profile saved' => 'Profile saved: ', 'profiles' => 'Profiles:', 'proto' => 'Proto', -'protocol' => 'Protocol', +'protocol' => 'Protocol:', 'proxy' => 'Proxy', 'proxy access graphs' => 'Proxy access graphs', 'proxy admin password' => 'Cache administrator password', @@ -1862,7 +1877,7 @@ 'resetglobals' => 'Reset global settings', 'resetpolicy' => 'Reset policy to default', 'resetshares' => 'Reset shares?', -'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Resetting the VPN configuration will remove the root CA, the host certificate and all certificate based connections', +'resetting the vpn configuration will remove the root ca, the host certificate and all certificate based connections' => 'Resetting the X509 remove the root CA, the host certificate and all certificate based connections.', 'restart' => 'Restart', 'restart ovpn server' => 'Restart OpenVPN server', 'restore' => 'Restore', @@ -1934,6 +1949,7 @@ 'show ca certificate' => 'Show CA certificate', 'show certificate' => 'Show certificate', 'show crl' => 'Show certificate revocation list', +'show dh' => 'Show Diffie-Hellman key', 'show host certificate' => 'Show host certificate', 'show last x lines' => 'Show last x lines', 'show lines' => 'Show lines', @@ -2272,6 +2288,7 @@ 'upload a certificate' => 'Upload a certificate:', 'upload a certificate request' => 'Upload a certificate request:', 'upload ca certificate' => 'Upload CA certificate', +'upload dh key' => 'Upload Diffie-Hellman key', 'upload fcdsl.o' => 'TO BE REMOVED', 'upload file' => 'Upload file', 'upload new ruleset' => 'Upload new ruleset', -- 2.39.2