From 4fbf17f4a10fbf2a0ddeae1aa436cf26f6b3a035 Mon Sep 17 00:00:00 2001
From: Adolf Belka <adolf.belka@ipfire.org>
Date: Sun, 15 Oct 2023 15:34:16 +0200
Subject: [PATCH] ovpnmain.cgi update branch for NCP etc

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 844 ++++++++++++++++++++++++--------------
 langs/en/cgi-bin/en.pl    |  39 +-
 2 files changed, 550 insertions(+), 333 deletions(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index eb89c50955..e480c8e2ad 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -79,6 +79,7 @@ my $name;
 my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my @advcipherchar=();
 my $dhparameter = "/etc/ssl/ffdhe4096.pem";
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
@@ -101,6 +102,7 @@ $cgiparams{'number'} = '';
 $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -187,7 +189,7 @@ sub cleanssldatabase
     if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt")) {
 	print FILE "";
 	close FILE;
-    }
+    }my @advcipherchar=();
     if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
       print FILE "";
       close FILE;
@@ -252,6 +254,20 @@ sub pkiconfigcheck
 		}
 	}
 
+	# Warning if deprecated 64-bit-block ciphers or weak HMAC is in usage
+	if (-f "${General::swroot}/ovpn/server.conf") {
+		my $oldciphers = "${General::swroot}/ovpn/server.conf";
+		open(FH, $oldciphers);
+		while(my $cipherstring = <FH>) {
+			if ($cipherstring =~ /BF-CBC|CAST5-CBC|DESX-CBC|DES-EDE-CBC|DES-EDE3-CBC|SHA1/) {
+				my @tempcipherstring = split(" ", $cipherstring);
+				$cryptowarning = "<br>$Lang::tr{'ovpn warning algorithm'}: <font color='red'>$tempcipherstring[1]</font></br>$Lang::tr{'ovpn warning 64 bit block cipher'}";
+				goto CRYPTO_WARNING;
+			}
+		}
+		close(FH);
+	}
+
 	CRYPTO_WARNING:
 }
 
@@ -329,15 +345,30 @@ sub writeserverconf {
     }
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
-    print CONF "ncp-disable\n";
-    print CONF "cipher $sovpnsettings{DCIPHER}\n";
-	print CONF "auth $sovpnsettings{'DAUTH'}\n";
+    print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
+
+	# Data channel encryption
+	# Set seperator for data ciphers
+	@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+	# Add also algorithm from --data-ciphers directive
+	if ($sovpnsettings{'DATACIPHERS'} ne '') {
+		print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+	}
+	
+    print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
 
-    if ($sovpnsettings{'TLSAUTH'} eq 'on') {
-	print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
-    }
+	# TLS control channel authentication
+	if ($sovpnsettings{'TLSAUTH'} ne 'off') {
+		if ($sovpnsettings{'TLSAUTH'} eq 'on') {
+			print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
+		}
+		if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+			print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n";
+		}
+	}
+
     if ($sovpnsettings{DCOMPLZO} eq 'on') {
         print CONF "comp-lzo\n";
     }
@@ -795,62 +826,94 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} ||
 ###
 
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
-    &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
-    #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
-    #DAN this value has to leave.
-#new settings for daemon
-    $vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
-    $vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
-    $vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
-    $vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
-    $vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
-    $vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
-    $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
-    $vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
-    $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
-    $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
-    $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
-    my @temp=();
+	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+	$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
+	$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
+	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
+	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
+	$vpnsettings{'LOG_VERB'} = $cgiparams{'LOG_VERB'};
+	$vpnsettings{'KEEPALIVE_1'} = $cgiparams{'KEEPALIVE_1'};
+	$vpnsettings{'KEEPALIVE_2'} = $cgiparams{'KEEPALIVE_2'};
+	$vpnsettings{'MAX_CLIENTS'} = $cgiparams{'MAX_CLIENTS'};
+	$vpnsettings{'REDIRECT_GW_DEF1'} = $cgiparams{'REDIRECT_GW_DEF1'};
+	$vpnsettings{'CLIENT2CLIENT'} = $cgiparams{'CLIENT2CLIENT'};
+	$vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
+	$vpnsettings{'ADDITIONAL_CONFIGS'} = $cgiparams{'ADDITIONAL_CONFIGS'};
+	$vpnsettings{'DHCP_DOMAIN'} = $cgiparams{'DHCP_DOMAIN'};
+	$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
+	$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
+	$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
+	my @temp=();
+    
+	# --data-ciphers needs at least one cipher
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+		goto ADV_ENC_ERROR;
+	}
 
-    if ($cgiparams{'FRAGMENT'} eq '') {
-    	delete $vpnsettings{'FRAGMENT'};
-    } else {
+	# Create ta.key for tls-auth if not present
+	if ($cgiparams{'TLSAUTH'} eq 'on') {
+		if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+			system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+			if ($?) {
+				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+				goto ADV_ENC_ERROR;
+			}
+		}
+	}
+
+	# Create tc.key for tls-crypt if not present
+	if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') {
+		if ( ! -e "${General::swroot}/ovpn/certs/tc.key") {
+			system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/ovpn/certs/tc.key");
+			if ($?) {
+				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+				goto ADV_ENC_ERROR;
+			}
+		}
+	}
+
+	if ($cgiparams{'FRAGMENT'} eq '') {
+	    	delete $vpnsettings{'FRAGMENT'};
+	    } else {
     	if ($cgiparams{'FRAGMENT'} !~ /^[0-9]+$/) {
-    	    $errormessage = "Incorrect value, please insert only numbers.";
-        goto ADV_ERROR;
-		} else {
-			$vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
-    	}
-    }
+	    	    $errormessage = "Incorrect value, please insert only numbers.";
+	        goto ADV_ERROR;
+			} else {
+				$vpnsettings{'FRAGMENT'} = $cgiparams{'FRAGMENT'};
+		    	}
+	    }
 
-    if ($cgiparams{'MSSFIX'} ne 'on') {
-    	delete $vpnsettings{'MSSFIX'};
-    } else {
-    	$vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
-    }
+	if ($cgiparams{'MSSFIX'} ne 'on') {
+    		delete $vpnsettings{'MSSFIX'};
+	    } else {
+	    	$vpnsettings{'MSSFIX'} = $cgiparams{'MSSFIX'};
+	    }
 
-    if ($cgiparams{'DHCP_DOMAIN'} ne ''){
-	unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
-		$errormessage = $Lang::tr{'invalid input for dhcp domain'};
-	goto ADV_ERROR;
-    	}
-    }
-    if ($cgiparams{'DHCP_DNS'} ne ''){
-	unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
-		$errormessage = $Lang::tr{'invalid input for dhcp dns'};
-	goto ADV_ERROR;
-    	}
-    }
-    if ($cgiparams{'DHCP_WINS'} ne ''){
-	unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
-		$errormessage = $Lang::tr{'invalid input for dhcp wins'};
+	if ($cgiparams{'DHCP_DOMAIN'} ne ''){
+		unless (&General::validdomainname($cgiparams{'DHCP_DOMAIN'}) || &General::validip($cgiparams{'DHCP_DOMAIN'})) {
+			$errormessage = $Lang::tr{'invalid input for dhcp domain'};
 		goto ADV_ERROR;
-    	}
-    }
-    if ($cgiparams{'ROUTES_PUSH'} ne ''){
-	@temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
-    	undef $vpnsettings{'ROUTES_PUSH'};
+	    	}
+	    }
+
+	if ($cgiparams{'DHCP_DNS'} ne ''){
+		unless (&General::validfqdn($cgiparams{'DHCP_DNS'}) || &General::validip($cgiparams{'DHCP_DNS'})) {
+			$errormessage = $Lang::tr{'invalid input for dhcp dns'};
+		goto ADV_ERROR;
+	    	}
+	    }
+
+	if ($cgiparams{'DHCP_WINS'} ne ''){
+		unless (&General::validfqdn($cgiparams{'DHCP_WINS'}) || &General::validip($cgiparams{'DHCP_WINS'})) {
+			$errormessage = $Lang::tr{'invalid input for dhcp wins'};
+			goto ADV_ERROR;
+	    	}
+	    }
+
+	if ($cgiparams{'ROUTES_PUSH'} ne ''){
+		@temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
+	    	undef $vpnsettings{'ROUTES_PUSH'};
 
    	foreach my $tmpip (@temp)
 	{
@@ -891,35 +954,39 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 			$vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
 		}
 	}
-    &write_routepushfile;
-	undef $vpnsettings{'ROUTES_PUSH'};
-    }
-	else {
-	undef $vpnsettings{'ROUTES_PUSH'};
 	&write_routepushfile;
-    }
-    if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
-        $errormessage = $Lang::tr{'invalid input for max clients'};
-        goto ADV_ERROR;
-    }
-    if ($cgiparams{'KEEPALIVE_1'} ne '') {
-	if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
-    	    $errormessage = $Lang::tr{'invalid input for keepalive 1'};
-        goto ADV_ERROR;
-	}
-    }
-    if ($cgiparams{'KEEPALIVE_2'} ne ''){
-	if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
-    	    $errormessage = $Lang::tr{'invalid input for keepalive 2'};
-        goto ADV_ERROR;
-	}
-    }
-    if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
-        $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
-        goto ADV_ERROR;
-    }
-    &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
-    &writeserverconf();#hier ok
+		undef $vpnsettings{'ROUTES_PUSH'};
+	    } else {
+		undef $vpnsettings{'ROUTES_PUSH'};
+		&write_routepushfile;
+	    }
+	    
+	if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
+	        $errormessage = $Lang::tr{'invalid input for max clients'};
+	        goto ADV_ERROR;
+	    }
+	    
+	if ($cgiparams{'KEEPALIVE_1'} ne '') {
+		if ($cgiparams{'KEEPALIVE_1'} !~ /^[0-9]+$/) {
+	    	    $errormessage = $Lang::tr{'invalid input for keepalive 1'};
+	        goto ADV_ERROR;
+		}
+	    }
+	    
+	if ($cgiparams{'KEEPALIVE_2'} ne ''){
+		if ($cgiparams{'KEEPALIVE_2'} !~ /^[0-9]+$/) {
+	    	    $errormessage = $Lang::tr{'invalid input for keepalive 2'};
+	        goto ADV_ERROR;
+		}
+	    }
+
+	if ($cgiparams{'KEEPALIVE_2'} < ($cgiparams{'KEEPALIVE_1'} * 2)){
+	        $errormessage = $Lang::tr{'invalid input for keepalive 1:2'};
+	        goto ADV_ERROR;
+	    }
+
+	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
+	&writeserverconf();#hier ok
 }
 
 ###
@@ -970,7 +1037,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
 
   if ($cgiparams{'PROTOCOL'} eq 'tcp') {
   print SERVERCONF "proto tcp4-server\n";
-  print SERVERCONF "# Packet size\n";
+  print SERVERCONF "# Packet size\n";&writeserverconf();#hier ok
   if ($cgiparams{'MTU'} eq '') {$tunmtu = '1400'} else {$tunmtu = $cgiparams{'MTU'}};
   print SERVERCONF "tun-mtu $tunmtu\n";
   }
@@ -993,10 +1060,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print SERVERCONF "# Cipher\n";
   print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
 
-  # If GCM cipher is used, do not use --auth
+  # If AEAD cipher is used, do not use --auth
   if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
       ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
-      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {&writeserverconf();#hier ok
     print SERVERCONF unless "# HMAC algorithm\n";
     print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
@@ -1098,10 +1166,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
   print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
 
-  # If GCM cipher is used, do not use --auth
+  # If AEAD cipher is used, do not use --auth
   if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
       ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
-      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
     print CLIENTCONF unless "# HMAC algorithm\n";
     print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
@@ -1207,18 +1276,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 	goto SETTINGS_ERROR;
     }
 
-	# Create ta.key for tls-auth if not presant
-	if ($cgiparams{'TLSAUTH'} eq 'on') {
-		if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
-			# This system call is safe, because all arguements are passed as an array.
-			system("/usr/sbin/openvpn", "--genkey", "secret", "${General::swroot}/ovpn/certs/ta.key");
-			if ($?) {
-				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
-				goto SETTINGS_ERROR;
-			}
-		}
-	}
-
     $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
     $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
     $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
@@ -1229,9 +1286,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
-    $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
-    $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 #wrtie enable
 
   if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {
@@ -1596,18 +1650,36 @@ END
 ### Download tls-auth key
 ###
 }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
-    if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
-	print "Content-Type: application/octet-stream\r\n";
-	print "Content-Disposition: filename=ta.key\r\n\r\n";
+ if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
+	 print "Content-Type: application/octet-stream\r\n";
+	 print "Content-Disposition: filename=ta.key\r\n\r\n";
 
-	open(FILE, "${General::swroot}/ovpn/certs/ta.key");
-	my @tmp = <FILE>;
-	close(FILE);
+	 open(FILE, "${General::swroot}/ovpn/certs/ta.key");
+	 my @tmp = <FILE>;
+	 close(FILE);
 
-	print @tmp;
+	 print @tmp;
 
-	exit(0);
-    }
+	 exit(0);
+ }
+
+###
+### Download tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) {
+	if ( -f "${General::swroot}/ovpn/certs/tc.key" ) {
+		print "Content-Type: application/octet-stream\r\n";
+		print "Content-Disposition: filename=tc.key\r\n\r\n";
+		
+	 open(FILE, "${General::swroot}/ovpn/certs/tc.key");
+	 my @tmp = <FILE>;
+	 close(FILE);
+
+	 print @tmp;
+
+		
+		exit(0);
+	}
 
 ###
 ### Form for generating a root certificate
@@ -2144,10 +2216,11 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
      $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", "$confighash{$cgiparams{'KEY'}}[1].p12") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1].p12\n";
    }
 
-   # If GCM cipher is used, do not use --auth
+   # If AEAD cipher is used, do not use --auth
    if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
        ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
-       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+       ($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') ||
+       ($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) {
         print CLIENTCONF unless "# HMAC algorithm\n";
         print CLIENTCONF unless "auth $confighash{$cgiparams{'KEY'}}[39]\n";
    } else {
@@ -2291,16 +2364,32 @@ else
 	$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
 	$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
     }
-    print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+	# Set seperator for --data-ciphers algorithms
+	@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+	print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
-    if ($vpnsettings{'TLSAUTH'} eq 'on') {
-	if ($cgiparams{'MODE'} eq 'insecure') {
-		print CLIENTCONF ";";
-	}
-	print CLIENTCONF "tls-auth ta.key\r\n";
-	$zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key")  or die "Can't add file ta.key\n";
+	# Comment TLS-Auth directive if 'insecure' mode has been choosen
+	if ($vpnsettings{'TLSAUTH'} eq 'on') {
+		if ($cgiparams{'MODE'} eq 'insecure') {
+			print CLIENTCONF ";";
+		}
+		print CLIENTCONF "tls-auth ta.key\r\n";
+		$zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key")  or die "Can't add file ta.key\n";
     }
+
+	# Comment TLS-Crypt directive if 'insecure' mode has been choosen
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+		if ($cgiparams{'MODE'} eq 'insecure') {
+			print CLIENTCONF ";";
+		}
+		print CLIENTCONF "tls-crypt tc.key\r\n";
+		$zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key")  or die "Can't add file tc.key\n";
+	}
+
+
     if ($vpnsettings{DCOMPLZO} eq 'on') {
         print CLIENTCONF "comp-lzo\r\n";
     }
@@ -2372,7 +2461,19 @@ else
 	print CLIENTCONF "</key>\r\n\r\n";
 	close(FILE);
 
-	# TLS auth
+	# Print TLS-Crypt key to client.ovpn if 'insecure' has been selected
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+		open(FILE, "<${General::swroot}/ovpn/certs/tc.key");
+		print CLIENTCONF "<tls-crypt>\r\n";
+		while (<FILE>) {
+			chomp($_);
+			print CLIENTCONF "$_\r\n";
+		}
+		print CLIENTCONF "</tls-crypt>\r\n\r\n";
+		close(FILE);
+	}
+
+	# Print TLS-Auth key to client.ovpn if 'insecure' has been selected
 	if ($vpnsettings{'TLSAUTH'} eq 'on') {
 		open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
 		print CLIENTCONF "<tls-auth>\r\n";
@@ -2611,6 +2712,28 @@ END
 		&Header::closepage();
 		exit(0);
     }
+    
+###
+### Display tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) {
+
+	if (! -e "${General::swroot}/ovpn/certs/tc.key") {
+		$errormessage = $Lang::tr{'not present'};
+	} else {
+		&Header::showhttpheaders();
+		&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+		&Header::openbigbox('100%', 'LEFT', '', '');
+		&Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}");
+		my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+		$output = &Header::cleanhtml($output,"y");
+		print "<pre>$output</pre>\n";
+		&Header::closebox();
+		print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+		&Header::closebigbox();
+		&Header::closepage();
+		exit(0);
+	}
 
 ###
 ### Display Certificate Revoke List
@@ -2643,6 +2766,7 @@ END
     %cgiparams = ();
     %cahash = ();
     %confighash = ();
+    my @temp=();
     my $disabled;
     &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
     read_routepushfile;
@@ -2664,9 +2788,6 @@ ADV_ERROR:
     if ($cgiparams{'LOG_VERB'} eq '') {
 		$cgiparams{'LOG_VERB'} =  '3';
     }
-    if ($cgiparams{'TLSAUTH'} eq '') {
-		$cgiparams{'TLSAUTH'} = 'off';
-    }
     $checked{'CLIENT2CLIENT'}{'off'} = '';
     $checked{'CLIENT2CLIENT'}{'on'} = '';
     $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
@@ -2706,31 +2827,208 @@ ADV_ERROR:
 	&Header::closebox();
     }
     &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
+    
+	my $key = $cgiparams{'KEY'};
+	if (! $key) {
+		$key = &General::findhasharraykey (\%confighash);
+		foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
+	}
+	$confighash{$key}[39] = $cgiparams{'DAUTH'};
+	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+	$confighash{$key}[41] = $cgiparams{'TLSAUTH'};
+	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+
+ADV_ENC_ERROR:
+
+	# Set default for hash message authentication code
+	if ($cgiparams{'DAUTH'} eq '') {
+		$cgiparams{'DAUTH'} =  'SHA512'; #[39];
+	}
+	$checked{'DAUTH'}{'SHA3-512'} = '';
+	$checked{'DAUTH'}{'SHA512'} = '';
+	$checked{'DAUTH'}{'SHA384'} = '';
+	$checked{'DAUTH'}{'SHA256'} = '';
+	$checked{'DAUTH'}{'whirlpool'} = '';
+	$checked{'DAUTH'}{'SHA1'} = '';
+	@temp = split('\|', $cgiparams{'DAUTH'});
+	foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }
+
+	# Set default for TLS control authentication
+	if ($cgiparams{'TLSAUTH'} eq '') {
+		$cgiparams{'TLSAUTH'} = 'tls-crypt'; #[41]
+	}
+	$checked{'TLSAUTH'}{'on'} = '';
+	$checked{'TLSAUTH'}{'off'} = '';
+	$checked{'TLSAUTH'}{'tls-crypt'} = '';
+	@temp = split('\|', $cgiparams{'TLSAUTH'});
+	foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} = "selected='selected'"; }
+
+	# Set default for data-cipher-fallback (the old --cipher directive)
+	if ($cgiparams{'DCIPHER'} eq '') {
+		$cgiparams{'DCIPHER'} =  'AES-256-CBC'; #[40]
+	}
+	$checked{'DCIPHER'}{'AES-256-CBC'} = '';
+	$checked{'DCIPHER'}{'AES-192-CBC'} = '';
+	$checked{'DCIPHER'}{'AES-128-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
+	$checked{'DCIPHER'}{'SEED-CBC'} = '';
+	$checked{'DCIPHER'}{'DES-EDE3-CBC'} = '';
+	$checked{'DCIPHER'}{'DESX-CBC'} = '';
+	$checked{'DCIPHER'}{'DES-EDE-CBC'} = '';
+	$checked{'DCIPHER'}{'BF-CBC'} = '';
+	$checked{'DCIPHER'}{'CAST5-CBC'} = '';
+	@temp = split('\|', $cgiparams{'DCIPHER'});
+	foreach my $key (@temp) {$checked{'DCIPHER'}{$key} = "selected='selected'"; }
+
+	# Set default data channel ciphers
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42];
+	}
+	$checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+	$checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+	@temp = split('\|', $cgiparams{'DATACIPHERS'});
+	foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+	# Save settings and display default if not configured
+	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
+		$confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'};
+	  	$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
+	  	$confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'TLSAUTH'};
+		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+	} else {
+		$cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};
+  		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
+  		$cgiparams{'TLSAUTH'} = $vpnsettings{'TLSAUTH'};
+		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+	}
+
+ADV_ENC_ERROR:
+
+	print<<END
+	<br />
+	<tr>
+		<td class='base'><b>$Lang::tr{'ovpn advanced encryption'}</b></td>
+	</tr>
+
+	<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+	<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+
+	<table width='100%'>
+		<thead>
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn data channel'}</th>
+				<th>$Lang::tr{'ovpn data channel fallback'}</th>
+			</tr>
+		</thead>
+		<tbody>
+			<tr>
+				<td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td>
+				<td class='boldbase'>
+					<select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+						<option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+						<option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+					</select>
+				</td>
+
+				<td class='boldbase'>
+					<select name='DCIPHER' size='6' style='width: 100%'>
+						<option value='AES-256-CBC' $checked{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option>
+						<option value='AES-192-CBC' $checked{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option>
+						<option value='AES-128-CBC' $checked{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option>
+						<option value='CAMELLIA-256-CBC' $checked{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='CAMELLIA-192-CBC' $checked{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='CAMELLIA-128-CBC' $checked{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='SEED-CBC' $checked{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option>
+						<option value='DES-EDE3-CBC' $checked{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='DESX-CBC' $checked{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='DES-EDE-CBC' $checked{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='BF-CBC' $checked{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='CAST5-CBC' $checked{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+					</select>
+				</td>				
+			</tr>
+		</tbody>
+	</table>
+
+	<br /><br />
+
+
+	<tr>
+		<td class='base'><b>$Lang::tr{'ovpn crypt options'}</b></td>
+	</tr>
+
+
+
+	<table width="100%">
+		<thead>
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn ha'}</th>
+				<th>$Lang::tr{'ovpn tls auth'}</th>
+			</tr>
+		</thead>
+		<tbody>
+			<tr>
+			
+				<td width="27%">$Lang::tr{'ovpn data channel authentication'}</td>
+				<td class='boldbase'>
+					<select name='DAUTH' size='6' style='width: 100%'>
+						<option value='SHA3-512' $checked{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+						<option value='SHA512' $checked{'DAUTH'}{'SHA512'}>SHA2 512 $Lang::tr{'bit'}</option>
+						<option value='SHA384' $checked{'DAUTH'}{'SHA384'}>SHA2 384 $Lang::tr{'bit'}</option>
+						<option value='SHA256' $checked{'DAUTH'}{'SHA256'}>SHA2 256 $Lang::tr{'bit'}</option>
+						<option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+						<option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+					</select>
+
+				<td class='boldbase'>
+					<select name='TLSAUTH' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+						<option value='tls-crypt' $checked{'TLSAUTH'}{'tls-crypt'}>TLS-Crypt</option>
+						<option value='on' $checked{'TLSAUTH'}{'on'}>TLS-Auth</option>
+						<option value='off' $checked{'TLSAUTH'}{'off'}>Off</option>
+					</select>
+				</td>
+			</tr>
+		</tbody>
+	</table>
+	<br />
+	<hr>
+END
+;
+    
     print <<END;
     <form method='post' enctype='multipart/form-data'>
 <table width='100%' border=0>
+	<br />
 	<tr>
 		<td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
-    </tr>
-    <tr>
+    	</tr>
+    	<tr>
 		<td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
-    </tr>
-    <tr>
+    	</tr>
+    	<tr>
 		<td class='base'>Domain</td>
         <td><input type='TEXT' name='DHCP_DOMAIN' value='$cgiparams{'DHCP_DOMAIN'}' size='30'  /></td>
-    </tr>
-    <tr>
+    	</tr>
+    	<tr>
 		<td class='base'>DNS</td>
 		<td><input type='TEXT' name='DHCP_DNS' value='$cgiparams{'DHCP_DNS'}' size='30' /></td>
-    </tr>
-    <tr>
+    	</tr>
+    	<tr>
 		<td class='base'>WINS</td>
 		<td><input type='TEXT' name='DHCP_WINS' value='$cgiparams{'DHCP_WINS'}' size='30' /></td>
 	</tr>
-    <tr>
+    	<tr>
 		<td colspan='4'><b>$Lang::tr{'ovpn routes push options'}</b></td>
-    </tr>
-    <tr>
+    	</tr>
+    	<tr>
 		<td class='base'>$Lang::tr{'ovpn routes push'}</td>
 		<td colspan='2'>
 		<textarea name='ROUTES_PUSH' cols='26' rows='6' wrap='off'>
@@ -2744,11 +3042,14 @@ if ($cgiparams{'ROUTES_PUSH'} ne '')
 
 print <<END;
 </textarea></td>
-</tr>
-    </tr>
+	</tr>
+    	</tr>
 </table>
+<br />
 <hr size='1'>
+
 <table width='100%'>
+	<br />
 	<tr>
 		<td class='base'><b>$Lang::tr{'misc-options'}</b></td>
 	</tr>
@@ -2801,18 +3102,20 @@ print <<END;
 		<td><input type='TEXT' name='KEEPALIVE_2' value='$cgiparams{'KEEPALIVE_2'}' size='10' /></td>
 	</tr>
 </table>
+<br />
 
 <hr size='1'>
 <table width='100%'>
-    <tr>
-	<td class='base'><b>$Lang::tr{'log-options'}</b></td>
-    </tr>
-    <tr>
-	<td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
-    </tr>
-
-    <tr><td class='base'>VERB</td>
-        <td><select name='LOG_VERB'>
+	<br />
+    	<tr>
+		<td class='base'><b>$Lang::tr{'log-options'}</b></td>
+    	</tr>
+    	<tr>
+		<td width='20%'></td> <td width='30%'> </td><td width='25%'> </td><td width='25%'></td>
+    	</tr>
+
+    	<tr><td class='base'>VERB</td>
+        	<td><select name='LOG_VERB'>
 			<option value='0'  $selected{'LOG_VERB'}{'0'}>0</option>
 			<option value='1'  $selected{'LOG_VERB'}{'1'}>1</option>
 			<option value='2'  $selected{'LOG_VERB'}{'2'}>2</option>
@@ -2825,15 +3128,15 @@ print <<END;
 			<option value='9'  $selected{'LOG_VERB'}{'9'}>9</option>
 			<option value='10' $selected{'LOG_VERB'}{'10'}>10</option>
 			<option value='11' $selected{'LOG_VERB'}{'11'}>11</option>
-	</td></select>
-    </table>
-
+		</td></select>
+    	</table>
+    	<br />
 <hr size='1'>
 END
 
 if ( -e "/var/run/openvpn.pid"){
 print"	<br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>
-		$Lang::tr{'server restart'}<br><br>
+		$Lang::tr{'server restart'}<br /><br />
 		<hr>";
 	print<<END;
 <table width='100%'>
@@ -2870,7 +3173,6 @@ END
     &Header::closepage();
     exit(0);
 
-
 # A.Marx CCD   Add,delete or edit CCD net
 
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ccd net'} ||
@@ -3582,36 +3884,36 @@ if ($confighash{$cgiparams{'KEY'}}) {
 		    $errormessage = $Lang::tr{'invalid key'};
 		    goto VPNCONF_END;
 		}
-		$cgiparams{'ENABLED'}		= $confighash{$cgiparams{'KEY'}}[0];
+		$cgiparams{'ENABLED'}	= $confighash{$cgiparams{'KEY'}}[0];
 		$cgiparams{'NAME'}		= $confighash{$cgiparams{'KEY'}}[1];
 		$cgiparams{'TYPE'}		= $confighash{$cgiparams{'KEY'}}[3];
-		$cgiparams{'AUTH'} 		= $confighash{$cgiparams{'KEY'}}[4];
+		$cgiparams{'AUTH'}		= $confighash{$cgiparams{'KEY'}}[4];
 		$cgiparams{'PSK'}		= $confighash{$cgiparams{'KEY'}}[5];
 		$cgiparams{'SIDE'}		= $confighash{$cgiparams{'KEY'}}[6];
 		$cgiparams{'LOCAL_SUBNET'}	= $confighash{$cgiparams{'KEY'}}[8];
 		$cgiparams{'REMOTE'}		= $confighash{$cgiparams{'KEY'}}[10];
-		$cgiparams{'REMOTE_SUBNET'} 	= $confighash{$cgiparams{'KEY'}}[11];
-		$cgiparams{'OVPN_MGMT'} 	= $confighash{$cgiparams{'KEY'}}[22];
-		$cgiparams{'MSSFIX'} 		= $confighash{$cgiparams{'KEY'}}[23];
-		$cgiparams{'FRAGMENT'} 		= $confighash{$cgiparams{'KEY'}}[24];
+		$cgiparams{'REMOTE_SUBNET'}	= $confighash{$cgiparams{'KEY'}}[11];
+		$cgiparams{'OVPN_MGMT'}	= $confighash{$cgiparams{'KEY'}}[22];
+		$cgiparams{'MSSFIX'}		= $confighash{$cgiparams{'KEY'}}[23];
+		$cgiparams{'FRAGMENT'}	= $confighash{$cgiparams{'KEY'}}[24];
 		$cgiparams{'REMARK'}		= $confighash{$cgiparams{'KEY'}}[25];
-		$cgiparams{'INTERFACE'}		= $confighash{$cgiparams{'KEY'}}[26];
+		$cgiparams{'INTERFACE'}	= $confighash{$cgiparams{'KEY'}}[26];
 		$cgiparams{'OVPN_SUBNET'} 	= $confighash{$cgiparams{'KEY'}}[27];
-		$cgiparams{'PROTOCOL'}	  	= $confighash{$cgiparams{'KEY'}}[28];
-		$cgiparams{'DEST_PORT'}	  	= $confighash{$cgiparams{'KEY'}}[29];
-		$cgiparams{'COMPLZO'}	  	= $confighash{$cgiparams{'KEY'}}[30];
-		$cgiparams{'MTU'}	  	= $confighash{$cgiparams{'KEY'}}[31];
-		$cgiparams{'CHECK1'}   		= $confighash{$cgiparams{'KEY'}}[32];
+		$cgiparams{'PROTOCOL'}  	= $confighash{$cgiparams{'KEY'}}[28];
+		$cgiparams{'DEST_PORT'}  	= $confighash{$cgiparams{'KEY'}}[29];
+		$cgiparams{'COMPLZO'}  	= $confighash{$cgiparams{'KEY'}}[30];
+		$cgiparams{'MTU'}		= $confighash{$cgiparams{'KEY'}}[31];
+		$cgiparams{'CHECK1'}		= $confighash{$cgiparams{'KEY'}}[32];
 		$name=$cgiparams{'CHECK1'}	;
 		$cgiparams{$name}		= $confighash{$cgiparams{'KEY'}}[33];
 		$cgiparams{'RG'}		= $confighash{$cgiparams{'KEY'}}[34];
-		$cgiparams{'CCD_DNS1'}		= $confighash{$cgiparams{'KEY'}}[35];
-		$cgiparams{'CCD_DNS2'}		= $confighash{$cgiparams{'KEY'}}[36];
-		$cgiparams{'CCD_WINS'}		= $confighash{$cgiparams{'KEY'}}[37];
+		$cgiparams{'CCD_DNS1'}	= $confighash{$cgiparams{'KEY'}}[35];
+		$cgiparams{'CCD_DNS2'}	= $confighash{$cgiparams{'KEY'}}[36];
+		$cgiparams{'CCD_WINS'}	= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'DAUTH'}		= $confighash{$cgiparams{'KEY'}}[39];
-		$cgiparams{'DCIPHER'}		= $confighash{$cgiparams{'KEY'}}[40];
-		$cgiparams{'TLSAUTH'}		= $confighash{$cgiparams{'KEY'}}[41];
-		$cgiparams{'OTP_STATE'}		= $confighash{$cgiparams{'KEY'}}[43];
+		$cgiparams{'DCIPHER'}	= $confighash{$cgiparams{'KEY'}}[40];
+		$cgiparams{'OTP_STATE'}	= $confighash{$cgiparams{'KEY'}}[43];
+
 	} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 	$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 
@@ -4379,12 +4681,12 @@ if ($cgiparams{'TYPE'} eq 'net') {
                        $confighash{$key}[41] = "no-pass";
                }
        }
-
-   $confighash{$key}[42] = 'HOTP/T30/6';
+       
+ 	$confighash{$key}[42] = 'HOTP/T30/6';
 	$confighash{$key}[43] = $cgiparams{'OTP_STATE'};
 	if (($confighash{$key}[43] eq 'on') && ($confighash{$key}[44] eq '')) {
 		my @otp_secret = &General::system_output("/usr/bin/openssl", "rand", "-hex", "20");
-      chomp($otp_secret[0]);
+       chomp($otp_secret[0]);
 		$confighash{$key}[44] = $otp_secret[0];
 	} elsif ($confighash{$key}[43] eq '') {
 		$confighash{$key}[44] = '';
@@ -4562,38 +4864,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
     $checked{'MSSFIX'}{'on'} = '';
     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
 
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    # If no cipher has been chossen yet, select
-    # the old default (AES-256-CBC) for compatiblity reasons.
-    if ($cgiparams{'DCIPHER'} eq '') {
-	$cgiparams{'DCIPHER'} = 'AES-256-CBC';
-    }
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
-    $selected{'DAUTH'}{'whirlpool'} = '';
-    $selected{'DAUTH'}{'SHA512'} = '';
-    $selected{'DAUTH'}{'SHA384'} = '';
-    $selected{'DAUTH'}{'SHA256'} = '';
-    $selected{'DAUTH'}{'SHA1'} = '';
-    $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
-    $checked{'TLSAUTH'}{'off'} = '';
-    $checked{'TLSAUTH'}{'on'} = '';
-    $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
     if (1) {
 	&Header::showhttpheaders();
 	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
@@ -4727,31 +4997,33 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
 	<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
 		<td><select name='DCIPHER'  id="n2ncipher" required>
+				<option value='ChaCha20-Poly1305'	$selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option>
 				<option value='AES-256-GCM'		$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
 				<option value='AES-192-GCM'		$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
 				<option value='AES-128-GCM'		$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-256-CBC'	$selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-192-CBC'	$selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-128-CBC'	$selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='AES-256-CBC' 	 	$selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
-				<option value='AES-192-CBC' 	 	$selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-CBC' 	 	$selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='SEED-CBC' 			$selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE3-CBC'	 	$selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DESX-CBC' 			$selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DES-EDE-CBC' 		$selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='BF-CBC' 				$selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='CAST5-CBC' 			$selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='AES-256-CBC'		$selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'}, $Lang::tr{'default'})</option>
+				<option value='AES-192-CBC'		$selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
+				<option value='AES-128-CBC'		$selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
+				<option value='SEED-CBC'		$selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
+				<option value='DES-EDE3-CBC'	$selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='DESX-CBC'		$selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='DES-EDE-CBC'		$selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='BF-CBC'		$selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='CAST5-CBC'		$selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
 
 		<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
 		<td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
-				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
-				<option value='SHA512'			$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
-				<option value='SHA384'			$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
-				<option value='SHA256'			$selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
-				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
+				<option value='SHA3-512'    $selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+				<option value='SHA512'	$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
+				<option value='SHA384'	$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
+				<option value='SHA256'	$selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
+				<option value='whirlpool'	$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+				<option value='SHA1'		$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
 	</tr>
@@ -4767,7 +5039,7 @@ print<<END;
 	<script>
 		var disable_options = false;
 		document.getElementById('n2ncipher').onchange = function () {
-			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) {
 				document.getElementById('n2nhmac').setAttribute('disabled', true);
 			} else {
 				document.getElementById('n2nhmac').removeAttribute('disabled');
@@ -4940,7 +5212,7 @@ if ($cgiparams{'TYPE'} eq 'host') {
 	print <<END;
 	<table border='0' width='100%'>
 	<tr><td width='20%'>$Lang::tr{'enable otp'}:</td><td colspan='3'><input type='checkbox' name='OTP_STATE' $checked{'OTP_STATE'}{'on'} /></td></tr>
-	<tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+	<tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
 	<tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
 	<tr><td colspan='4'>&nbsp</td></tr>
 	<tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
@@ -5106,6 +5378,9 @@ END
     my @status = <FILE>;
     close(FILE);
 
+	# Perform crypto and configration test to display warnings or errors
+	&pkiconfigcheck;
+
     if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") {
 		if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) {
 		    my $ipaddr = <IPADDR>;
@@ -5119,9 +5394,6 @@ END
     }
 
 #default setzen
-    if ($cgiparams{'DCIPHER'} eq '') {
-		$cgiparams{'DCIPHER'} =  'AES-256-CBC';
-    }
     if ($cgiparams{'DDEST_PORT'} eq '') {
 		$cgiparams{'DDEST_PORT'} =  '1194';
     }
@@ -5131,21 +5403,6 @@ END
     if ($cgiparams{'MSSFIX'} eq '') {
 		$cgiparams{'MSSFIX'} = 'off';
     }
-	if ($cgiparams{'DAUTH'} eq '') {
-		if (-z "${General::swroot}/ovpn/ovpnconfig") {
-			$cgiparams{'DAUTH'} = 'SHA512';
-		}
-		foreach my $key (keys %confighash) {
-			if ($confighash{$key}[3] ne 'host') {
-				$cgiparams{'DAUTH'} = 'SHA512';
-			} else {
-				$cgiparams{'DAUTH'} = 'SHA1';
-			}
-		}
-	}
-	if ($cgiparams{'TLSAUTH'} eq '') {
-		$cgiparams{'TLSAUTH'} = 'off';
-	}
     if ($cgiparams{'DOVPN_SUBNET'} eq '') {
 		$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
     }
@@ -5163,35 +5420,6 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
-
-    $selected{'DAUTH'}{'whirlpool'} = '';
-    $selected{'DAUTH'}{'SHA512'} = '';
-    $selected{'DAUTH'}{'SHA384'} = '';
-    $selected{'DAUTH'}{'SHA256'} = '';
-    $selected{'DAUTH'}{'SHA1'} = '';
-    $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
-
-    $checked{'TLSAUTH'}{'off'} = '';
-    $checked{'TLSAUTH'}{'on'} = '';
-    $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
     $checked{'DCOMPLZO'}{'off'} = '';
     $checked{'DCOMPLZO'}{'on'} = '';
     $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
@@ -5287,50 +5515,6 @@ END
         <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
     </tr>
 
-	<tr><td colspan='4'><br></td></tr>
-	<tr>
-		<td class='base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
-	</tr>
-	<tr><td colspan='1'><br></td></tr>
-
-	<tr>
-		<td class='base'>$Lang::tr{'ovpn ha'}</td>
-		<td><select name='DAUTH'>
-				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
-				<option value='SHA512'			$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
-				<option value='SHA384'			$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
-				<option value='SHA256'			$selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
-				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
-
-		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
-		<td><select name='DCIPHER'>
-				<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
-	</tr>
-
-    <tr><td colspan='4'><br></td></tr>
-	<tr>
-		<td class='base'>$Lang::tr{'ovpn tls auth'}</td>
-		<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
-	</tr>
-
     <tr><td colspan='4'><br><br></td></tr>
 END
 ;
@@ -5681,6 +5865,10 @@ END
     my $col3="bgcolor='$color{'color22'}'";
     # ta.key line
     my $col4="bgcolor='$color{'color20'}'";
+	# tc-v2.key line
+	my $col5="bgcolor='$color{'color22'}'";
+	# tc.key
+	my $col6="bgcolor='$color{'color20'}'";
 
     if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
 		my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem");
@@ -5841,7 +6029,7 @@ END
 		# Nothing
 		print <<END;
 		<tr>
-			<td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
+			<td width='25%' class='base' $col4>$Lang::tr{'ta key'}</td>
 			<td class='base' $col4>$Lang::tr{'not present'}</td>
 			<td colspan='3' $col4>&nbsp;</td>
 		</tr>
@@ -5849,6 +6037,30 @@ END
 		;
     }
 
+	# Adding tc.key to chart
+	if (-f "${General::swroot}/ovpn/certs/tc.key") {
+		my $tcsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+		$tcsubject    =~ /# (.*)[\n]/;
+		$tcsubject    = $1;
+		print <<END;
+
+		<tr>
+			<td class='base' $col6>$Lang::tr{'tc key'}</td>
+			<td class='base' $col6>$tcsubject</td>
+				<form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+					<input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt key'}' />
+					<input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt key'}' title='$Lang::tr{'show tls-crypt key'}' width='20' height='20' border='0' />
+				</form>
+				<form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+					<input type='image' name='$Lang::tr{'download tls-crypt key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-crypt key'}' title='$Lang::tr{'download tls-crypt key'}' border='0' />
+					<input type='hidden' name='ACTION' value='$Lang::tr{'download tls-crypt key'}' />
+				</form>
+			<td width='4%' $col6>&nbsp;</td>
+		</tr>
+END
+;
+	}
+
     if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
         print "<tr><td colspan='5' align='center'><form method='post'>";
 		print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 7bbf7cd32d..213a10c281 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -412,6 +412,7 @@
 'advproxy wpad example dst_noproxy_url' => 'e.g. *.ipfire.org*',
 'advproxy wpad label dst_noproxy_ip' => 'Excluded IP Subnets (one per line)',
 'advproxy wpad label dst_noproxy_url' => 'Excluded URL s (one per line)',
+'advproxy wpad notice' => 'Notice: For WPAD/PAC to work properly, furtcher changes need to be made. Please see the <a href="https://wiki.ipfire.org/configuration/network/proxy/extend/wpad" target="_blank">Wiki</a>.',
 'advproxy wpad title' => 'Web Proxy Auto-Discovery Protocol (WPAD) / Proxy Auto-Config (PAC)',
 'advproxy wpad view pac' => 'Open PAC File',
 'again' => 'Again:',
@@ -826,7 +827,6 @@
 'dhcp dns update' => 'DNS Update',
 'dhcp dns update algo' => 'Algorithm',
 'dhcp dns update secret' => 'Secret',
-'dhcp fixed ip address in dynamic range' => 'Fixed IP Address in dynamic range',
 'dhcp fixed lease err1' => 'For a fix lease you have to enter the MAC address or the hostname, or you enter both.',
 'dhcp fixed lease help1' => 'IP Addresses might be entered as FQDN',
 'dhcp make fixed lease' => 'Add to fix leases',
@@ -859,7 +859,7 @@
 'display hostname in window title' => 'Display hostname in window title',
 'display traffic at home' => 'Display calculated traffic on startpage',
 'display webinterface effects' => 'Activate effects',
-'dl client arch' => 'Download Encrypted Client Package (zip)',
+'dl client arch' => 'Download Client Package (zip)',
 'dl client arch insecure' => 'Download insecure Client Package (zip)',
 'dmz' => 'DMZ',
 'dmz pinhole configuration' => 'DMZ pinhole configuration',
@@ -931,7 +931,6 @@
 'done' => 'Do it',
 'dos charset' => 'DOS Charset',
 'down and up speed' => 'Enter your Down- and Uplink-Speed <br /> and then press <i>Save</i>.',
-'downfall gather data sampling' => 'Downfall/Gather Data Sampling',
 'downlink' => 'Downlink',
 'downlink speed' => 'Downlink speed (kbit/sec)',
 'downlink std class' => 'downlink standard class',
@@ -943,7 +942,9 @@
 'download new ruleset' => 'Download new ruleset',
 'download pkcs12 file' => 'Download PKCS12 file',
 'download root certificate' => 'Download root certificate',
-'download tls-auth key' => 'Download tls-auth key',
+'download tls-auth key' => 'Download TLS-Auth key',
+'download tls-crypt key' => 'Download TLS-Crypt key',
+'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server key',
 'dpd action' => 'Action',
 'dpd delay' => 'Delay',
 'dpd timeout' => 'Timeout',
@@ -1073,16 +1074,11 @@
 'external access rule removed' => ' External access rule removed; restarting access controller',
 'external aliases configuration' => 'External aliases configuration',
 'extrahd' => 'ExtraHD',
-'extrahd because it it outside the allowed mount path' => ', because it is outside the allowed mount path',
 'extrahd because there is already a device mounted' => ', because there is already a device mounted',
 'extrahd cant umount' => 'Can\'t umount',
 'extrahd detected drives' => 'detected drives',
 'extrahd install or load driver' => 'If your device isn\'t listed here, you need to install or load the driver.<br />If you can see your device but no partitions you have to create them first.',
 'extrahd maybe the device is in use' => '. Maybe the device is in use',
-'extrahd mounted' => 'Mounted',
-'extrahd no mount point given' => 'No mount point given',
-'extrahd not configured' => 'Not configured',
-'extrahd not mounted' => 'Not mounted',
 'extrahd to' => 'to',
 'extrahd to root' => 'to root',
 'extrahd unable to read' => 'Unable to read',
@@ -1946,8 +1942,6 @@
 'open connections' => 'Open Connections',
 'open to all' => 'Override external access to ALL',
 'openssl produced an error' => 'OpenSSL produced an error',
-'openvpn cert expires soon' => 'Expires Soon',
-'openvpn cert has expired' => 'Expired',
 'openvpn client' => 'OpenVPN client',
 'openvpn default' => 'Default',
 'openvpn destination port used' => 'The destination port is already used by another OpenVPN server.',
@@ -2008,14 +2002,22 @@
 'override mtu' => 'Override default MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Advanced encryption settings',
+'ovpn client version 25 cipher negotiation' => 'Negotiate encryption',
+'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher',
 'ovpn con stat' => 'OpenVPN Connection Statistics',
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel authentication' => 'Data and channel authentication',
+'ovpn data channel' => 'Data-Channel',
+'ovpn data channel fallback' => 'Data-Channel fallback',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',
@@ -2042,7 +2044,9 @@
 'ovpn subnet' => 'OpenVPN subnet:',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
-'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn tls auth' => 'TLS Channel Protection',
+'ovpn warning 64 bit block cipher' => 'This encryption algorithm is broken and will be removed in OpenVPN-2.7 <br>Please change this as soon as possible!</br>',
+'ovpn warning algorithm' => 'You configured the algorithm',
 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
@@ -2208,8 +2212,6 @@
 'refresh index page while connected' => 'Refresh index.cgi page while connected',
 'refresh update list' => 'Refresh update list',
 'registered user rules' => 'Talos VRT rules for registered users',
-'reiserfs warning1' => 'Reiserfs is deprecated and scheduled to be removed from the kernel in 2025.',
-'reiserfs warning2' => 'Ensure a fresh installation is made using either ext4 or xfs filesystems before that date.',
 'release' => 'Release',
 'released' => 'Released',
 'reload' => 'reload',
@@ -2329,7 +2331,9 @@
 'show otp qrcode' => 'Show OTP QRCode',
 'show root certificate' => 'Show root certificate',
 'show share options' => 'Show shares options',
-'show tls-auth key' => 'Show tls-auth key',
+'show tls-auth key' => 'Show TLS-Auth key',
+'show tls-crypt key' => 'Show TLS-Crypt key',
+'show tls-crypt-v2 key' => 'Show TLS-Crypt-v2 key',
 'shuffle' => 'Shuffle',
 'shutdown' => 'Shutdown',
 'shutdown ask' => 'Shutdown?',
@@ -2376,7 +2380,6 @@
 'source port overlaps' => 'Source port range overlaps an existing port range.',
 'speaker off' => 'Speaker off:',
 'speaker on' => 'Speaker on:',
-'spec rstack overflow' => 'Speculative Return Stack Overflow',
 'spectre variant 1' => 'Spectre Variant 1',
 'spectre variant 2' => 'Spectre Variant 2',
 'spectre variant 4' => 'Spectre Variant 4',
@@ -2458,7 +2461,9 @@
 'system logs' => 'System Logs',
 'system status information' => 'System Status Information',
 'ta key' => 'TLS-Authentification-Key',
-'taa zombieload2' => 'TSX Async Abort/ZombieLoad v2',
+'tc key' => 'TLS-Cryptografic-Key',
+'tc v2 key' => 'TLS-Cryptografic-Key-version2',
+'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
 'tcp more reliable' => 'TCP (more reliable)',
 'telephone not set' => 'Telephone not set.',
 'template' => 'Preset',
-- 
2.47.2


$Lang::tr{'dhcp-options'}

Domain
DNS
WINS
$Lang::tr{'ovpn routes push options'}
$Lang::tr{'ovpn routes push'}	@@ -2744,11 +3042,14 @@ if ($cgiparams{'ROUTES_PUSH'} ne '') print <<END;
$Lang::tr{'log-options'}

VERB
$Lang::tr{'log-options'}

VERB