@@ -80,6 +80,7 @@ my $col="";
my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
my $dhparameter = "/etc/ssl/ffdhe4096.pem";
+my @advcipherchar=();
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
$cgiparams{'ENABLED'} = 'off';
@@ -101,6 +102,7 @@ $cgiparams{'number'} = '';
$cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";
# Perform crypto and configration test
&pkiconfigcheck;
@@ -329,7 +331,12 @@ sub writeserverconf {
}
print CONF "status-version 1\n";
print CONF "status /var/run/ovpnserver.log 30\n";
- print CONF "ncp-disable\n";
+
+ # Data channel encryption
+ # Set seperator ':' for data ciphers
+ @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+ print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+
print CONF "cipher $sovpnsettings{DCIPHER}\n";
print CONF "auth $sovpnsettings{'DAUTH'}\n";
# Set TLSv2 as minimum
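Review bot: `@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);` stores the substitution count, not the cipher list — the `s///g` rewrites `$sovpnsettings{'DATACIPHERS'}` in place and the array is never read afterwards, so the assignment is misleading (the client-config hunk at -2291 has the same pattern with `$vpnsettings`). The in-place edit also leaves the settings hash holding ':'-separated values for the rest of the request, which matters if that hash is written back anywhere; a non-mutating form avoids both problems: `my $data_ciphers = join(':', split(/\|/, $sovpnsettings{'DATACIPHERS'}));` followed by `print CONF "data-ciphers $data_ciphers\n";`. The value reaching this directive is stored by the save handler (-811 hunk) straight from the CGI parameter after only an empty-string check and is then written verbatim into server.conf, so I would validate each '|'-separated token against the four names offered in the select before saving, so that unexpected characters (including line breaks) cannot end up in the config file. The comment's "seperator" should read "separator". writeserverconf starts before this hunk.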
@@ -811,8 +818,15 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
$vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'};
$vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'};
$vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'};
+ $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
my @temp=();
+ # data-ciphers needs at least one cipher
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+ goto ADV_ERROR;
+ }
+
if ($cgiparams{'FRAGMENT'} eq '') {
delete $vpnsettings{'FRAGMENT'};
} else {
@@ -2291,7 +2305,12 @@ else
$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n";
$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";
}
- print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+ # Data cipher negotiation
+ # Set seperator ':' for --data-ciphers algorithms
+ @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+ print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2644,6 +2663,7 @@ END
%cahash = ();
%confighash = ();
my $disabled;
+ my @temp=();
&General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
read_routepushfile;
@@ -2652,6 +2672,18 @@ END
# $cgiparams{'CLIENT2CLIENT'} = 'on';
# }
ADV_ERROR:
+
+ # Set default data channel ciphers
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM';
+ }
+ $checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+ $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+ @temp = split('\|', $cgiparams{'DATACIPHERS'});
+ foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
if ($cgiparams{'MAX_CLIENTS'} eq '') {
$cgiparams{'MAX_CLIENTS'} = '100';
}
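Review bot: The default-and-`%checked` block added after `ADV_ERROR:` is repeated verbatim in the -2706 hunk a few lines further down, so the default `'ChaCha20-Poly1305|AES-256-GCM'` and the four option names now live in two places; a small helper such as `sub _mark_selected_dataciphers` called from both spots would keep them in sync. The `foreach` marks whatever tokens the split yields, so a stored value outside the four offered names is accepted silently here and only shows up when OpenVPN rejects the config; restricting the loop to known keys makes the form reflect reality: `$checked{'DATACIPHERS'}{$key} = "selected='selected'" if exists $checked{'DATACIPHERS'}{$key};`.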
@@ -2706,9 +2738,64 @@ ADV_ERROR:
&Header::closebox();
}
&Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
+
+ # Set default data channel ciphers
+ if ($cgiparams{'DATACIPHERS'} eq '') {
+ $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM';
+ }
+ $checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+ $checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+ $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+ @temp = split('\|', $cgiparams{'DATACIPHERS'});
+ foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+ if ($cgiparams{'MAX_CLIENTS'} eq '') {
+ $cgiparams{'MAX_CLIENTS'} = '100';
+ }
+@@ -2706,9 +2738,45 @@
+ &Header::closebox();
+ }
+ &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'});
+ print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+ print<<END
+ <form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+ <table width='100%'>
+ <tr>
+ <td style='width:18em'><b>$Lang::tr{'ovpn advanced encryption'}</b></td>
+ </tr>
+ </table>
+ <div class="ADVANCED_ENCRYPTION">
+ <table width='100%'>
+ <thead>
+ <tr>
+ <th width="15%"></th>
+ <th>$Lang::tr{'ovpn data channel'}</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td class='boldbase' width="24%">$Lang::tr{'ovpn data encryption'}</td>
+ <td class='boldbase'>
+ <select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+ <option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+ <option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+ <option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+ <option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+ </select>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </div>
+END
+;
+
print <<END;
<form method='post' enctype='multipart/form-data'>
<table width='100%' border=0>
+ <hr>
<tr>
<td colspan='4'><b>$Lang::tr{'dhcp-options'}</b></td>
</tr>
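Review bot: The new side of this hunk contains what looks like an earlier revision of the same patch pasted into the file — the added line `@@ -2706,9 +2738,45 @@`, a second `&Header::closebox();` / `}` / `&Header::openbox(...)` and a second copy of the `MAX_CLIENTS` default — which would leave the CGI with an unbalanced brace and a stray `@@` line, so the hunk needs to be regenerated from the intended working tree. Even with that removed, the page opens three `<form>` elements (the `print "<form method='post' ...>"` line, the `<form>` at the top of the new heredoc, and the existing one after `print <<END;`); only one should remain. `$cgiparams{'KEY'}` is interpolated into the hidden input unescaped; unless it is validated earlier in the request (not visible in this hunk) it should go through the CGI's HTML-escaping helper before being printed. The added `<hr>` sits directly inside `<table>` before the first `<tr>`, which is not valid table content and renders inconsistently.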
@@ -1952,14 +1952,18 @@
'override mtu' => 'Überschreibe Standard-MTU',
'ovpn' => 'OpenVPN',
'ovpn add conf' => 'Erweiterte Konfiguration',
+'ovpn advanced encryption' => 'Kryptografie Optionen',
'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
'ovpn config' => 'OVPN-Konfiguration',
'ovpn connection name' => 'Verbindungs-Name',
'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel' => 'Daten-Kanal',
'ovpn device' => 'OpenVPN-Gerät',
'ovpn dl' => 'OVPN-Konfiguration downloaden',
'ovpn engines' => 'Krypto Engine',
'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
+'ovpn errmsg invalid data cipher input' => 'Die Daten-Kanal Verschlüsselung benötigt mindestens einen Algorithmus',
'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.',
@@ -2013,14 +2013,18 @@
'override mtu' => 'Override default MTU',
'ovpn' => 'OpenVPN',
'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Cryptographic options',
'ovpn con stat' => 'OpenVPN Connection Statistics',
'ovpn config' => 'OVPN-Config',
'ovpn connection name' => 'Connection Name',
'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel' => 'Data-Channel',
'ovpn device' => 'OpenVPN device:',
'ovpn dl' => 'OVPN-Config Download',
'ovpn engines' => 'Crypto engine',
'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data-channel encryption needs at least one cipher',
'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',