@@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} = '';
$cgiparams{'DAUTH'} = '';
$cgiparams{'TLSAUTH'} = '';
$cgiparams{'DATACIPHERS'} = '';
+$cgiparams{'CHANNELCIPHERS'} = '';
+$cgiparams{'NCHANNELCIPHERS'} = '';
$routes_push_file = "${General::swroot}/ovpn/routes_push";
# Perform crypto and configration test
&pkiconfigcheck;
@@ -351,6 +353,20 @@ sub writeserverconf {
print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
}
+ # Control channel encryption TLSv2 needs own line cause directive name differs
+ if ($sovpnsettings{'CHANNELCIPHERS'} ne '') {
+ # Set seperator for TLSv2 channel ciphers
+ @advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);
+ print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n";
+ }
+
+ # Control channel encryption >= TLSv3
+ if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') {
+ # Set seperator for TLSv3 channel ciphers
+ @advcipherchar = ($sovpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g);
+ print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n";
+ }
+
print CONF "auth $sovpnsettings{'DAUTH'}\n";
# Set TLSv2 as minimum
print CONF "tls-version-min 1.2\n";
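Review bot: `@advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);` (and the NCHANNELCIPHERS twin below it) stores the substitution count in an array that is never read; the real work is the in-place rewrite of the hash value, so the assignment only obscures that. Write it as a plain statement, `$sovpnsettings{'CHANNELCIPHERS'} =~ tr/|/:/;`, or if %sovpnsettings is used again after this point, keep it intact with `(my $tls_cipher = $sovpnsettings{'CHANNELCIPHERS'}) =~ tr/|/:/;` and print `$tls_cipher`. The `ne ''` guards also emit an uninitialized-value warning when the key is absent, which the save handler arranges by deleting it, so `($sovpnsettings{'CHANNELCIPHERS'} // '') ne ''` is the safer test. The comments say TLSv2/TLSv3 where OpenVPN's `--tls-cipher` governs TLS 1.2 and below and `--tls-ciphersuites` TLS 1.3; naming them `TLS 1.2` / `TLS 1.3` avoids confusion with SSL version numbers. writeserverconf begins and ends outside this hunk.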
@@ -951,6 +967,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
goto ADV_ENC_ERROR;
}
+ # If no value for --tls-cipher has been set, delete setting
+ if ($cgiparams{'CHANNELCIPHERS'} eq '') {
+ delete $vpnsettings{'CHANNELCIPHERS'};
+ } else {
+ $vpnsettings{'CHANNELCIPHERS'} = $cgiparams{'CHANNELCIPHERS'};
+ }
+
+ # If no value for --tls-ciphersuites has been set, delete setting
+ if ($cgiparams{'NCHANNELCIPHERS'} eq '') {
+ delete $vpnsettings{'NCHANNELCIPHERS'};
+ } else {
+ $vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'};
+ }
+
&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
&writeserverconf();
}
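Review bot: The new branches copy `$cgiparams{'CHANNELCIPHERS'}` and `$cgiparams{'NCHANNELCIPHERS'}` into %vpnsettings and straight on to writeserverconf without checking their contents, although the lines just above show this handler already has an error path (`goto ADV_ENC_ERROR`) for bad option values. Nothing in the hunk restricts the value to the entries the form offers, so unless the CGI parameter layer validates it upstream (not visible here) a value containing whitespace or a newline would be written verbatim into the `tls-cipher` / `tls-ciphersuites` line of server.conf and the client .ovpn. Split the value on `|` and reject any entry not in the known list before the assignment, routing failures through the same `ADV_ENC_ERROR` path as the existing checks; the same whitelist applies to the later writeserverconf and client-config hunks, which print the value unchanged. The sketch below covers CHANNELCIPHERS; NCHANNELCIPHERS needs the same loop with the three TLS 1.3 suite names.
```perl
# … unchanged: existing option checks ending in goto ADV_ENC_ERROR …
# Accept only the suites offered by the form; the value is written verbatim to server.conf
my %known_tls_cipher = map { $_ => 1 } qw(
    TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
    TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
    TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
    TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256
    TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
);
for my $entry (split /\|/, $cgiparams{'CHANNELCIPHERS'}) {
    if (!$known_tls_cipher{$entry}) {
        # set the error text the way the checks above do, then bail out
        goto ADV_ENC_ERROR;
    }
}
# … unchanged: CHANNELCIPHERS / NCHANNELCIPHERS assignment, writehash, writeserverconf …
```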
@@ -2402,6 +2432,23 @@ else
print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
}
+ # Set --tls-cipher TLSv2 in client.ovpn if configured
+ if ($vpnsettings{'CHANNELCIPHERS'} ne '') {
+ # Set seperator for TLSv2 channel ciphers
+ @advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);
+ print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n";
+ }
+
+ # Print new tls-ciphersuites TLSv3 in client.ovpn only if client is >=2.5.0
+ if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+ # Set --tls-ciphersuites TLSv3 if configured
+ if ($vpnsettings{'NCHANNELCIPHERS'} ne '') {
+ # Set seperator for TLSv3 channel ciphers
+ @advcipherchar = ($vpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g);
+ print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n";
+ }
+ }
+
print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
if ($vpnsettings{'TLSAUTH'} eq 'on') {
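Review bot: `@advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);` rewrites the value inside the script-wide %vpnsettings hash as a side effect of printing the client config, and what it keeps in `@advcipherchar` is only the unused substitution count. From this line on %vpnsettings holds `a:b` instead of `a|b`, so any later code in the same request that displays or saves the hash would see the colon form unless the settings are re-read first; generating the line from a copy, `(my $tls_cipher = $vpnsettings{'CHANNELCIPHERS'}) =~ tr/|/:/;` and `print CLIENTCONF "tls-cipher $tls_cipher\r\n";`, avoids the question (same for the NCHANNELCIPHERS block). The `ne ''` tests also warn when the key has been deleted by the save handler; `($vpnsettings{'CHANNELCIPHERS'} // '') ne ''` handles both the empty and the absent case. The enclosing `else` branch starts and ends outside this hunk.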
@@ -2934,6 +2981,8 @@ END
}
$confighash{$key}[40] = $cgiparams{'DCIPHER'};
$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+ $confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
+ $confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
ADV_ENC_ERROR:
@@ -2967,13 +3016,37 @@ ADV_ENC_ERROR:
@temp = split('\|', $cgiparams{'DATACIPHERS'});
foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+ # No default settings for --tls-cipher so OpenVPN makes his own choice
+ $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} = '';
+ $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+ $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} = '';
+ $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} = '';
+ $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+ $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} = '';
+ $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} = '';
+ $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+ $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} = '';
+ @temp = split('\|', $cgiparams{'CHANNELCIPHERS'});
+ foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} = "selected='selected'"; }
+
+ # No default settings for --tls-ciphersuites so OpenVPN makes his own choice
+ $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} = '';
+ $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} = '';
+ $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} = '';
+ @temp = split('\|', $cgiparams{'NCHANNELCIPHERS'});
+ foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} = "selected='selected'"; }
+
# Save settings and display default if not configured
if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+ $confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
+ $confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
} else {
$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+ $cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
+ $cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'};
}
ADV_ENC_ERROR:
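Review bot: The nine `$checked{'CHANNELCIPHERS'}{...} = '';` lines and the three NCHANNELCIPHERS ones repeat the exact suite names that the HTML `<option>` list in the form hunk spells out again, so a typo in either copy silently leaves an option never pre-selected. Keep each list once, e.g. `my @tls12_ciphers = qw(TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ... );` followed by `$checked{'CHANNELCIPHERS'}{$_} = '' for @tls12_ciphers;`, and reuse the same arrays to render the options and to validate the submitted values. The comment `# No default settings for --tls-cipher so OpenVPN makes his own choice` reads better as `# No default for --tls-cipher: leave the selection empty so OpenVPN uses its own default list`.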
@@ -3040,8 +3113,41 @@ ADV_ENC_ERROR:
</td>
</tr>
+ <tr>
+ <th width="15%"></th>
+ <th>$Lang::tr{'ovpn control channel v3'}</th>
+ <th>$Lang::tr{'ovpn control channel v2'}</th>
+ </tr>
+
+ <tr>
+ <td class='boldbase' width="27%">$Lang::tr{'ovpn channel encryption'}</td>
+ <td class='boldbase'>
+ <select name='NCHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%'>
+ <option value='TLS_AES_256_GCM_SHA384' $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'}>256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+ <option value='TLS_CHACHA20_POLY1305_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'}>256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+ <option value='TLS_AES_128_GCM_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'}>128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+ </select>
+ </td>
+
+ <td class='boldbase'>
+ <select name='CHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+ <option value='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} AES-GCM SHA384</option>
+ <option value='TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+ <option value='TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-ECDSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+ <option value='TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+ <option value='TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} CHACHA20_POLY1305 SHA256</option>
+ <option value='TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+ <option value='TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+ <option value='TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+ <option value='TLS-DHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-DHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+ </select>
+ </td>
+ </tr>
</tbody>
</table>
+
+ <br><br>
+
<hr>
END
;
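Review bot: The `<select name='CHANNELCIPHERS' ...>` tag carries `size='6'`, `style='width: 100%'`, `style="margin-right:-17px"` and `size="11"` at once; duplicate attributes are invalid HTML and browsers keep only the first occurrence, so the `margin-right` and `size="11"` never take effect. Trim it to match the NCHANNELCIPHERS select on the line above: `<select name='CHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%'>`. The option labels are also inconsistent with each other — `AES-GCM` vs `TLS-AES-GCM` for the same family, and `CHACHA20_POLY1305` with an underscore on the ECDHE-RSA line while every other label uses `CHACHA20-POLY1305` — and the column headings say TLSv2/TLSv3 for what are TLS 1.2 and TLS 1.3 suites.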
@@ -1908,6 +1908,9 @@
'ovpn config' => 'OVPN-Konfiguration',
'ovpn connection name' => 'Verbindungs-Name',
'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn channel encryption' => 'Kontroll-Kanal Verschlüsselung',
+'ovpn control channel v2' => 'Kontroll-Kanal TLSv2',
+'ovpn control channel v3' => 'Kontroll-Kanal TLSv3',
'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
'ovpn data channel' => 'Daten-Kanal',
'ovpn data channel fallback' => 'Daten-Kanal Fallback',
@@ -1940,6 +1940,9 @@
'ovpn config' => 'OVPN-Config',
'ovpn connection name' => 'Connection Name',
'ovpn crypt options' => 'Cryptographic options',
+'ovpn channel encryption' => 'Control-Channel encryption',
+'ovpn control channel v2' => 'Control-Channel TLSv2',
+'ovpn control channel v3' => 'Control-Channel TLSv3',
'ovpn data encryption' => 'Data-Channel encryption',
'ovpn data channel' => 'Data-Channel',
'ovpn data channel fallback' => 'Data-Channel fallback',
@@ -1333,6 +1333,9 @@
'ovpn' => 'OpenVPN',
'ovpn con stat' => 'Estadisticas de conexión OpenVPN',
'ovpn config' => 'Configruación de OVPN',
+'ovpn channel encryption' => 'Encriptación Canal-Control',
+'ovpn control channel v2' => 'Canal-Control TLSv2',
+'ovpn control channel v3' => 'Canal-Control TLSv3',
'ovpn data encryption' => 'Encriptación Data-Channel',
'ovpn data channel' => 'Canal-Datos',
'ovpn data channel fallback' => 'Retroceso Canal-Datos',
@@ -1941,6 +1941,9 @@
'ovpn config' => 'Config OVPN',
'ovpn connection name' => 'Nom de la connexion ',
'ovpn crypt options' => 'Options cryptographiques',
+'ovpn channel encryption' => 'Chiffrage du canal de contrôle',
+'ovpn control channel v2' => 'Canal de contrôle TLSv2',
+'ovpn control channel v3' => 'Canal de contrôle TLSv3',
'ovpn data encryption' => 'Chiffrage du canal de données',
'ovpn data channel' => 'Canal de données',
'ovpn data channel fallback' => 'Canal de données de repli',
@@ -1701,6 +1701,9 @@
'ovpn con stat' => 'OpenVPN Connection Statistics',
'ovpn config' => 'OVPN-Config',
'ovpn crypt options' => 'Cryptographic options',
+'ovpn channel encryption' => 'Crittografia del canale di controllo',
+'ovpn control channel v2' => 'Canale di controllo TLSv2',
+'ovpn control channel v3' => 'Canale di controllo TLSv3',
'ovpn device' => 'OpenVPN device:',
'ovpn dh' => 'Diffie-Hellman parameters length',
'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
@@ -1660,6 +1660,9 @@
'ovpn' => 'OpenVPN',
'ovpn con stat' => 'OpenVPN connectiestatistieken',
'ovpn config' => 'OVPN-Configuratie',
+'ovpn channel encryption' => 'Control-kanaal versleuteling',
+'ovpn control channel v2' => 'Controle-Kanaal TLSv2',
+'ovpn control channel v3' => 'Controle-Kanaal TLSv3',
'ovpn data encryption' => 'Datakanaalversleuteling',
'ovpn data channel' => 'Data-kanaal',
'ovpn data channel fallback' => 'Data-Kanaal terugval',
@@ -1345,6 +1345,9 @@
'ovpn' => 'OpenVPN',
'ovpn con stat' => 'Statystyki połączeń OpenVPN',
'ovpn config' => 'OVPN-Konfig',
+'ovpn channel encryption' => 'Szyfrowanie Control-Channel',
+'ovpn control channel v2' => 'Kanał-Kontrolny TLSv2',
+'ovpn control channel v3' => 'Kanał-Kontrolny TLSv3',
'ovpn data encryption' => 'Szyfrowanie Kanału-Danych',
'ovpn data channel' => 'Kanał-Danych',
'ovpn data channel fallback' => 'Awaria Kanału-Danych',
@@ -1336,6 +1336,9 @@
'ovpn' => 'OpenVPN',
'ovpn con stat' => 'Статистика подключений OpenVPN',
'ovpn config' => 'Настройки OVPN',
+'ovpn channel encryption' => 'Шифрование каналов управления',
+'ovpn control channel v2' => 'Канал-управления TLSv2',
+'ovpn control channel v3' => 'Канал-управления TLSv3',
'ovpn data encryption' => 'шифрование-каналов данных',
'ovpn data channel' => 'Информационный-канал',
'ovpn data channel fallback' => 'Информационный-канал отступление',
@@ -1843,6 +1843,9 @@
'ovpn con stat' => 'OpenVPN Bağlantı İstatistiği',
'ovpn config' => 'OVPN-Yapılandırması',
'ovpn crypt options' => 'Şifreleme seçenekleri',
+'ovpn channel encryption' => 'Kontrol-Kanalı şifreleme',
+'ovpn control channel v2' => 'Kontrol-Kanalı TLSv2',
+'ovpn control channel v3' => 'Kontrol-Kanalı TLSv3',
'ovpn data channel' => 'Veri-Kanalı',
'ovpn data channel fallback' => 'Veri-Kanalı geri dönüşü',
'ovpn data encryption' => 'Veri-Kanalı şifreleme',