From patchwork Thu Dec 10 16:59:19 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Erik Kapfer <erik.kapfer@ipfire.org>
X-Patchwork-Id: 3712
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CsKs117scz3wg0
	for <patchwork@web04.haj.ipfire.org>; Thu, 10 Dec 2020 16:59:33 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4CsKs01KNbz12M;
	Thu, 10 Dec 2020 16:59:32 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4CsKs00Yt2z2xny;
	Thu, 10 Dec 2020 16:59:32 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4CsKrz4Dxtz2xZk
 for <development@lists.ipfire.org>; Thu, 10 Dec 2020 16:59:31 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4CsKry5kFFz8V;
 Thu, 10 Dec 2020 16:59:30 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1607619570;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=+yZSxeYK4eIUW9hxoDos1ECDWbsPTv6Q6+Bme+MV5nw=;
 b=580ME5QaKswj/EhE7QKdDI6Zh9Zrfzlal+mo/cBUAOzYDorgGfsrE5d160QBHFd4CEyV7o
 bW2Tw5AewpW7TcBw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1607619570;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=+yZSxeYK4eIUW9hxoDos1ECDWbsPTv6Q6+Bme+MV5nw=;
 b=h28IELDMsXreDvIlNWm74fO/luTTBgCY53GwNQiJsG1ROKxd8cfuw8ddpWC3FLLdfNYHkA
 qgZM2wXBB+JJhTDqakh02cZq5VWLB/3d5LleoWCBDCKFx2fYeTuTjddWihr6BaPwEivyQb
 FsgTmBcx7VET5U6xbu86sdK6Lrs09KCcuOZdk1Wr8x6EcmKTrM4vxl6aPySAayz4Z2nSbg
 w2TUp1dNxqGD9nro6halNt659cywiTKOV1lGueEkq4rs0Gfw40paPBfcxbmqsEOMQUOXnO
 5jvDEOJ3zi2yyjdtFuWOy0zvPE49oOLGUqAn0jh6VaD1OxaqgMzku+cqmqNWdw==
From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH v2 1/7] OpenVPN: Introduce advanced encryption section
Date: Thu, 10 Dec 2020 16:59:19 +0000
Message-Id: <20201210165925.25037-1-erik.kapfer@ipfire.org>
In-Reply-To: <20201203120807.20694-1-erik.kapfer@ipfire.org>
References: <20201203120807.20694-1-erik.kapfer@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- The whole crypto section will be sorted out from the global section to
an extra page while this patchset and a set of defaults should handle
the encryption also for not experienced users. The WUI style has been
adopted from the IPSec WUI.

- The new directive '--data-ciphers algs' has been introduced for RWs with
OpenVPN version 2.5.0. This directive negotiates with the clients the
best but also available cipher. The selection for '--data-ciphers algs' is
between the GCM family and the new CHACHA20-POLY1305. All ciphers
can be combined with another.
- The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefor
'--ncp-disable' has been removed which fixes the deprecation warning in
the new OpenVPN-2.5.0 server instance.
- While client generation the client version can be set via a checkbox
which enables, if client is >=2.5.0 a full cipher negotiation by printing
also the '--data-cipher algs' directive into the client.ovpn, if the client
version <=2.5.0 (checkbox off), the old deprecated '--cipher alg' will be written.
Existing clients can also subsequently be enhanced via editing the
connection.

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 192 +++++++++++++++++++++++++++++++++++++-
 langs/de/cgi-bin/de.pl    |   7 ++
 langs/en/cgi-bin/en.pl    |   7 ++
 langs/es/cgi-bin/es.pl    |   7 ++
 langs/fr/cgi-bin/fr.pl    |   7 ++
 langs/it/cgi-bin/it.pl    |   7 ++
 langs/nl/cgi-bin/nl.pl    |   7 ++
 langs/pl/cgi-bin/pl.pl    |   7 ++
 langs/ru/cgi-bin/ru.pl    |   7 ++
 langs/tr/cgi-bin/tr.pl    |   7 ++
 10 files changed, 251 insertions(+), 4 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 68a70d147..40ae58673 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -75,6 +75,7 @@ my $name;
 my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my @advcipherchar=();
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 $cgiparams{'ENABLED'} = 'off';
@@ -98,6 +99,7 @@ $cgiparams{'number'} = '';
 $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -325,8 +327,16 @@ sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
-    print CONF "ncp-disable\n";
     print CONF "cipher $sovpnsettings{DCIPHER}\n";
+
+	# Data channel encryption
+	# Set seperator for data ciphers
+	@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+	# Add also algorithm from --cipher directive
+	if ($sovpnsettings{'DATACIPHERS'} ne '') {
+		print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+	}
+
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
@@ -911,6 +921,27 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
     &writeserverconf();#hier ok
 }
 
+###
+### Save Advanced encryption
+###
+
+if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+
+	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
+
+	# --data-ciphers needs at least one cipher
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+		goto ADV_ENC_ERROR;
+	}
+
+	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
+	&writeserverconf();
+}
+
+### End Save advanced encryption
+
 ###
 # m.a.d net2net
 ###
@@ -2344,7 +2375,16 @@ else
 	$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
 	$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";    
     }
-    print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+	# Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0 in client.ovpn
+	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		# Set seperator for --data-ciphers algorithms
+		@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+		print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+	} else {
+		print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
+	}
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2859,7 +2899,132 @@ END
     &Header::closebigbox();
     &Header::closepage();
     exit(0);
-	
+
+###
+### Advanced encryption settings
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) {
+	%cgiparams = ();
+	%confighash = ();
+	my @temp=();
+	my $disabled;
+	&General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
+
+	my $key = $cgiparams{'KEY'};
+	if (! $key) {
+		$key = &General::findhasharraykey (\%confighash);
+		foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
+	}
+	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+
+ADV_ENC_ERROR:
+
+	# Set default data channel ciphers
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42];
+	}
+	$checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+	$checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+	@temp = split('\|', $cgiparams{'DATACIPHERS'});
+	foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+	# Save settings and display default if not configured
+	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+	} else {
+		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+	}
+
+ADV_ENC_ERROR:
+
+	&Header::showhttpheaders();
+	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+	&Header::openbigbox('100%', 'left', '', $errormessage);
+	if ($errormessage) {
+		&Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+		print "<class name='base'>$errormessage";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
+	if ($warnmessage) {
+		&Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
+		print "<class name='base'>$warnmessage";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+
+	print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+	&Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced encryption'}:");
+	print<<END
+
+	<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+	<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+
+	<table width='100%'>
+		<thead>
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn data channel'}</th>
+			</tr>
+		</thead>
+		<tbody>
+			<tr>
+				<td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td>
+				<td class='boldbase'>
+					<select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+						<option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+						<option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+					</select>
+				</td>
+			</tr>
+		</tbody>
+	</table>
+	<hr>
+END
+;
+
+	if ( -e "/var/run/openvpn.pid") {
+		print"  <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>$Lang::tr{'server restart'}<br><br><hr>";
+		print<<END;
+			<table width='100%'>
+				<tr>
+					<td>&nbsp;</td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' disabled='disabled' /></td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+					<td>&nbsp;</td>
+				</tr>
+			</table>
+		</form>
+END
+;
+
+	} else {
+		print<<END;
+			<table width='100%'>
+				<tr>
+					<td>&nbsp;</td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' /></td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+					<td>&nbsp;</td>
+				</tr>
+			</table>
+		</form>
+END
+;
+
+	}
+
+	&Header::closebox();
+	&Header::closebigbox();
+	&Header::closepage();
+	exit(0);
+
+### END advanced encryption
 
 # A.Marx CCD   Add,delete or edit CCD net
 
@@ -3595,6 +3760,8 @@ if ($confighash{$cgiparams{'KEY'}}) {
 		$cgiparams{'DAUTH'}		= $confighash{$cgiparams{'KEY'}}[39];
 		$cgiparams{'DCIPHER'}		= $confighash{$cgiparams{'KEY'}}[40];
 		$cgiparams{'TLSAUTH'}		= $confighash{$cgiparams{'KEY'}}[41];
+		# Index from [39] to [44] has been reserved by advanced encryption
+		$cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
 	} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 	$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 	
@@ -4338,6 +4505,8 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
 		$confighash{$key}[41] = "no-pass";
 	}
+	# Index from [39] to [44] has been reserved by advanced encryption
+	$confighash{$key}[45]         = $cgiparams{'CLIENTVERSION'};
 
 	&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 	
@@ -4749,6 +4918,7 @@ if ($cgiparams{'TYPE'} eq 'host') {
 	    print"</td></tr></table><br><br>";
 		my $name=$cgiparams{'CHECK1'};
 		$checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
+		$checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
 		
 	if (! -z "${General::swroot}/ovpn/ccd.conf"){	
 		print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
@@ -4884,7 +5054,12 @@ if ($cgiparams{'TYPE'} eq 'host') {
 	
 	print <<END;
 	<table border='0' width='100%'>
-	<tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+		<tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+		<tr>
+			<td width='30%'>$Lang::tr{'ovpn client version 25 cipher negotiation'}:</td>
+			<td colspan='3'><input type='checkbox' name='CLIENTVERSION' $checked{'CLIENTVERSION'}{'on'} />
+			<font color='red'>&nbsp;$Lang::tr{'ovpn client version 25 warning'}</font></td>
+		</tr>
 	<tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
 	<tr><td colspan='4'>&nbsp</td></tr>
 	<tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
@@ -5138,6 +5313,13 @@ END
     $checked{'DCOMPLZO'}{'on'} = '';
     $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
 
+	if ($cgiparams{'CLIENTVERSION'} = '' ) {
+		$cgiparams{'CLIENTVERSION'} = 'off';
+	}
+	$checked{'CLIENTVERSION'}{'off'} = '';
+	$checked{'CLIENTVERSION'}{'on'} = '';
+	$checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
+
 # m.a.d
     $checked{'MSSFIX'}{'off'} = '';
     $checked{'MSSFIX'}{'on'} = '';
@@ -5281,11 +5463,13 @@ END
 	print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";	
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
     } else{
 	print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
 	if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
 	     -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
 	     -e "${General::swroot}/ovpn/certs/servercert.pem" &&
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 2fb46e741..0d0705845 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1901,10 +1901,15 @@
 'override mtu' => 'Überschreibe Standard-MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Erweiterte Konfiguration',
+'ovpn advanced encryption' => 'Erweiterte Kryptografie Einstellung',
+'ovpn client version 25 cipher negotiation' => 'Verschlüsselung aushandeln',
+'ovpn client version 25 warning' => 'Erst ab Client Version 2.5.0 verfügbar',
 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel' => 'Daten-Kanal',
 'ovpn device' => 'OpenVPN-Gerät',
 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
@@ -1913,6 +1918,7 @@
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
+'ovpn errmsg invalid data cipher input' => 'Der Daten-Kanal benötigt mindestens einen Algorithmus',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
 'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
@@ -2163,6 +2169,7 @@
 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden',
 'save settings' => 'Einstellungen speichern',
 'save-adv-options' => 'Erweiterte Optionen speichern',
+'save-enc-options' => 'Kryptografie Optionen speichern',
 'script name' => 'Skriptname:',
 'search' => 'Suchen',
 'secondary dns' => 'Sekundärer DNS-Server:',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index b5284effa..affa43cd3 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1933,10 +1933,15 @@
 'override mtu' => 'Override default MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Advanced encryption settings',
+'ovpn client version 25 cipher negotiation' => 'Negotiate encryption',
+'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher',
 'ovpn con stat' => 'OpenVPN Connection Statistics',
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel' => 'Data-Channel',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dh' => 'Diffie-Hellman parameters length',
 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
@@ -1945,6 +1950,7 @@
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
@@ -2196,6 +2202,7 @@
 'save error' => 'Unable to save configuration archive file',
 'save settings' => 'Save settings',
 'save-adv-options' => 'Save advanced options',
+'save-enc-options' => 'Save encryption options',
 'script name' => 'Script name:',
 'search' => 'Search',
 'secondary dns' => 'Secondary DNS:',
diff --git a/langs/es/cgi-bin/es.pl b/langs/es/cgi-bin/es.pl
index 93a15bba0..3d6efc21a 100644
--- a/langs/es/cgi-bin/es.pl
+++ b/langs/es/cgi-bin/es.pl
@@ -36,6 +36,9 @@
 'Number of IPs for the pie chart' => 'Número de IPS para la gráfica circular',
 'Number of Ports for the pie chart' => 'Número de puerto para la gráfica circular',
 'OVPN' => 'OpenVPN',
+'ovpn advanced encryption' => 'Configuración avanzada de encriptación',
+'ovpn client version 25 cipher negotiation' => 'Negociar encriptación',
+'ovpn client version 25 warning' => 'Disponible con la versión de Cliente 2.5.0 y superior',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Páginas',
 'Ping' => 'Ping:',
@@ -1328,7 +1331,10 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Estadisticas de conexión OpenVPN',
 'ovpn config' => 'Configruación de OVPN',
+'ovpn data encryption' => 'Encriptación Data-Channel',
+'ovpn data channel' => 'Canal-Datos',
 'ovpn device' => 'Dispositivo OpenVPN',
+'ovpn errmsg invalid data cipher input' => 'El cifrado de datos necesita al menos de un cifrado',
 'ovpn dl' => 'Configuración de descargas OVPN',
 'ovpn log' => 'Registro de log de OVPN',
 'ovpn on blue' => 'OpenVPN en BLUE',
@@ -1531,6 +1537,7 @@
 'save error' => 'Imposible grabar archivo de configuración',
 'save settings' => 'Guardar configuraciones',
 'save-adv-options' => 'Guardar configuraciones avanzadas',
+'save-enc-options' => 'Guardar opciones de encriptado',
 'script name' => 'Nombre de Script:',
 'secondary dns' => 'DNS Secundario:',
 'secondary ntp server' => 'Servidor NTP Secundario',
diff --git a/langs/fr/cgi-bin/fr.pl b/langs/fr/cgi-bin/fr.pl
index a2d27939c..df19ef316 100644
--- a/langs/fr/cgi-bin/fr.pl
+++ b/langs/fr/cgi-bin/fr.pl
@@ -1934,10 +1934,15 @@
 'override mtu' => 'Remplacer le MTU par défaut',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Configuration additionnelle',
+'ovpn advanced encryption' => 'Paramètres de cryptage avancés',
+'ovpn client version 25 cipher negotiation' => 'Négocier le cryptage',
+'ovpn client version 25 warning' => 'Disponible avec le client version 2.5.0 et supérieur',
 'ovpn con stat' => 'Statistiques de connexions OpenVPN',
 'ovpn config' => 'Config OVPN',
 'ovpn connection name' => 'Nom de la connexion ',
 'ovpn crypt options' => 'Options cryptographiques',
+'ovpn data encryption' => 'Chiffrage du canal de données',
+'ovpn data channel' => 'Canal de données',
 'ovpn device' => 'Périphérique OpenVPN :',
 'ovpn dh' => 'Longueur de paramètres Diffie-Hellman ',
 'ovpn dh new key' => 'Générer de nouveaux paramètres Diffie-Hellman ',
@@ -1946,6 +1951,7 @@
 'ovpn dl' => 'Télécharger Config OVPN',
 'ovpn engines' => 'Moteur Crypto',
 'ovpn errmsg green already pushed' => 'La route pour le réseau VERT est toujours activée',
+'ovpn errmsg invalid data cipher input' => 'Le chiffrage de données nécessite au moins un cryptogramme',
 'ovpn errmsg invalid ip or mask' => 'Adresse ou masque de sous-réseau invalide',
 'ovpn error dh' => 'Le paramètre Diffie-Hellman doit être au minimum à 2048 bits ! <br>Veuillez générer ou télécharger un nouveau paramètre Diffie-Hellman, cela peut être fait ci-dessous dans la section "Options de paramètres Diffie-Hellman".</br>',
 'ovpn error md5' => 'Votre certificat hôte utilise MD5 pour la signature qui n\'est plus acceptée. <br>Veuillez mettre à jour la dernière version d\'IPFire et générez un nouveau certificat racine et hôte..</br><br>Tous les clients OpenVPN doivent ensuite être renouvelés!</br>',
@@ -2200,6 +2206,7 @@
 'save error' => 'Impossible de sauvegarder le fichier archive de configuration',
 'save settings' => 'Sauvegarder les paramètres',
 'save-adv-options' => 'Sauvegarder les options avancées',
+'save-enc-options' => 'Enregistrer les options de chiffrage',
 'script name' => 'Nom du script :',
 'search' => 'Recherche',
 'secondary dns' => 'DNS secondaire :',
diff --git a/langs/it/cgi-bin/it.pl b/langs/it/cgi-bin/it.pl
index 14436de4b..1c190eff2 100644
--- a/langs/it/cgi-bin/it.pl
+++ b/langs/it/cgi-bin/it.pl
@@ -43,6 +43,11 @@
 'Number of IPs for the pie chart' => 'Numero di IP per il grafico a torta',
 'Number of Ports for the pie chart' => 'Numero di porte per il grafico a torta',
 'OVPN' => 'OpenVPN',
+'ovpn data encryption' => 'Crittografia del canale dati',
+'ovpn data channel' => 'Canale-Dati',
+'ovpn advanced encryption' => 'Impostazioni avanzate di crittografia',
+'ovpn client version 25 cipher negotiation' => 'Negozazione cirttografia',
+'ovpn client version 25 warning' => 'Disponibile con client 2.5.0 o più recente',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Pagine',
 'Ping' => 'Ping :',
@@ -1701,6 +1706,7 @@
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for Verde network is always set',
+'ovpn errmsg invalid data cipher input' => 'La crittografia dati necessita almeno un cifrario',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn generating the root and host certificates' => 'Generating the root and host certifictae can take a long time.',
 'ovpn ha' => 'Hash algorithm',
@@ -1928,6 +1934,7 @@
 'save error' => 'Unable to save configuration archive file',
 'save settings' => 'Save settings',
 'save-adv-options' => 'Save advanced options',
+'save-enc-options' => 'Salva impostazioni di crittografia',
 'script name' => 'Script name:',
 'secondary dns' => 'DNS Secondario:',
 'secondary ntp server' => 'NTP server secondario',
diff --git a/langs/nl/cgi-bin/nl.pl b/langs/nl/cgi-bin/nl.pl
index 53341a6f8..8207399e2 100644
--- a/langs/nl/cgi-bin/nl.pl
+++ b/langs/nl/cgi-bin/nl.pl
@@ -43,6 +43,9 @@
 'Number of IPs for the pie chart' => 'Aantal IPs voor de taartdiagram',
 'Number of Ports for the pie chart' => 'Aantal poorten voor de taartdiagram',
 'OVPN' => 'OpenVPN',
+'ovpn advanced encryption' => 'Geavanceerde versleuteling instellingen',
+'ovpn client version 25 cipher negotiation' => 'Onderhandel over versleuteling',
+'ovpn client version 25 warning' => 'Beschikbaar met clientversie 2.5.0 en hoger',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Pagina\'s',
 'Ping' => 'Ping :',
@@ -1655,9 +1658,12 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'OpenVPN connectiestatistieken',
 'ovpn config' => 'OVPN-Configuratie',
+'ovpn data encryption' => 'Datakanaalversleuteling',
+'ovpn data channel' => 'Data-kanaal',
 'ovpn device' => 'OpenVPN apparaat:',
 'ovpn dl' => 'OVPN-Configuratie download',
 'ovpn errmsg green already pushed' => 'Route voor het groene netwerk is altijd aangezet',
+'ovpn errmsg invalid data cipher input' => 'De gegevens codering heeft ten minste één codering nodig',
 'ovpn errmsg invalid ip or mask' => 'Ongeldig netwerkadres of subnetmasker',
 'ovpn log' => 'OVPN-Log',
 'ovpn mgmt in root range' => 'Een poortnummer hoger dan 1024 is vereist.',
@@ -1881,6 +1887,7 @@
 'save error' => 'Kan configuratie-archief niet opslaan',
 'save settings' => 'Opslaan instellingen',
 'save-adv-options' => 'Opslaan geavanceerde opties',
+'save-enc-options' => 'Bewaar encryptie opties',
 'script name' => 'Scriptnaam:',
 'secondary dns' => 'Secondaire DNS:',
 'secondary ntp server' => 'Secondaire NTP server',
diff --git a/langs/pl/cgi-bin/pl.pl b/langs/pl/cgi-bin/pl.pl
index 63c8a1793..f9fbe57df 100644
--- a/langs/pl/cgi-bin/pl.pl
+++ b/langs/pl/cgi-bin/pl.pl
@@ -37,6 +37,9 @@
 'Number of IPs for the pie chart' => 'Liczba numerów IP na wykresie kołowym',
 'Number of Ports for the pie chart' => 'Liczba portów na wykresie kołowym',
 'OVPN' => 'OpenVPN',
+'ovpn advanced encryption' => 'Zaawansowane ustawienia szyfrowania',
+'ovpn client version 25 cipher negotiation' => 'Negocjowanie szyfrowania',
+'ovpn client version 25 warning' => 'Dostępny z klientem w wersji 2.5.0 i wyższej',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Stron',
 'Ping' => 'Ping :',
@@ -1340,8 +1343,11 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Statystyki połączeń OpenVPN',
 'ovpn config' => 'OVPN-Konfig',
+'ovpn data encryption' => 'Szyfrowanie Kanału-Danych',
+'ovpn data channel' => 'Kanał-Danych',
 'ovpn device' => 'Urządzenie OpenVPN:',
 'ovpn dl' => 'Pobierz konfig OVPN',
+'ovpn errmsg invalid data cipher input' => 'Szyfr danych wymaga co najmniej jednego szyfru',
 'ovpn log' => 'Log OVPN',
 'ovpn on blue' => 'OpenVPN na int. BLUE',
 'ovpn on orange' => 'OpenVPN na int. ORANGE',
@@ -1543,6 +1549,7 @@
 'save error' => 'Nie można zapisać konfiguracji do pliku archiwum',
 'save settings' => 'Zapisz ustawienia',
 'save-adv-options' => 'Zapisz zaawansowane ustawienia',
+'save-enc-options' => 'Zapisywanie opcji szyfrowania',
 'script name' => 'Nazwa skryptu:',
 'secondary dns' => 'Zapasowy DNS:',
 'secondary ntp server' => 'Zapasowy serwer NTP',
diff --git a/langs/ru/cgi-bin/ru.pl b/langs/ru/cgi-bin/ru.pl
index 4f69dc47a..700a8d838 100644
--- a/langs/ru/cgi-bin/ru.pl
+++ b/langs/ru/cgi-bin/ru.pl
@@ -35,6 +35,9 @@
 'Number of IPs for the pie chart' => 'Число IP для круглых графиков',
 'Number of Ports for the pie chart' => 'Число портов для круглых графиков',
 'OVPN' => 'OpenVPN',
+'ovpn advanced encryption' => 'Расширенные настройки шифрования',
+'ovpn client version 25 cipher negotiation' => 'Обсудить шифрование',
+'ovpn client version 25 warning' => 'Доступно с клиентской версией 2.5.0 и выше',
 'OpenVPN' => 'OpenVPN',
 'Pages' => 'Страницы',
 'Ping' => 'Пинг :',
@@ -1331,9 +1334,12 @@
 'ovpn' => 'OpenVPN',
 'ovpn con stat' => 'Статистика подключений OpenVPN',
 'ovpn config' => 'Настройки OVPN',
+'ovpn data encryption' => 'шифрование-каналов данных',
+'ovpn data channel' => 'Информационный-канал',
 'ovpn device' => 'Устройство OpenVPN:',
 'ovpn dl' => 'Загрузка настроек OVPN',
 'ovpn errmsg green already pushed' => 'Маршрут для зелёной сети всегда включён',
+'ovpn errmsg invalid data cipher input' => 'Для шифра данных нужен хотя бы один шифр',
 'ovpn errmsg invalid ip or mask' => 'Неправильный адрес или маска подсти',
 'ovpn log' => 'Журнал OVPN',
 'ovpn on blue' => 'OpenVPN на BLUE',
@@ -1538,6 +1544,7 @@
 'save error' => 'Не получилось сохранить архив настроек',
 'save settings' => 'Сохранить настройки',
 'save-adv-options' => 'Сохранить дополнительные настройки',
+'save-enc-options' => 'Сохранить параметры шифрования',
 'script name' => 'Имя скрипта:',
 'secondary dns' => 'Второй DNS:',
 'secondary ntp server' => 'Второй NTP сервер',
diff --git a/langs/tr/cgi-bin/tr.pl b/langs/tr/cgi-bin/tr.pl
index 34e8bdcf7..0c64063c7 100644
--- a/langs/tr/cgi-bin/tr.pl
+++ b/langs/tr/cgi-bin/tr.pl
@@ -1835,9 +1835,14 @@
 'override mtu' => 'Varsayılan MTU seçeneğini geçersiz kıl',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Ek yapılandırma',
+'ovpn advanced encryption' => 'Gelişmiş şifreleme ayarları',
+'ovpn client version 25 cipher negotiation' => 'Şifrelemeyi görüşün',
+'ovpn client version 25 warning' => 'İstemci sürümü 2.5.0 ve üstü ile mevcuttur',
 'ovpn con stat' => 'OpenVPN Bağlantı İstatistiği',
 'ovpn config' => 'OVPN-Yapılandırması',
 'ovpn crypt options' => 'Şifreleme seçenekleri',
+'ovpn data channel' => 'Veri-Kanalı',
+'ovpn data encryption' => 'Veri-Kanalı şifreleme',
 'ovpn device' => 'OpenVPN aygıtı:',
 'ovpn dh' => 'Diffie-Hellman parametre uzunluğu',
 'ovpn dh new key' => 'Yeni Diffie-Hellman parametrelerini oluşturun',
@@ -1846,6 +1851,7 @@
 'ovpn dl' => 'OVPN-Yapılandırması İndir',
 'ovpn engines' => 'Şifreleme motoru',
 'ovpn errmsg green already pushed' => 'Yeşil ağ için her zaman bir yol ayarla',
+'ovpn errmsg invalid data cipher input' => 'Veri şifresinin en az bir şifreye ihtiyacı var',
 'ovpn errmsg invalid ip or mask' => 'Geçersiz ağ adresi veya alt ağ maskesi',
 'ovpn generating the root and host certificates' => 'Root ve ana bilgisayar sertifika üretimi uzun zaman alabilir.',
 'ovpn ha' => 'Hash algorithması',
@@ -2080,6 +2086,7 @@
 'save error' => 'Yapılandırma arşiv dosyası kaydedilemiyor.',
 'save settings' => 'Ayarları kaydet',
 'save-adv-options' => 'Gelişmiş Seçenekleri Kaydet',
+'save-enc-options' => 'Şifreleme Seçeneklerini Kaydedin',
 'script name' => 'Komut adı:',
 'search' => 'Ara',
 'secondary dns' => 'İkincil DNS:',