Message ID | 20240321122511.3287692-4-erik.kapfer@ipfire.org |
---|---|
State | New |
Headers | From: Erik Kapfer <erik.kapfer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x . Date: Thu, 21 Mar 2024 13:24:51 +0100 Message-ID: <20240321122511.3287692-4-erik.kapfer@ipfire.org> In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org> References: <20240321122511.3287692-1-erik.kapfer@ipfire.org> List-Id: IPFire development talk <development.lists.ipfire.org> Archived-At: <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/UBA4CFA5KM5Z5H6GAJOXVO2AALNPCWFP/> |
Series | [1/4] OpenVPN: Update to version 2.6.9 . |
Commit Message
Erik Kapfer
March 21, 2024, 12:24 p.m. UTC
This process should maybe be continued with some of the following updates to make sure the directives are
included even if the update with these changes has been skipped?! Otherwise, the "Advanced server options" page
needs to be saved via the WUI to bring OpenVPN to life.
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
config/rootfiles/core/185/update.sh | 11 +++++++++++
1 file changed, 11 insertions(+)
Comments
Hi all,
this is a minimal solution for an update to OpenVPN 2.6.x, IMO. This patch series should mainly be a help for Adolf (might be great if you go for a checkout), but please give it all a try and test whether it reaches the goal.

Best,

Erik

On Thursday, 21.03.2024 at 13:24 +0100, Erik Kapfer wrote:
> This process should maybe be continued with some of the following > updates to make sure the directives are > included even if the update with these changes has been skipped?! > Otherwise, the "Advanced server options" page > needs to be saved via the WUI to bring OpenVPN to life. > > Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> > --- > config/rootfiles/core/185/update.sh | 11 +++++++++++ > 1 file changed, 11 insertions(+) > > diff --git a/config/rootfiles/core/185/update.sh > b/config/rootfiles/core/185/update.sh > index 2c95c4102..247661481 100644 > --- a/config/rootfiles/core/185/update.sh > +++ b/config/rootfiles/core/185/update.sh > @@ -35,6 +35,17 @@ done > /etc/init.d/ntp stop > /etc/init.d/squid stop > > +# OpenVPN add and change new 2.6.x directives for NCP. > +if pgrep openvpn > /dev/null; then > + /usr/local/bin/openvpnctrl -k > /dev/null > + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES- > 256-GCM/' /var/ipfire/ovpn/server.conf > + sed -i 's/^cipher/data-ciphers-fallback/' > /var/ipfire/ovpn/server.conf > + /usr/local/bin/openvpnctrl -s > /dev/null > +else > + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES- > 256-GCM/' /var/ipfire/ovpn/server.conf > + sed -i 's/^cipher/data-ciphers-fallback/' > /var/ipfire/ovpn/server.conf > +fi > + > # Extract files > extract_files >
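Review bot: The `s/^cipher/data-ciphers-fallback/` substitution (both branches) renames the directive but carries its argument over unchanged, so whatever legacy cipher the old `cipher` line named stays accepted as the fallback for peers that do not negotiate. Consider checking that value against an allow-list before keeping it, or logging it so the admin can review it after the update. Likewise, `data-ciphers ChaCha20-Poly1305:AES-256-GCM` is written only where a line starting with `ncp-disable` already exists; a server.conf without that line gets no explicit `data-ciphers` at all, which is worth either handling or stating in the comment above the block.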
Hello Erik,

Thank you for the patchset, but I have been working this week on implementing this.

You can find more details about this here:

https://www.ipfire.org/docs/roadmap/openvpn-26

I asked Adolf to post the patches that he had and which include parts of your previous work to finally get this over the line. Various people have been working on the OpenVPN code over the years creating an absolute mess. The CGI file is by far the longest we have and very difficult to edit without breaking anything else. So I have started a large refactor (not rewrite) to get it into some state where we can work on things better.

That will be needed to implement the things outlined on the roadmap page. NCP is only one of them.

On that page, you can find my current development branch linked which includes many changes so far, but it is not done yet.

-Michael

> On 21 Mar 2024, at 12:29, ummeegge <ummeegge@ipfire.org> wrote: > > Hi all, > this is a minimal solution for an update to OpenVPN 2.6.x, IMO. This > patch series should mainly be a help for Adolf (might be great if you > go for a checkout), but please give it all a try and test whether it > reaches the goal. > > Best, > > Erik > > On Thursday, 21.03.2024 at 13:24 +0100, Erik Kapfer wrote: >> This process should maybe be continued with some of the following >> updates to make sure the directives are >> included even if the update with these changes has been skipped?! >> Otherwise, the "Advanced server options" page >> needs to be saved via the WUI to bring OpenVPN to life. >> >> Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> >> --- >> config/rootfiles/core/185/update.sh | 11 +++++++++++ >> 1 file changed, 11 insertions(+) >> >> diff --git a/config/rootfiles/core/185/update.sh >> b/config/rootfiles/core/185/update.sh >> index 2c95c4102..247661481 100644 >> --- a/config/rootfiles/core/185/update.sh >> +++ b/config/rootfiles/core/185/update.sh
>> @@ -35,6 +35,17 @@ done >> /etc/init.d/ntp stop >> /etc/init.d/squid stop >> >> +# OpenVPN add and change new 2.6.x directives for NCP. >> +if pgrep openvpn > /dev/null; then >> + /usr/local/bin/openvpnctrl -k > /dev/null >> + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES- >> 256-GCM/' /var/ipfire/ovpn/server.conf >> + sed -i 's/^cipher/data-ciphers-fallback/' >> /var/ipfire/ovpn/server.conf >> + /usr/local/bin/openvpnctrl -s > /dev/null >> +else >> + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES- >> 256-GCM/' /var/ipfire/ovpn/server.conf >> + sed -i 's/^cipher/data-ciphers-fallback/' >> /var/ipfire/ovpn/server.conf >> +fi >> + >> # Extract files >> extract_files >> >
Great idea, Michael.

On Thursday, 21.03.2024 at 15:14 +0000, Michael Tremer wrote:
> Hello Erik, > > Thank you for the patchset, but I have been working this week on > implementing this. > > You can find more details about this here: > > https://www.ipfire.org/docs/roadmap/openvpn-26 > > I asked Adolf to post the patches that he had and which include parts > of your previous work to finally get this over the line. Various > people have been working on the OpenVPN code over the years creating > an absolute mess. The CGI file is by far the longest we have and very > difficult to edit without breaking anything else. So I have started a > large refactor (not rewrite) to get it into some state where we can > work on things better. > > That will be needed to implement the things outlined on the roadmap > page. NCP is only one of them. > > On that page, you can find my current development branch linked which > includes many changes so far, but it is not done yet. > > -Michael > > > On 21 Mar 2024, at 12:29, ummeegge <ummeegge@ipfire.org> wrote: > > > > Hi all, > > this is a minimal solution for an update to OpenVPN 2.6.x, IMO. This > > patch series should mainly be a help for Adolf (might be great if > > you > > go for a checkout), but please give it all a try and test whether it > > reaches the goal. > > > > Best, > > > > Erik > > > > On Thursday, 21.03.2024 at 13:24 +0100, Erik Kapfer wrote: > > > This process should maybe be continued with some of the following > > > updates to make sure the directives are > > > included even if the update with these changes has been skipped?! > > > Otherwise, the "Advanced server options" page > > > needs to be saved via the WUI to bring OpenVPN to life. > > > > > > Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> > > > --- > > > config/rootfiles/core/185/update.sh | 11 +++++++++++ > > > 1 file changed, 11 insertions(+)
> > > > > > diff --git a/config/rootfiles/core/185/update.sh > > > b/config/rootfiles/core/185/update.sh > > > index 2c95c4102..247661481 100644 > > > --- a/config/rootfiles/core/185/update.sh > > > +++ b/config/rootfiles/core/185/update.sh > > > @@ -35,6 +35,17 @@ done > > > /etc/init.d/ntp stop > > > /etc/init.d/squid stop > > > > > > +# OpenVPN add and change new 2.6.x directives for NCP. > > > +if pgrep openvpn > /dev/null; then > > > + /usr/local/bin/openvpnctrl -k > /dev/null > > > + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES- > > > 256-GCM/' /var/ipfire/ovpn/server.conf > > > + sed -i 's/^cipher/data-ciphers-fallback/' > > > /var/ipfire/ovpn/server.conf > > > + /usr/local/bin/openvpnctrl -s > /dev/null > > > +else > > > + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES- > > > 256-GCM/' /var/ipfire/ovpn/server.conf > > > + sed -i 's/^cipher/data-ciphers-fallback/' > > > /var/ipfire/ovpn/server.conf > > > +fi > > > + > > > # Extract files > > > extract_files > > > > > >
diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh index 2c95c4102..247661481 100644 --- a/config/rootfiles/core/185/update.sh +++ b/config/rootfiles/core/185/update.sh @@ -35,6 +35,17 @@ done /etc/init.d/ntp stop /etc/init.d/squid stop +# OpenVPN add and change new 2.6.x directives for NCP. +if pgrep openvpn > /dev/null; then + /usr/local/bin/openvpnctrl -k > /dev/null + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-256-GCM/' /var/ipfire/ovpn/server.conf + sed -i 's/^cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf + /usr/local/bin/openvpnctrl -s > /dev/null +else + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-256-GCM/' /var/ipfire/ovpn/server.conf + sed -i 's/^cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf +fi + # Extract files extract_files
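Review bot: The two `sed -i` calls are repeated verbatim in both branches of the `if pgrep openvpn` test, and neither branch checks that /var/ipfire/ovpn/server.conf exists before editing it in place. Run the substitutions once, guarded by a file test such as `[ -f /var/ipfire/ovpn/server.conf ]`, and keep only the `openvpnctrl -k` / `openvpnctrl -s` pair conditional on the daemon having been running. `pgrep openvpn` also matches any process with openvpn in its name, so the stop and start can be triggered by a process that is not the server reading this file; a stricter match would make the restart decision more reliable.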