From patchwork Thu Dec  3 12:08:05 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Erik Kapfer <erik.kapfer@ipfire.org>
X-Patchwork-Id: 3698
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CmvkD34D5z3wpp
	for <patchwork@web04.haj.ipfire.org>; Thu,  3 Dec 2020 12:08:20 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4Cmvk856Nwz1pb;
	Thu,  3 Dec 2020 12:08:16 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Cmvk71MGkz2xmW;
	Thu,  3 Dec 2020 12:08:15 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Cmvk610vwz2xWR
 for <development@lists.ipfire.org>; Thu,  3 Dec 2020 12:08:14 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4Cmvk52Wvrz5s;
 Thu,  3 Dec 2020 12:08:13 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1606997293;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=a1zIWE4uXfxmbmBwcglRIGzOJ6DgzyzXGwgh+V22Zek=;
 b=FPQqPuKkTfysNHFcCKlWWsupqY6A1X/lHvlPjekE9DZSyCk4VcPXhy2l+Fz1NVhFCXS7gk
 a0sU9HotEm7JWADA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1606997293;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=a1zIWE4uXfxmbmBwcglRIGzOJ6DgzyzXGwgh+V22Zek=;
 b=SIb17ZT3A3yHODONURY6Y5dbR9FlrGt87B4Xwnj7eARqLwGIzazh8Elux0oNyO6MlbRj1w
 ETlz9EADGryfEDd6AjBpz7pi9R/L+1aUW8lu8anrA/P2bPTQcECB6AJu6NEuWyX4bGGznx
 +Hk4ueOCMEj7yxvKZqZy08Ay8jEsQjJk5H86BbBrI7FqgyHbvZmzcifGlsM5j4+6LLH54D
 vOXTIJko2QmovQ4oI9DSmARAW2LI8+toy3c8gv08QMCjV2dxqCczj2oZ7Z3MXxGLneYE/q
 GIQgf+4OC02986zv5Q2Ozpxs1OqW4CzUeKojRwuYh1J8j+bBP9rHqhEwRazJYg==
From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 1/3] OpenVPN: Introduce advanced encryption section
Date: Thu,  3 Dec 2020 12:08:05 +0000
Message-Id: <20201203120807.20694-1-erik.kapfer@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- The whole crypto section has been outsorted from the global section to
an extra page.
- Since --cipher is deprecated and will be handled via
--data-cipher-fallback, the VAR name and the index has been kept but
renamed from --cipher to --data-cipher-fallback. Old default AES-256-CBC
has also been kept.
- The new directive --data-ciphers has been introduced for RWs which negotiates
now between the GCM family and the new CHACHA20-POLY1305. All ciphers
can be combined.
- The new directive --data-ciphers substitutes --ncp-disable, there
--ncp-disable has been removed which fixes the deprecation warning in
the updated OpenVPN-2.5.0.
- While client generation the client version can be set which enables, if
client is >=2.5.0 a full cipher negotiation. Existing clients can also
subsequently be enhanced via edit.
- The new ciphers and HMACs as been completely integrated into N2N
environment without further modification.

Code for update process via update.sh needs to be integrated:
/usr/local/bin/openvpnctrl -k > /dev/null
if grep -q 'cipher' /var/ipfire/ovpn/server.conf; then
sed -i 's/cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf
fi
/usr/local/bin/openvpnctrl -s > /dev/null

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 330 ++++++++++++++++++++++++++++----------
 langs/de/cgi-bin/de.pl    |  11 +-
 langs/en/cgi-bin/en.pl    |  11 +-
 3 files changed, 269 insertions(+), 83 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 68a70d147..fc4c6193a 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -75,6 +75,7 @@ my $name;
 my $col="";
 my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";
 my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";
+my @advcipherchar=();
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 $cgiparams{'ENABLED'} = 'off';
@@ -98,6 +99,7 @@ $cgiparams{'number'} = '';
 $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
+$cgiparams{'DATACIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -325,8 +327,16 @@ sub writeserverconf {
     }	
     print CONF "status-version 1\n";
     print CONF "status /var/run/ovpnserver.log 30\n";
-    print CONF "ncp-disable\n";
-    print CONF "cipher $sovpnsettings{DCIPHER}\n";
+	print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n";
+
+	# Data channel encryption
+	# Set seperator for data ciphers
+	@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+	# Add also algorithm from --cipher directive
+	if ($sovpnsettings{'DATACIPHERS'} ne '') {
+		print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
+	}
+
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
@@ -911,6 +921,28 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
     &writeserverconf();#hier ok
 }
 
+###
+### Save Advanced encryption
+###
+
+if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
+
+	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
+	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
+
+	# --data-ciphers needs at least one cipher
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'};
+		goto ADV_ENC_ERROR;
+	}
+
+	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
+	&writeserverconf();
+}
+
+### End Save advanced encryption
+
 ###
 # m.a.d net2net
 ###
@@ -982,10 +1014,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print SERVERCONF "# Cipher\n"; 
   print SERVERCONF "cipher $cgiparams{'DCIPHER'}\n";
 
-  # If GCM cipher is used, do not use --auth
+  # If AEAD cipher is used, do not use --auth
   if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
       ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
-      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
     print SERVERCONF unless "# HMAC algorithm\n";
     print SERVERCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
@@ -1087,10 +1120,11 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "cipher $cgiparams{'DCIPHER'}\n";
   print CLIENTCONF "pkcs12 ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}.p12\r\n";
 
-  # If GCM cipher is used, do not use --auth
+  # If AEAD cipher is used, do not use --auth
   if (($cgiparams{'DCIPHER'} eq 'AES-256-GCM') ||
       ($cgiparams{'DCIPHER'} eq 'AES-192-GCM') ||
-      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM')) {
+      ($cgiparams{'DCIPHER'} eq 'AES-128-GCM') ||
+      ($cgiparams{'DCIPHER'} eq 'ChaCha20-Poly1305')) {
     print CLIENTCONF unless "# HMAC algorithm\n";
     print CLIENTCONF unless "auth $cgiparams{'DAUTH'}\n";
   } else {
@@ -1214,7 +1248,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
     $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
     $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 #wrtie enable
@@ -2344,7 +2377,15 @@ else
 	$zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem")  or die "Can't add file cacert.pem\n";
 	$zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n";    
     }
-    print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";
+
+	# Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0
+	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
+		print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
+	} else {
+		print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
+	}
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2859,7 +2900,169 @@ END
     &Header::closebigbox();
     &Header::closepage();
     exit(0);
-	
+
+###
+### Advanced encryption settings
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'ovpn advanced encryption'}) {
+	%cgiparams = ();
+	%confighash = ();
+	my @temp=();
+	my $disabled;
+	&General::readhash("${General::swroot}/ovpn/settings", \%cgiparams);
+
+	my $key = $cgiparams{'KEY'};
+	if (! $key) {
+		$key = &General::findhasharraykey (\%confighash);
+		foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
+	}
+	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+
+ADV_ENC_ERROR:
+
+	# Set default for data-cipher-fallback (the old --cipher directive)
+	if ($cgiparams{'DCIPHER'} eq '') {
+		$cgiparams{'DCIPHER'} =  'AES-256-CBC'; #[40]
+	}
+	$checked{'DCIPHER'}{'AES-256-CBC'} = '';
+	$checked{'DCIPHER'}{'AES-192-CBC'} = '';
+	$checked{'DCIPHER'}{'AES-128-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
+	$checked{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
+	$checked{'DCIPHER'}{'SEED-CBC'} = '';
+	$checked{'DCIPHER'}{'DES-EDE3-CBC'} = '';
+	$checked{'DCIPHER'}{'DESX-CBC'} = '';
+	$checked{'DCIPHER'}{'DES-EDE-CBC'} = '';
+	$checked{'DCIPHER'}{'BF-CBC'} = '';
+	$checked{'DCIPHER'}{'CAST5-CBC'} = '';
+	@temp = split('\|', $cgiparams{'DCIPHER'});
+	foreach my $key (@temp) {$checked{'DCIPHER'}{$key} = "selected='selected'"; }
+
+	# Set default data channel ciphers
+	if ($cgiparams{'DATACIPHERS'} eq '') {
+		$cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; #[42];
+	}
+	$checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = '';
+	$checked{'DATACIPHERS'}{'AES-256-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-192-GCM'} = '';
+	$checked{'DATACIPHERS'}{'AES-128-GCM'} = '';
+	@temp = split('\|', $cgiparams{'DATACIPHERS'});
+	foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
+
+	# Save settings and display default if not configured
+	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
+		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+	} else {
+		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
+		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+	}
+
+ADV_ENC_ERROR:
+
+	&Header::showhttpheaders();
+	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+	&Header::openbigbox('100%', 'left', '', $errormessage);
+	if ($errormessage) {
+		&Header::openbox('100%', 'left', $Lang::tr{'error messages'});
+		print "<class name='base'>$errormessage";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+	if ($warnmessage) {
+		&Header::openbox('100%', 'left', "$Lang::tr{'warning messages'}:");
+		print "<class name='base'>$warnmessage";
+		print "&nbsp;</class>";
+		&Header::closebox();
+	}
+	print "<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>";
+	&Header::openbox('100%', 'left', "$Lang::tr{'ovpn advanced encryption'}:");
+	print<<END
+
+	<form method='post' enctype='multipart/form-data' action='$ENV{'SCRIPT_NAME'}'>
+	<input type='hidden' name='KEY' value='$cgiparams{'KEY'}' />
+
+	<table width='100%'>
+		<thead>
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn data channel'}</th>
+				<th>$Lang::tr{'ovpn data channel fallback'}</th>
+			</tr>
+		</thead>
+		<tbody>
+			<tr>
+				<td class='boldbase' width="27%">$Lang::tr{'ovpn data encryption'}</td>
+				<td class='boldbase'>
+					<select name='DATACIPHERS' multiple='multiple' size='6' style='width: 100%'>
+						<option value='ChaCha20-Poly1305' $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'}>256 bit ChaCha20-Poly1305</option>
+						<option value='AES-256-GCM' $checked{'DATACIPHERS'}{'AES-256-GCM'}>256 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-192-GCM' $checked{'DATACIPHERS'}{'AES-192-GCM'}>192 $Lang::tr{'bit'} AES-GCM</option>
+						<option value='AES-128-GCM' $checked{'DATACIPHERS'}{'AES-128-GCM'}>128 $Lang::tr{'bit'} AES-GCM</option>
+					</select>
+				</td>
+
+				<td class='boldbase'>
+					<select name='DCIPHER' size='6' style='width: 100%'>
+						<option value='AES-256-CBC' $checked{'DCIPHER'}{'AES-256-CBC'}>256 $Lang::tr{'bit'} AES-CBC</option>
+						<option value='AES-192-CBC' $checked{'DCIPHER'}{'AES-192-CBC'}>192 $Lang::tr{'bit'} AES-CBC</option>
+						<option value='AES-128-CBC' $checked{'DCIPHER'}{'AES-128-CBC'}>128 bit AES-CBC</option>
+						<option value='CAMELLIA-256-CBC' $checked{'DCIPHER'}{'CAMELLIA-256-CBC'}>256 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='CAMELLIA-192-CBC' $checked{'DCIPHER'}{'CAMELLIA-192-CBC'}>192 $Lang::tr{'bit'} CAMELLIA-CBC</option>
+						<option value='CAMELLIA-128-CBC' $checked{'DCIPHER'}{'CAMELLIA-128-CBC'}>128 $Lang::tr{'bit'} Camellia-CBC</option>
+						<option value='SEED-CBC' $checked{'DCIPHER'}{'SEED-CBC'}>128 $Lang::tr{'bit'} SEED-CBC</option>
+						<option value='DES-EDE3-CBC' $checked{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='DESX-CBC' $checked{'DCIPHER'}{'DESX-CBC'}>DESX-CBC 192 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='DES-EDE-CBC' $checked{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='BF-CBC' $checked{'DCIPHER'}{'BF-CBC'}>BF-CBC 128 $Lang::tr{'bit'} - $Lang::tr{'vpn weak'}</option>
+						<option value='CAST5-CBC' $checked{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC 128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+					</select>
+				</td>
+			</tr>
+		</tbody>
+	</table>
+	<hr>
+END
+;
+	if ( -e "/var/run/openvpn.pid") {
+		print"  <br><b><font color='#990000'>$Lang::tr{'attention'}:</b></font><br>$Lang::tr{'server restart'}<br><br><hr>";
+		print<<END;
+			<table width='100%'>
+				<tr>
+					<td>&nbsp;</td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' disabled='disabled' /></td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+					<td>&nbsp;</td>
+				</tr>
+			</table>
+		</form>
+END
+;
+
+	} else {
+		print<<END;
+			<table width='100%'>
+				<tr>
+					<td>&nbsp;</td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'save-enc-options'}' /></td>
+					<td allign='center'><input type='submit' name='ACTION' value='$Lang::tr{'cancel-adv-options'}' /></td>
+					<td>&nbsp;</td>
+				</tr>
+			</table>
+		</form>
+END
+;
+
+	}
+
+	&Header::closebox();
+	&Header::closebigbox();
+	&Header::closepage();
+	exit(0);
+
+### END advanced encryption
 
 # A.Marx CCD   Add,delete or edit CCD net
 
@@ -3595,6 +3798,8 @@ if ($confighash{$cgiparams{'KEY'}}) {
 		$cgiparams{'DAUTH'}		= $confighash{$cgiparams{'KEY'}}[39];
 		$cgiparams{'DCIPHER'}		= $confighash{$cgiparams{'KEY'}}[40];
 		$cgiparams{'TLSAUTH'}		= $confighash{$cgiparams{'KEY'}}[41];
+		# Index from [39] to [44] has been reserved by advanced encryption
+		$cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
 	} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
 	$cgiparams{'REMARK'} = &Header::cleanhtml($cgiparams{'REMARK'});
 	
@@ -4338,6 +4543,8 @@ if ($cgiparams{'TYPE'} eq 'net') {
 	if (($cgiparams{'TYPE'} eq 'host') && ($cgiparams{'CERT_PASS1'} eq "")) {
 		$confighash{$key}[41] = "no-pass";
 	}
+	# Index from [39] to [44] has been reserved by advanced encryption
+	$confighash{$key}[45]         = $cgiparams{'CLIENTVERSION'};
 
 	&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 	
@@ -4508,28 +4715,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
     $checked{'MSSFIX'}{'on'} = '';
     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
 
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    # If no cipher has been chossen yet, select
-    # the old default (AES-256-CBC) for compatiblity reasons.
-    if ($cgiparams{'DCIPHER'} eq '') {
-	$cgiparams{'DCIPHER'} = 'AES-256-CBC';
-    }
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
     $selected{'DAUTH'}{'whirlpool'} = '';
     $selected{'DAUTH'}{'SHA512'} = '';
     $selected{'DAUTH'}{'SHA384'} = '';
@@ -4595,11 +4780,12 @@ if ($cgiparams{'TYPE'} eq 'net') {
 		print "<td width='25%'><input type='text' name='NAME' value='$cgiparams{'NAME'}' maxlength='20' /></td>";
 	    }
 
-		# If GCM ciphers are in usage, HMAC menu is disabled
+		# If AEAD ciphers are in usage, HMAC menu is disabled
 		my $hmacdisabled;
 		if (($confighash{$cgiparams{'KEY'}}[40] eq 'AES-256-GCM') ||
 			($confighash{$cgiparams{'KEY'}}[40] eq 'AES-192-GCM') ||
-			($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM')) {
+			($confighash{$cgiparams{'KEY'}}[40] eq 'AES-128-GCM') ||
+			($confighash{$cgiparams{'KEY'}}[40] eq 'ChaCha20-Poly1305')) {
 				$hmacdisabled = "disabled='disabled'";
 		};
 
@@ -4673,9 +4859,10 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
 	<tr><td class='boldbase'>$Lang::tr{'cipher'}</td>
 		<td><select name='DCIPHER'  id="n2ncipher" required>
-				<option value='AES-256-GCM'		$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-GCM'		$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-GCM'		$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
+				<option value='ChaCha20-Poly1305'	$selected{'DCIPHER'}{'ChaCha20-Poly1305'}>CHACHA20-POLY1305 (256 $Lang::tr{'bit'})</option>
+				<option value='AES-256-GCM'			$selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
+				<option value='AES-192-GCM'			$selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
+				<option value='AES-128-GCM'			$selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-256-CBC'	$selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-192-CBC'	$selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
 				<option value='CAMELLIA-128-CBC'	$selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
@@ -4693,10 +4880,15 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
 		<td class='boldbase'>$Lang::tr{'ovpn ha'}:</td>
 		<td><select name='DAUTH' id="n2nhmac" $hmacdisabled>
-				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+				<option value='BLAKE2b512'		$selected{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+				<option value='BLAKE2s256'		$selected{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+				<option value='SHA3-512'		$selected{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+				<option value='SHA3-384'		$selected{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+				<option value='SHA3-256'		$selected{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option>
 				<option value='SHA512'			$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
 				<option value='SHA384'			$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
 				<option value='SHA256'			$selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
+				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
 				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
@@ -4713,7 +4905,7 @@ print<<END;
 	<script>
 		var disable_options = false;
 		document.getElementById('n2ncipher').onchange = function () {
-			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM")) {
+			if((this.value == "AES-256-GCM"||this.value == "AES-192-GCM"||this.value == "AES-128-GCM"||this.value == "CHACHA20-POLY1305")) {
 				document.getElementById('n2nhmac').setAttribute('disabled', true);
 			} else {
 				document.getElementById('n2nhmac').removeAttribute('disabled');
@@ -4749,6 +4941,7 @@ if ($cgiparams{'TYPE'} eq 'host') {
 	    print"</td></tr></table><br><br>";
 		my $name=$cgiparams{'CHECK1'};
 		$checked{'RG'}{$cgiparams{'RG'}} = 'CHECKED';
+		$checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
 		
 	if (! -z "${General::swroot}/ovpn/ccd.conf"){	
 		print"<table border='0' width='100%' cellspacing='1' cellpadding='0'><tr><td width='1%'></td><td width='30%' class='boldbase' align='center'><b>$Lang::tr{'ccd name'}</td><td width='15%' class='boldbase' align='center'><b>$Lang::tr{'network'}</td><td class='boldbase' align='center' width='18%'><b>$Lang::tr{'ccd clientip'}</td></tr>";
@@ -4884,7 +5077,13 @@ if ($cgiparams{'TYPE'} eq 'host') {
 	
 	print <<END;
 	<table border='0' width='100%'>
-	<tr><td width='20%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+
+	<tr><td width='30%'>Redirect Gateway:</td><td colspan='3'><input type='checkbox' name='RG' $checked{'RG'}{'on'} /></td></tr>
+	<tr>
+		<td width='30%'>$Lang::tr{'ovpn client version 25 cipher negotiation'}:</td>
+		<td colspan='3'><input type='checkbox' name='CLIENTVERSION' $checked{'CLIENTVERSION'}{'on'} />
+		<font color='red'>&nbsp;$Lang::tr{'ovpn client version 25 warning'}</font></td>
+	</tr>
 	<tr><td colspan='4'><b><br>$Lang::tr{'ccd routes'}</b></td></tr>
 	<tr><td colspan='4'>&nbsp</td></tr>
 	<tr><td valign='top'>$Lang::tr{'ccd iroute'}</td><td align='left' width='30%'><textarea name='IR' cols='26' rows='6' wrap='off'>
@@ -5061,9 +5260,6 @@ END
     }
     
 #default setzen
-    if ($cgiparams{'DCIPHER'} eq '') {
-		$cgiparams{'DCIPHER'} =  'AES-256-CBC';
-    }
     if ($cgiparams{'DDEST_PORT'} eq '') {
 		$cgiparams{'DDEST_PORT'} =  '1194';
     }
@@ -5105,24 +5301,6 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
-    $selected{'DCIPHER'}{'AES-256-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-192-GCM'} = '';
-    $selected{'DCIPHER'}{'AES-128-GCM'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = '';
-    $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-256-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-192-CBC'} = '';
-    $selected{'DCIPHER'}{'AES-128-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE3-CBC'} = '';
-    $selected{'DCIPHER'}{'DESX-CBC'} = '';
-    $selected{'DCIPHER'}{'SEED-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-EDE-CBC'} = '';
-    $selected{'DCIPHER'}{'CAST5-CBC'} = '';
-    $selected{'DCIPHER'}{'BF-CBC'} = '';
-    $selected{'DCIPHER'}{'DES-CBC'} = '';
-    $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED';
-
     $selected{'DAUTH'}{'whirlpool'} = '';
     $selected{'DAUTH'}{'SHA512'} = '';
     $selected{'DAUTH'}{'SHA384'} = '';
@@ -5138,6 +5316,13 @@ END
     $checked{'DCOMPLZO'}{'on'} = '';
     $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
 
+	if ($cgiparams{'CLIENTVERSION'} = '' ) {
+		$cgiparams{'CLIENTVERSION'} = 'off';
+	}
+	$checked{'CLIENTVERSION'}{'off'} = '';
+	$checked{'CLIENTVERSION'}{'on'} = '';
+	$checked{'CLIENTVERSION'}{$cgiparams{'CLIENTVERSION'}} = 'CHECKED';
+
 # m.a.d
     $checked{'MSSFIX'}{'off'} = '';
     $checked{'MSSFIX'}{'on'} = '';
@@ -5245,26 +5430,6 @@ END
 				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
 			</select>
 		</td>
-
-		<td class='boldbase' nowrap='nowrap'>$Lang::tr{'cipher'}</td>
-		<td><select name='DCIPHER'>
-				<option value='AES-256-GCM' $selected{'DCIPHER'}{'AES-256-GCM'}>AES-GCM (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-GCM' $selected{'DCIPHER'}{'AES-192-GCM'}>AES-GCM (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-GCM' $selected{'DCIPHER'}{'AES-128-GCM'}>AES-GCM (128 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-256-CBC' $selected{'DCIPHER'}{'CAMELLIA-256-CBC'}>CAMELLIA-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-192-CBC' $selected{'DCIPHER'}{'CAMELLIA-192-CBC'}>CAMELLIA-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='CAMELLIA-128-CBC' $selected{'DCIPHER'}{'CAMELLIA-128-CBC'}>CAMELLIA-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='AES-256-CBC' $selected{'DCIPHER'}{'AES-256-CBC'}>AES-CBC (256 $Lang::tr{'bit'})</option>
-				<option value='AES-192-CBC' $selected{'DCIPHER'}{'AES-192-CBC'}>AES-CBC (192 $Lang::tr{'bit'})</option>
-				<option value='AES-128-CBC' $selected{'DCIPHER'}{'AES-128-CBC'}>AES-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='SEED-CBC' $selected{'DCIPHER'}{'SEED-CBC'}>SEED-CBC (128 $Lang::tr{'bit'})</option>
-				<option value='DES-EDE3-CBC' $selected{'DCIPHER'}{'DES-EDE3-CBC'}>DES-EDE3-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DESX-CBC' $selected{'DCIPHER'}{'DESX-CBC'}>DESX-CBC (192 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='DES-EDE-CBC' $selected{'DCIPHER'}{'DES-EDE-CBC'}>DES-EDE-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='BF-CBC' $selected{'DCIPHER'}{'BF-CBC'}>BF-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-				<option value='CAST5-CBC' $selected{'DCIPHER'}{'CAST5-CBC'}>CAST5-CBC (128 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
 	</tr>
 
     <tr><td colspan='4'><br></td></tr>
@@ -5280,12 +5445,14 @@ END
     if ( $srunning eq "yes" ) {
 	print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' disabled='disabled' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
-	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";	
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'stop ovpn server'}' /></td></tr>";
     } else{
 	print "<tr><td align='right' colspan='4'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'ccd net'}' />";
 	print "<input type='submit' name='ACTION' value='$Lang::tr{'advanced server'}' />";
+	print "<input type='submit' name='ACTION' value='$Lang::tr{'ovpn advanced encryption'}' />";
 	if (( -e "${General::swroot}/ovpn/ca/cacert.pem" &&
 	     -e "${General::swroot}/ovpn/ca/dh1024.pem" &&
 	     -e "${General::swroot}/ovpn/certs/servercert.pem" &&
@@ -5818,3 +5985,4 @@ END
 
 &Header::closepage();
 
+
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 2fb46e741..614f8a16c 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1901,10 +1901,17 @@
 'override mtu' => 'Überschreibe Standard-MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Erweiterte Konfiguration',
+'ovpn advanced encryption' => 'Erweiterte Kryptografie Einstellung',
+'ovpn client version 25 cipher negotiation' => 'Verschlüsselung aushandeln',
+'ovpn client version 25 warning' => 'Erst ab Client Version 2.5.0 verfügbar',
 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik',
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
+'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation',
+'ovpn data channel' => 'Daten-Kanal',
+'ovpn data channel fallback' => 'Daten-Kanal Fallback',
 'ovpn device' => 'OpenVPN-Gerät',
 'ovpn dh' => 'Diffie-Hellman-Parameter-Länge',
 'ovpn dh new key' => 'Neuen Diffie-Hellman Parameter erstellen',
@@ -1913,6 +1920,7 @@
 'ovpn dl' => 'OVPN-Konfiguration downloaden',
 'ovpn engines' => 'Krypto Engine',
 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt',
+'ovpn errmsg invalid data cipher input' => 'Der Daten-Kanal benötigt mindestens einen Algorithmus',
 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske',
 'ovpn error dh' => 'Der Diffie-Hellman Parameter muss mindestens 2048 bit lang sein! <br>Bitte einen neuen Diffie-Hellman Parameter erzeugen oder hochladen, dies kann unten über den Bereich "Diffie-Hellman-Parameter Optionen" gemacht werden.</br>',
 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird. <br>Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
@@ -2163,6 +2171,7 @@
 'save error' => 'Konfigurationsarchiv-Datei konnte nicht gespeichert werden',
 'save settings' => 'Einstellungen speichern',
 'save-adv-options' => 'Erweiterte Optionen speichern',
+'save-enc-options' => 'Kryptografie Optionen speichern',
 'script name' => 'Skriptname:',
 'search' => 'Suchen',
 'secondary dns' => 'Sekundärer DNS-Server:',
@@ -2853,7 +2862,7 @@
 'vpn subjectaltname missing' => 'SubjectAlternativeName darf nicht leer bleiben.',
 'vpn wait' => 'WARTE',
 'vpn watch' => 'Netz-zu-Netz VPN neu starten, wenn sich Remote-IP ändert (DynDNS).',
-'vpn weak' => 'schwach',
+'vpn weak' => 'Unsicher',
 'vulnerability' => 'Verwundbarkeit',
 'vulnerable' => 'Verwundbar',
 'waiting to synchronize clock' => 'Bitte warten, die Uhr wird synchronisiert',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index b5284effa..714d7c81e 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1933,10 +1933,17 @@
 'override mtu' => 'Override default MTU',
 'ovpn' => 'OpenVPN',
 'ovpn add conf' => 'Additional configuration',
+'ovpn advanced encryption' => 'Advanced encryption settings',
+'ovpn client version 25 cipher negotiation' => 'Negotiate encryption',
+'ovpn client version 25 warning' => 'Available with client version 2.5.0 and higher',
 'ovpn con stat' => 'OpenVPN Connection Statistics',
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn data encryption' => 'Data-Channel encryption',
+'ovpn data channel authentication' => 'Data and channel authentication',
+'ovpn data channel' => 'Data-Channel',
+'ovpn data channel fallback' => 'Data-Channel fallback',
 'ovpn device' => 'OpenVPN device:',
 'ovpn dh' => 'Diffie-Hellman parameters length',
 'ovpn dh new key' => 'Generate new Diffie-Hellman parameters',
@@ -1945,6 +1952,7 @@
 'ovpn dl' => 'OVPN-Config Download',
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
+'ovpn errmsg invalid data cipher input' => 'The data cipher needs at least one cipher',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
 'ovpn error dh' => 'The Diffie-Hellman parameter needs to be in minimum 2048 bit! <br>Please generate or upload a new Diffie-Hellman parameter, this can be made below in the section "Diffie-Hellman parameters options".</br>',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore. <br>Please update to the latest IPFire version and generate a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
@@ -2196,6 +2204,7 @@
 'save error' => 'Unable to save configuration archive file',
 'save settings' => 'Save settings',
 'save-adv-options' => 'Save advanced options',
+'save-enc-options' => 'Save encryption options',
 'script name' => 'Script name:',
 'search' => 'Search',
 'secondary dns' => 'Secondary DNS:',
@@ -2897,7 +2906,7 @@
 'vpn subjectaltname missing' => 'SubjectAlternativeName cannot be emtpy.',
 'vpn wait' => 'WAITING',
 'vpn watch' => 'Restart net-to-net vpn when remote peer IP changes (dyndns).',
-'vpn weak' => 'Weak',
+'vpn weak' => 'Insecure',
 'vulnerability' => 'Vulnerability',
 'vulnerable' => 'Vulnerable',
 'waiting to synchronize clock' => 'Waiting to synchronize clock',

From patchwork Thu Dec  3 12:08:06 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Erik Kapfer <erik.kapfer@ipfire.org>
X-Patchwork-Id: 3699
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CmvkD36TPz3wrV
	for <patchwork@web04.haj.ipfire.org>; Thu,  3 Dec 2020 12:08:20 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4Cmvk92t7Mz1vQ;
	Thu,  3 Dec 2020 12:08:17 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Cmvk92Pt4z2xZt;
	Thu,  3 Dec 2020 12:08:17 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Cmvk734hnz2xZJ
 for <development@lists.ipfire.org>; Thu,  3 Dec 2020 12:08:15 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4Cmvk71t35z5s;
 Thu,  3 Dec 2020 12:08:15 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1606997295;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=NWtSspWTdZu1YqmKPehXJyyYe349vVXk8MvrtMC/72E=;
 b=R0dqH8FfOgSVHooATj78qxOMcyV3y7Da2XAt6FcppcDBrbNpGYwYNehridXpDypTSipH2i
 IZTJFVnQK199JSBw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1606997295;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=NWtSspWTdZu1YqmKPehXJyyYe349vVXk8MvrtMC/72E=;
 b=nsyBQ3trBSEGgHDooRpsljD7CBpbEt8QFiN/TWFiVSNzH9i/R20YZgeDH0IKL3I0rV+xud
 dI5lNpPZ37cbqxStKdl+hozRUOkU7+PIuJOMCwmF08vDBHzCb1HkjTiclqlx4Fe+NjWYne
 c9bZKmhl6snMwISpkJr4Tm0cb1R13cDJb+4cV8f/5F/mSiDGzSGffGyDX3mmIC1CzXjqnV
 dUFGRCkQA+DhUNm5BEYDeCBFM4vfGU0vuKD9xSPbFk+KCn21Y0Z9HgwBwwK2Mz5aKzUtgT
 beo667bA2dL1CbtHXLfkfCRWrUO2IOFg+OfsAEkftoYpuK4mwA+vJbop/X1YxA==
From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 2/3] OpenVPN: Control-Channel encryption settings
Date: Thu,  3 Dec 2020 12:08:06 +0000
Message-Id: <20201203120807.20694-2-erik.kapfer@ipfire.org>
In-Reply-To: <20201203120807.20694-1-erik.kapfer@ipfire.org>
References: <20201203120807.20694-1-erik.kapfer@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- The --tls-ciphers for the control channel TLSv2 crypto can now be
combined for negotiation.
- The --tls-ciphersuite crypto does the same but with TLSv3 and can also be
combined for negotiation. There are no defaults for both, so this
features are deactivated unless the user decides to use them.
- The --tls-ciphersuite directive will only be printed into client.ovpn
if the client is >=2.5.0 ready.

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 109 ++++++++++++++++++++++++++++++++++++++
 langs/de/cgi-bin/de.pl    |   3 ++
 langs/en/cgi-bin/en.pl    |   3 ++
 3 files changed, 115 insertions(+)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index fc4c6193a..f2b8b79da 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -100,6 +100,8 @@ $cgiparams{'DCIPHER'} = '';
 $cgiparams{'DAUTH'} = '';
 $cgiparams{'TLSAUTH'} = '';
 $cgiparams{'DATACIPHERS'} = '';
+$cgiparams{'CHANNELCIPHERS'} = '';
+$cgiparams{'NCHANNELCIPHERS'} = '';
 $routes_push_file = "${General::swroot}/ovpn/routes_push";
 # Perform crypto and configration test
 &pkiconfigcheck;
@@ -337,6 +339,20 @@ sub writeserverconf {
 		print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n";
 	}
 
+	# Control channel encryption TLSv2 needs own line cause directive differs
+	if ($sovpnsettings{'CHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv2 channel ciphers
+		@advcipherchar = ($sovpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);
+		print CONF "tls-cipher $sovpnsettings{'CHANNELCIPHERS'}\n";
+	}
+
+	# Controll channel encryption >= TLSv3
+	if ($sovpnsettings{'NCHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv3 channel ciphers
+		@advcipherchar = ($sovpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g);
+		print CONF "tls-ciphersuites $sovpnsettings{'NCHANNELCIPHERS'}\n";
+	}
+
 	print CONF "auth $sovpnsettings{'DAUTH'}\n";
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
@@ -937,6 +953,20 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		goto ADV_ENC_ERROR;
 	}
 
+	# If no value for --tls-cipher has been set, delete setting
+	if ($cgiparams{'CHANNELCIPHERS'} eq '') {
+		delete $vpnsettings{'CHANNELCIPHERS'};
+	} else {
+		$vpnsettings{'CHANNELCIPHERS'} = $cgiparams{'CHANNELCIPHERS'};
+	}
+
+	# If no value for --tls-ciphersuites has been set, delete setting
+	if ($cgiparams{'NCHANNELCIPHERS'} eq '') {
+		delete $vpnsettings{'NCHANNELCIPHERS'};
+	} else {
+		$vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'};
+	}
+
 	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
 	&writeserverconf();
 }
@@ -2380,12 +2410,30 @@ else
 
 	# Set --data-ciphers for client >=2.5.0 or --cipher for <2.5.0
 	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		# Set seperator for --data-ciphers algorithms
 		@advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g);
 		print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n";
 	} else {
 		print CLIENTCONF "cipher $vpnsettings{'DCIPHER'}\r\n";
 	}
 
+	# Set --tls-cipher TLSv2 if configured
+	if ($vpnsettings{'CHANNELCIPHERS'} ne '') {
+		# Set seperator for TLSv2 channel ciphers
+		@advcipherchar = ($vpnsettings{'CHANNELCIPHERS'} =~ s/\|/:/g);
+		print CLIENTCONF "tls-cipher $vpnsettings{'CHANNELCIPHERS'}\r\n";
+	}
+
+	# Print new tls-ciphersuites TLSv3 only if client is >=2.5.0
+	if ($confighash{$cgiparams{'KEY'}}[45] eq 'on') {
+		# Set --tls-ciphersuites TLSv3 if configured
+		if ($vpnsettings{'NCHANNELCIPHERS'} ne '') {
+			# Set seperator for TLSv3 channel ciphers
+			@advcipherchar = ($vpnsettings{'NCHANNELCIPHERS'} =~ s/\|/:/g);
+			print CLIENTCONF "tls-ciphersuites $vpnsettings{'NCHANNELCIPHERS'}\r\n";
+		}
+	}
+
 	print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n";
 
     if ($vpnsettings{'TLSAUTH'} eq 'on') {
@@ -2918,6 +2966,8 @@ END
 	}
 	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
 	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
+	$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
+	$confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
 
 ADV_ENC_ERROR:
 
@@ -2951,13 +3001,37 @@ ADV_ENC_ERROR:
 	@temp = split('\|', $cgiparams{'DATACIPHERS'});
 	foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; }
 
+	# No default settings for --tls-cipher so OpenVPN makes his own choice
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'} = '';
+	$checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'} = '';
+	@temp = split('\|', $cgiparams{'CHANNELCIPHERS'});
+	foreach my $key (@temp) {$checked{'CHANNELCIPHERS'}{$key} = "selected='selected'"; }
+
+	# No default settings for --tls-ciphersuites so OpenVPN makes his own choice
+	$checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'} = '';
+	$checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'} = '';
+	$checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'} = '';
+	@temp = split('\|', $cgiparams{'NCHANNELCIPHERS'});
+	foreach my $key (@temp) {$checked{'NCHANNELCIPHERS'}{$key} = "selected='selected'"; }
+
 	# Save settings and display default if not configured
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
 		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
+		$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
+		$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
 	} else {
 		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
 		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
+		$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
+		$cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'};
 	}
 
 ADV_ENC_ERROR:
@@ -3021,8 +3095,43 @@ ADV_ENC_ERROR:
 					</select>
 				</td>
 			</tr>
+
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn control channel v3'}</th>
+				<th>$Lang::tr{'ovpn control channel v2'}</th>
+			</tr>
+
+			<tr>
+				</td>
+				<td class='boldbase' width="27%">$Lang::tr{'ovpn channel encryption'}</td>
+				<td class='boldbase'>
+					<select name='NCHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%'>
+						<option value='TLS_AES_256_GCM_SHA384' $checked{'NCHANNELCIPHERS'}{'TLS_AES_256_GCM_SHA384'}>256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS_CHACHA20_POLY1305_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_CHACHA20_POLY1305_SHA256'}>256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS_AES_128_GCM_SHA256' $checked{'NCHANNELCIPHERS'}{'TLS_AES_128_GCM_SHA256'}>128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+					</select>
+				</td>
+
+				<td class='boldbase'>
+					<select name='CHANNELCIPHERS' multiple='multiple' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+						<option value='TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} AES-GCM SHA384</option>
+						<option value='TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-ECDSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-ECDSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+						<option value='TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-ECDHE-RSA 256 $Lang::tr{'bit'} CHACHA20_POLY1305 SHA256</option>
+						<option value='TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-ECDHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+						<option value='TLS-DHE-RSA-WITH-AES-256-GCM-SHA384' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} TLS-AES-GCM SHA384</option>
+						<option value='TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256'}>TLS-DHE-RSA 256 $Lang::tr{'bit'} CHACHA20-POLY1305 SHA256</option>
+						<option value='TLS-DHE-RSA-WITH-AES-128-GCM-SHA256' $checked{'CHANNELCIPHERS'}{'TLS-DHE-RSA-WITH-AES-128-GCM-SHA256'}>TLS-DHE-RSA 128 $Lang::tr{'bit'} TLS-AES-GCM SHA256</option>
+					</select>
+				</td>
+			</tr>
 		</tbody>
 	</table>
+
+	<br><br>
+
 	<hr>
 END
 ;
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 614f8a16c..cc7755018 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1908,6 +1908,9 @@
 'ovpn config' => 'OVPN-Konfiguration',
 'ovpn connection name' => 'Verbindungs-Name',
 'ovpn crypt options' => 'Kryptografieoptionen',
+'ovpn channel encryption' => 'Kontroll-Kanal Verschlüsselung',
+'ovpn control channel v2' => 'Kontroll-Kanal TLSv2',
+'ovpn control channel v3' => 'Kontroll-Kanal TLSv3',
 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung',
 'ovpn data channel authentication' => 'Daten-Kontrol Kanal Authentifikation',
 'ovpn data channel' => 'Daten-Kanal',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 714d7c81e..3dcb8d46e 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1940,6 +1940,9 @@
 'ovpn config' => 'OVPN-Config',
 'ovpn connection name' => 'Connection Name',
 'ovpn crypt options' => 'Cryptographic options',
+'ovpn channel encryption' => 'Control-Channel encryption',
+'ovpn control channel v2' => 'Control-Channel TLSv2',
+'ovpn control channel v3' => 'Control-Channel TLSv3',
 'ovpn data encryption' => 'Data-Channel encryption',
 'ovpn data channel authentication' => 'Data and channel authentication',
 'ovpn data channel' => 'Data-Channel',

From patchwork Thu Dec  3 12:08:07 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Erik Kapfer <erik.kapfer@ipfire.org>
X-Patchwork-Id: 3700
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4CmvkD3R3Bz3wsW
	for <patchwork@web04.haj.ipfire.org>; Thu,  3 Dec 2020 12:08:20 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4Cmvk946f9z1wj;
	Thu,  3 Dec 2020 12:08:17 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Cmvk9321Pz2ySl;
	Thu,  3 Dec 2020 12:08:17 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384)
 client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Cmvk824vqz2xZJ
 for <development@lists.ipfire.org>; Thu,  3 Dec 2020 12:08:16 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
 (No client certificate requested)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 4Cmvk80hFXz5s;
 Thu,  3 Dec 2020 12:08:16 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1606997296;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=2ef0iJ/6+MLOk9i+1UKqk7vJJJcQqiYiCxX4Nhrj2w0=;
 b=GVAi9cPmWEUuvYXterNnBXgzIUlJHTUvGqZsvrI3SZx4m2bE2XNWYPWKWMSGF5+lMwb7GS
 ydR21WFe6ENMACCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1606997296;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=2ef0iJ/6+MLOk9i+1UKqk7vJJJcQqiYiCxX4Nhrj2w0=;
 b=V5mKD+KEX2IOU/ympHjpjvHHxuoTG/52M50MLjINuecW7LGgAzSELIyelX6P0eG8VGwatw
 9rnpSL8py/Z5gvSFNAe+6v3u5xXenVC68AgEwjLT0OYIRyJsKz6p0Kdn5yIPDRsRinHGbL
 JLgPoDYbXdtFtd2EVr9oKlrTs1qq5e2GANOHndIAUWWk2fRQ1zQ5VFDNCh08AsRs960n+g
 DQ8cPIA4Bw96kwIu2/1ZXRtCkRvRd2OYZNtXdlbuFs7hcI6X40/5ZFDYEQJnR3zqHbYSV6
 1wjSAwjehlow0rwTrSrdwL473NPJJCh8eASGxSRjbHLlG+/+Itia86hr/ONlNA==
From: ummeegge <erik.kapfer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 3/3] OpenVPN: Integrate TLS-Authentication and HMAC selection
Date: Thu,  3 Dec 2020 12:08:07 +0000
Message-Id: <20201203120807.20694-3-erik.kapfer@ipfire.org>
In-Reply-To: <20201203120807.20694-1-erik.kapfer@ipfire.org>
References: <20201203120807.20694-1-erik.kapfer@ipfire.org>
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

- The --auth directive has been enhanced with the Keccak (SHA3) family
but also BLAKE2 has been integrated.
- The TLS authentication has been enhanced with --tls-crypt and with
OpenVPN version 2.5.0 new introduced --tls-crypt-v2 .
- New keys will be shown and can partly be downloaded over the
"Certificate Authorities and -Keys" table.
- The global section has been completely cleaned up from encryption
settings which follows the IPSec WUI style.

Signed-off-by: ummeegge <erik.kapfer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 367 +++++++++++++++++++++++++++++---------
 langs/de/cgi-bin/de.pl    |  10 +-
 langs/en/cgi-bin/en.pl    |  12 +-
 3 files changed, 298 insertions(+), 91 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f2b8b79da..455b0a8a4 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -357,9 +357,19 @@ sub writeserverconf {
     # Set TLSv2 as minimum
     print CONF "tls-version-min 1.2\n";
 
-    if ($sovpnsettings{'TLSAUTH'} eq 'on') {
-	print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
-    }
+	# TLS control channel authentication
+	if ($sovpnsettings{'TLSAUTH'} ne 'off') {
+		if ($sovpnsettings{'TLSAUTH'} eq 'on') {
+			print CONF "tls-auth ${General::swroot}/ovpn/certs/ta.key\n";
+		}
+		if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+			print CONF "tls-crypt ${General::swroot}/ovpn/certs/tc.key\n";
+		}
+		if ($sovpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+			print CONF "tls-crypt-v2 ${General::swroot}/ovpn/certs/tc-v2-server.key\n";
+		}
+	}
+
     if ($sovpnsettings{DCOMPLZO} eq 'on') {
         print CONF "comp-lzo\n";
     }
@@ -944,6 +954,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 	&General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
 
+	$vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
+	$vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 	$vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 	$vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'};
 
@@ -967,6 +979,39 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
 		$vpnsettings{'NCHANNELCIPHERS'} = $cgiparams{'NCHANNELCIPHERS'};
 	}
 
+	# Create ta.key for tls-auth if not presant
+	if ($cgiparams{'TLSAUTH'} eq 'on') {
+		if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
+			system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
+			if ($?) {
+				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+				goto ADV_ENC_ERROR;
+			}
+		}
+	}
+
+	# Create tc.key for tls-crypt if not presant
+	if ($cgiparams{'TLSAUTH'} eq 'tls-crypt') {
+		if ( ! -e "${General::swroot}/ovpn/certs/tc.key") {
+			system('/usr/sbin/openvpn', '--genkey', 'tls-crypt', "${General::swroot}/ovpn/certs/tc.key");
+			if ($?) {
+				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+				goto ADV_ENC_ERROR;
+			}
+		}
+	}
+
+	# Create tc-v2-server.key for tls-crypt-v2 server if not presant
+	if ($cgiparams{'TLSAUTH'} eq 'tls-crypt-v2') {
+		if ( ! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+			system('/usr/sbin/openvpn', '--genkey', 'tls-crypt-v2-server', "${General::swroot}/ovpn/certs/tc-v2-server.key");
+			if ($?) {
+				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
+				goto ADV_ENC_ERROR;
+			}
+		}
+	}
+
 	&General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings);
 	&writeserverconf();
 }
@@ -1257,17 +1302,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 	goto SETTINGS_ERROR;
     }
 
-	# Create ta.key for tls-auth if not presant
-	if ($cgiparams{'TLSAUTH'} eq 'on') {
-		if ( ! -e "${General::swroot}/ovpn/certs/ta.key") {
-			system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key");
-			if ($?) {
-				$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
-				goto SETTINGS_ERROR;
-			}
-		}
-	}
-
     $vpnsettings{'ENABLED_BLUE'} = $cgiparams{'ENABLED_BLUE'};
     $vpnsettings{'ENABLED_ORANGE'} =$cgiparams{'ENABLED_ORANGE'};
     $vpnsettings{'ENABLED'} = $cgiparams{'ENABLED'};
@@ -1278,8 +1312,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
     $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
     $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
     $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'};
-    $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
-    $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
 #wrtie enable
 
   if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");}
@@ -1708,14 +1740,36 @@ END
 ###
 ### Download tls-auth key
 ###
-}elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-auth key'}) {
     if ( -f "${General::swroot}/ovpn/certs/ta.key" ) {
-	print "Content-Type: application/octet-stream\r\n";
-	print "Content-Disposition: filename=ta.key\r\n\r\n";
-	print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
-	exit(0);
+		print "Content-Type: application/octet-stream\r\n";
+		print "Content-Disposition: filename=ta.key\r\n\r\n";
+		print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
+		exit(0);
     }
 
+###
+### Download tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt key'}) {
+	if ( -f "${General::swroot}/ovpn/certs/tc.key" ) {
+		print "Content-Type: application/octet-stream\r\n";
+		print "Content-Disposition: filename=tc.key\r\n\r\n";
+		print `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+		exit(0);
+	}
+
+###
+### Download tls-crypt-v2 key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'download tls-crypt-v2 key'}) {
+	if ( -f "${General::swroot}/ovpn/certs/tc-v2-server.key" ) {
+		print "Content-Type: application/octet-stream\r\n";
+		print "Content-Disposition: filename=tc-v2-server.key\r\n\r\n";
+		print `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+		exit(0);
+	}
+
 ###
 ### Form for generating a root certificate
 ###
@@ -2443,6 +2497,29 @@ else
 	print CLIENTCONF "tls-auth ta.key\r\n";
 	$zip->addFile( "${General::swroot}/ovpn/certs/ta.key", "ta.key")  or die "Can't add file ta.key\n";
     }
+
+	# Add tls-crypt to client ovpn
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt') {
+		if ($cgiparams{'MODE'} eq 'insecure') {
+			print CLIENTCONF ";";
+		}
+		print CLIENTCONF "tls-crypt tc.key\r\n";
+		$zip->addFile( "${General::swroot}/ovpn/certs/tc.key", "tc.key")  or die "Can't add file tc.key\n";
+	}
+
+	# Add client specific tls-crypt-v2 key to client.ovpn
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+		if ($cgiparams{'MODE'} eq 'insecure') {
+			print CLIENTCONF ";";
+		}
+		print CLIENTCONF "tls-crypt-v2 tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\r\n";
+		# Generate individual tls-crypt-v2 client key
+		my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key";
+		system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+		# Add individual tls-crypt-v2 client key to client package
+		$zip->addFile( "$cryptfile", "tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key")  or die "Can't add file tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key\n";
+	}
+
     if ($vpnsettings{DCOMPLZO} eq 'on') {
         print CLIENTCONF "comp-lzo\r\n";
     }
@@ -2499,6 +2576,20 @@ else
 	print CLIENTCONF "</key>\r\n\r\n";
 	close(FILE);
 
+	# Create individual tls-crypt-v2 client key and print it to client.conf
+	if ($vpnsettings{'TLSAUTH'} eq 'tls-crypt-v2') {
+		my $cryptfile = "$tempdir/tc-v2-client-$confighash{$cgiparams{'KEY'}}[1].key";
+		system('/usr/sbin/openvpn', '--tls-crypt-v2', "${General::swroot}/ovpn/certs/tc-v2-server.key", '--genkey', 'tls-crypt-v2-client', "$cryptfile");
+		open(FILE, "<$cryptfile");
+		print CLIENTCONF "<tls-crypt-v2>\r\n";
+		while (<FILE>) {
+			chomp($_);
+			print CLIENTCONF "$_\r\n";
+		}
+		print CLIENTCONF "</tls-crypt-v2>\r\n\r\n";
+		close(FILE);
+	}
+
 	# TLS auth
 	if ($vpnsettings{'TLSAUTH'} eq 'on') {
 		open(FILE, "<${General::swroot}/ovpn/certs/ta.key");
@@ -2680,7 +2771,7 @@ else
 		&Header::showhttpheaders();
 		&Header::openpage($Lang::tr{'ovpn'}, 1, '');
 		&Header::openbigbox('100%', 'LEFT', '', '');
-		&Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:");
+		&Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}");
 		my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`;
 		$output = &Header::cleanhtml($output,"y");
 		print "<pre>$output</pre>\n";
@@ -2691,6 +2782,50 @@ else
 		exit(0);
     }
 
+###
+### Display tls-crypt key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt key'}) {
+
+	if (! -e "${General::swroot}/ovpn/certs/tc.key") {
+		$errormessage = $Lang::tr{'not present'};
+	} else {
+		&Header::showhttpheaders();
+		&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+		&Header::openbigbox('100%', 'LEFT', '', '');
+		&Header::openbox('100%', 'LEFT', "$Lang::tr{'tc key'}");
+		my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+		$output = &Header::cleanhtml($output,"y");
+		print "<pre>$output</pre>\n";
+		&Header::closebox();
+		print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+		&Header::closebigbox();
+		&Header::closepage();
+		exit(0);
+	}
+
+###
+### Display tls-crypt-v2 server key
+###
+} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show tls-crypt-v2 key'}) {
+
+	if (! -e "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+		$errormessage = $Lang::tr{'not present'};
+	} else {
+		&Header::showhttpheaders();
+		&Header::openpage($Lang::tr{'ovpn'}, 1, '');
+		&Header::openbigbox('100%', 'LEFT', '', '');
+		&Header::openbox('100%', 'LEFT', "$Lang::tr{'tc v2 key'}");
+		my $output = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+		$output = &Header::cleanhtml($output,"y");
+		print "<pre>$output</pre>\n";
+		&Header::closebox();
+		print "<div align='center'><a href='/cgi-bin/ovpnmain.cgi'>$Lang::tr{'back'}</a></div>";
+		&Header::closebigbox();
+		&Header::closepage();
+		exit(0);
+	}
+
 ###
 ### Display Certificate Revoke List
 ###
@@ -2743,9 +2878,6 @@ ADV_ERROR:
     if ($cgiparams{'LOG_VERB'} eq '') {
 		$cgiparams{'LOG_VERB'} =  '3';
     }
-    if ($cgiparams{'TLSAUTH'} eq '') {
-		$cgiparams{'TLSAUTH'} = 'off';
-    }
     $checked{'CLIENT2CLIENT'}{'off'} = '';
     $checked{'CLIENT2CLIENT'}{'on'} = '';
     $checked{'CLIENT2CLIENT'}{$cgiparams{'CLIENT2CLIENT'}} = 'CHECKED';
@@ -2964,13 +3096,43 @@ END
 		$key = &General::findhasharraykey (\%confighash);
 		foreach my $i (39.. 45) { $confighash{$key}[$i] = ""; }
 	}
+	$confighash{$key}[39] = $cgiparams{'DAUTH'};
 	$confighash{$key}[40] = $cgiparams{'DCIPHER'};
+	$confighash{$key}[41] = $cgiparams{'TLSAUTH'};
 	$confighash{$key}[42] = $cgiparams{'DATACIPHERS'};
 	$confighash{$key}[43] = $cgiparams{'CHANNELCIPHERS'};
 	$confighash{$key}[44] = $cgiparams{'NCHANNELCIPHERS'};
 
 ADV_ENC_ERROR:
 
+	# Set default for hash message authentication code
+	if ($cgiparams{'DAUTH'} eq '') {
+		$cgiparams{'DAUTH'} =  'SHA512'; #[39];
+	}
+	$checked{'DAUTH'}{'BLAKE2b512'} = '';
+	$checked{'DAUTH'}{'BLAKE2s256'} = '';
+	$checked{'DAUTH'}{'SHA3-512'} = '';
+	$checked{'DAUTH'}{'SHA3-384'} = '';
+	$checked{'DAUTH'}{'SHA3-256'} = '';
+	$checked{'DAUTH'}{'SHA512'} = '';
+	$checked{'DAUTH'}{'SHA384'} = '';
+	$checked{'DAUTH'}{'SHA256'} = '';
+	$checked{'DAUTH'}{'whirlpool'} = '';
+	$checked{'DAUTH'}{'SHA1'} = '';
+	@temp = split('\|', $cgiparams{'DAUTH'});
+	foreach my $key (@temp) {$checked{'DAUTH'}{$key} = "selected='selected'"; }
+
+	# Set default for TLS control authentication
+	if ($cgiparams{'TLSAUTH'} eq '') {
+		$cgiparams{'TLSAUTH'} = 'tls-crypt'; #[41]
+	}
+	$checked{'TLSAUTH'}{'on'} = '';
+	$checked{'TLSAUTH'}{'off'} = '';
+	$checked{'TLSAUTH'}{'tls-crypt'} = '';
+	$checked{'TLSAUTH'}{'tls-crypt-v2'} = '';
+	@temp = split('\|', $cgiparams{'TLSAUTH'});
+	foreach my $key (@temp) {$checked{'TLSAUTH'}{$key} = "selected='selected'"; }
+
 	# Set default for data-cipher-fallback (the old --cipher directive)
 	if ($cgiparams{'DCIPHER'} eq '') {
 		$cgiparams{'DCIPHER'} =  'AES-256-CBC'; #[40]
@@ -3023,12 +3185,16 @@ ADV_ENC_ERROR:
 
 	# Save settings and display default if not configured
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'save-enc-options'}) {
+		$confighash{$cgiparams{'KEY'}}[39] = $cgiparams{'DAUTH'};
 		$confighash{$cgiparams{'KEY'}}[40] = $cgiparams{'DCIPHER'};
+		$confighash{$cgiparams{'KEY'}}[41] = $cgiparams{'TLSAUTH'};
 		$confighash{$cgiparams{'KEY'}}[42] = $cgiparams{'DATACIPHERS'};
 		$confighash{$cgiparams{'KEY'}}[43] = $cgiparams{'CHANNELCIPHERS'};
 		$confighash{$cgiparams{'KEY'}}[44] = $cgiparams{'NCHANNELCIPHERS'};
 	} else {
+		$cgiparams{'DAUTH'} = $vpnsettings{'DAUTH'};
 		$cgiparams{'DCIPHER'} = $vpnsettings{'DCIPHER'};
+		$cgiparams{'TLSAUTH'} = $vpnsettings{'TLSAUTH'};
 		$cgiparams{'DATACIPHERS'} = $vpnsettings{'DATACIPHERS'};
 		$cgiparams{'CHANNELCIPHERS'} = $vpnsettings{'CHANNELCIPHERS'};
 		$cgiparams{'NCHANNELCIPHERS'} = $vpnsettings{'NCHANNELCIPHERS'};
@@ -3132,6 +3298,44 @@ ADV_ENC_ERROR:
 
 	<br><br>
 
+	<h2>$Lang::tr{'ovpn crypt options'}:</h2>
+
+	<table width="100%">
+		<thead>
+			<tr>
+				<th width="15%"></th>
+				<th>$Lang::tr{'ovpn ha'}</th>
+				<th>$Lang::tr{'ovpn tls auth'}</th>
+			</tr>
+		</thead>
+		<tbody>
+			<tr>
+				<td width="27%">$Lang::tr{'ovpn data channel authentication'}</td>
+				<td class='boldbase'>
+					<select name='DAUTH' size='6' style='width: 100%'>
+						<option value='BLAKE2b512' $checked{'DAUTH'}{'BLAKE2b512'}>Blake2 512 $Lang::tr{'bit'} - 64-bit optimized</option>
+						<option value='BLAKE2s256' $checked{'DAUTH'}{'BLAKE2s256'}>Blake2 256 $Lang::tr{'bit'} - 8- to 32-bit optimized</option>
+						<option value='SHA3-512' $checked{'DAUTH'}{'SHA3-512'}>SHA3 512 $Lang::tr{'bit'}</option>
+						<option value='SHA3-384' $checked{'DAUTH'}{'SHA3-384'}>SHA3 384 $Lang::tr{'bit'}</option>
+						<option value='SHA3-256' $checked{'DAUTH'}{'SHA-256'}>SHA3 256 $Lang::tr{'bit'}</option>
+						<option value='SHA512' $checked{'DAUTH'}{'SHA512'}>SHA2 512 $Lang::tr{'bit'}</option>
+						<option value='SHA384' $checked{'DAUTH'}{'SHA384'}>SHA2 384 $Lang::tr{'bit'}</option>
+						<option value='SHA256' $checked{'DAUTH'}{'SHA256'}>SHA2 256 $Lang::tr{'bit'}</option>
+						<option value='whirlpool' $checked{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
+						<option value='SHA1' $checked{'DAUTH'}{'SHA1'}>SHA1 160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'}</option>
+					</select>
+
+				<td class='boldbase'>
+					<select name='TLSAUTH' size='6' style='width: 100%' style="margin-right:-17px" size="11">
+						<option value='tls-crypt-v2' $checked{'TLSAUTH'}{'tls-crypt-v2'}>TLS-Crypt-v2</option>
+						<option value='tls-crypt' $checked{'TLSAUTH'}{'tls-crypt'}>TLS-Crypt</option>
+						<option value='on' $checked{'TLSAUTH'}{'on'}>TLS-Auth</option>
+						<option value='off' $checked{'TLSAUTH'}{'off'}>Off</option>
+					</select>
+				</td>
+			</tr>
+		</tbody>
+	</table>
 	<hr>
 END
 ;
@@ -3906,7 +4110,6 @@ if ($confighash{$cgiparams{'KEY'}}) {
 		$cgiparams{'CCD_WINS'}		= $confighash{$cgiparams{'KEY'}}[37];
 		$cgiparams{'DAUTH'}		= $confighash{$cgiparams{'KEY'}}[39];
 		$cgiparams{'DCIPHER'}		= $confighash{$cgiparams{'KEY'}}[40];
-		$cgiparams{'TLSAUTH'}		= $confighash{$cgiparams{'KEY'}}[41];
 		# Index from [39] to [44] has been reserved by advanced encryption
 		$cgiparams{'CLIENTVERSION'} = $confighash{$cgiparams{'KEY'}}[45];
 	} elsif ($cgiparams{'ACTION'} eq $Lang::tr{'save'}) {
@@ -4824,16 +5027,6 @@ if ($cgiparams{'TYPE'} eq 'net') {
     $checked{'MSSFIX'}{'on'} = '';
     $checked{'MSSFIX'}{$cgiparams{'MSSFIX'}} = 'CHECKED';
 
-    $selected{'DAUTH'}{'whirlpool'} = '';
-    $selected{'DAUTH'}{'SHA512'} = '';
-    $selected{'DAUTH'}{'SHA384'} = '';
-    $selected{'DAUTH'}{'SHA256'} = '';
-    $selected{'DAUTH'}{'SHA1'} = '';
-    $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
-    $checked{'TLSAUTH'}{'off'} = '';
-    $checked{'TLSAUTH'}{'on'} = '';
-    $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
     if (1) {
 	&Header::showhttpheaders();
 	&Header::openpage($Lang::tr{'ovpn'}, 1, '');
@@ -5378,21 +5571,6 @@ END
     if ($cgiparams{'MSSFIX'} eq '') {
 		$cgiparams{'MSSFIX'} = 'off';
     }
-	if ($cgiparams{'DAUTH'} eq '') {
-		if (-z "${General::swroot}/ovpn/ovpnconfig") {
-			$cgiparams{'DAUTH'} = 'SHA512';
-		}
-		foreach my $key (keys %confighash) {
-			if ($confighash{$key}[3] ne 'host') {
-				$cgiparams{'DAUTH'} = 'SHA512';
-			} else {
-				$cgiparams{'DAUTH'} = 'SHA1';
-			}
-		}
-	}
-	if ($cgiparams{'TLSAUTH'} eq '') {
-		$cgiparams{'TLSAUTH'} = 'off';
-	}
     if ($cgiparams{'DOVPN_SUBNET'} eq '') {
 		$cgiparams{'DOVPN_SUBNET'} = '10.' . int(rand(256)) . '.' . int(rand(256)) . '.0/255.255.255.0';
     }
@@ -5410,17 +5588,6 @@ END
     $selected{'DPROTOCOL'}{'tcp'} = '';
     $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED';
 
-    $selected{'DAUTH'}{'whirlpool'} = '';
-    $selected{'DAUTH'}{'SHA512'} = '';
-    $selected{'DAUTH'}{'SHA384'} = '';
-    $selected{'DAUTH'}{'SHA256'} = '';
-    $selected{'DAUTH'}{'SHA1'} = '';
-    $selected{'DAUTH'}{$cgiparams{'DAUTH'}} = 'SELECTED';
-
-    $checked{'TLSAUTH'}{'off'} = '';
-    $checked{'TLSAUTH'}{'on'} = '';
-    $checked{'TLSAUTH'}{$cgiparams{'TLSAUTH'}} = 'CHECKED';
-
     $checked{'DCOMPLZO'}{'off'} = '';
     $checked{'DCOMPLZO'}{'on'} = '';
     $checked{'DCOMPLZO'}{$cgiparams{'DCOMPLZO'}} = 'CHECKED';
@@ -5523,30 +5690,6 @@ END
         <td> <input type='TEXT' name='DMTU' VALUE='$cgiparams{'DMTU'}' size='5' /></td>
     </tr>
 
-	<tr><td colspan='4'><br></td></tr>
-	<tr>
-		<td class'base'><b>$Lang::tr{'ovpn crypt options'}:</b></td>
-	</tr>
-	<tr><td colspan='1'><br></td></tr>
-
-	<tr>
-		<td class='base'>$Lang::tr{'ovpn ha'}</td>
-		<td><select name='DAUTH'>
-				<option value='whirlpool'		$selected{'DAUTH'}{'whirlpool'}>Whirlpool (512 $Lang::tr{'bit'})</option>
-				<option value='SHA512'			$selected{'DAUTH'}{'SHA512'}>SHA2 (512 $Lang::tr{'bit'})</option>
-				<option value='SHA384'			$selected{'DAUTH'}{'SHA384'}>SHA2 (384 $Lang::tr{'bit'})</option>
-				<option value='SHA256'			$selected{'DAUTH'}{'SHA256'}>SHA2 (256 $Lang::tr{'bit'})</option>
-				<option value='SHA1'			$selected{'DAUTH'}{'SHA1'}>SHA1 (160 $Lang::tr{'bit'}, $Lang::tr{'vpn weak'})</option>
-			</select>
-		</td>
-	</tr>
-
-    <tr><td colspan='4'><br></td></tr>
-	<tr>
-		<td class='base'>$Lang::tr{'ovpn tls auth'}</td>
-		<td><input type='checkbox' name='TLSAUTH' $checked{'TLSAUTH'}{'on'} /></td>
-	</tr>
-
     <tr><td colspan='4'><br><br></td></tr>
 END
 ;				   
@@ -5845,6 +5988,10 @@ END
     my $col3="bgcolor='$color{'color22'}'";
     # ta.key line
     my $col4="bgcolor='$color{'color20'}'";
+	# tc-v2.key line
+	my $col5="bgcolor='$color{'color22'}'";
+	# tc.key
+	my $col6="bgcolor='$color{'color20'}'";
 
     if (-f "${General::swroot}/ovpn/ca/cacert.pem") {
 		my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`;
@@ -5974,7 +6121,7 @@ END
 		# Nothing
 		print <<END;
 		<tr>
-			<td width='25%' class='base' $col4>$Lang::tr{'ta key'}:</td>
+			<td width='25%' class='base' $col4>$Lang::tr{'ta key'}</td>
 			<td class='base' $col4>$Lang::tr{'not present'}</td>
 			<td colspan='3' $col4>&nbsp;</td>
 		</tr>
@@ -5982,6 +6129,52 @@ END
 		;
     }
 
+	# Adding tc-v2.key to chart
+	if (-f "${General::swroot}/ovpn/certs/tc-v2-server.key") {
+		my $tcvsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc-v2-server.key`;
+		$tcvsubject    =~ /-----BEGIN (.*)-----[\n]/;
+		$tcvsubject    = $1;
+		print <<END;
+
+		<tr>
+			<td class='base' $col5>$Lang::tr{'tc v2 key'}</td>
+			<td class='base' $col5>$tcvsubject</td>
+				<form method='post' name='frmtcv2key'><td width='3%' align='center' $col5>
+					<input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt-v2 key'}' />
+					<input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt-v2 key'}' title='$Lang::tr{'show tls-crypt-v2 key key'}' width='20' height='20' border='0' />
+				</form>
+				<form method='post' name='frmtckey'><td width='3%' align='center' $col5>
+			<td width='4%' $col5>&nbsp;</td>
+		</tr>
+END
+;
+	}
+
+	# Adding tc.key to chart
+	if (-f "${General::swroot}/ovpn/certs/tc.key") {
+		my $tcsubject = `/bin/cat ${General::swroot}/ovpn/certs/tc.key`;
+		$tcsubject    =~ /# (.*)[\n]/;
+		$tcsubject    = $1;
+		print <<END;
+
+		<tr>
+			<td class='base' $col6>$Lang::tr{'tc key'}</td>
+			<td class='base' $col6>$tcsubject</td>
+				<form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+					<input type='hidden' name='ACTION' value='$Lang::tr{'show tls-crypt key'}' />
+					<input type='image' name='$Lang::tr{'edit'}' src='/images/info.gif' alt='$Lang::tr{'show tls-crypt key'}' title='$Lang::tr{'show tls-crypt key'}' width='20' height='20' border='0' />
+				</form>
+				<form method='post' name='frmtckey'><td width='3%' align='center' $col6>
+					<input type='image' name='$Lang::tr{'download tls-crypt key'}' src='/images/media-floppy.png' alt='$Lang::tr{'download tls-crypt key'}' title='$Lang::tr{'download tls-crypt key'}' border='0' />
+					<input type='hidden' name='ACTION' value='$Lang::tr{'download tls-crypt key'}' />
+				</form>
+			<td width='4%' $col6>&nbsp;</td>
+		</tr>
+END
+;
+	}
+
+
     if (! -f "${General::swroot}/ovpn/ca/cacert.pem") {
         print "<tr><td colspan='5' align='center'><form method='post'>";
 		print "<input type='submit' name='ACTION' value='$Lang::tr{'generate root/host certificates'}' />";
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index cc7755018..9ffbbf432 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -894,6 +894,9 @@
 'download new ruleset' => 'Neuen Regelsatz herunterladen',
 'download pkcs12 file' => 'PKCS12-Datei herunterladen',
 'download root certificate' => 'Root-Zertifikat herunterladen',
+'download tls-auth key' => 'TLS-Auth Schlüssel herunterladen',
+'download tls-crypt key' => 'TLS-Crypt Schlüssel herunterladen',
+'download tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel herunterladen',
 'download tls-auth key' => 'tls-auth Key herunterladen',
 'dpd action' => 'Aktion für Erkennung toter Gegenstellen (Dead Peer Detection)',
 'dpd delay' => 'Verzögerung',
@@ -1951,7 +1954,7 @@
 'ovpn subnet' => 'OpenVPN-Subnetz:',
 'ovpn subnet is invalid' => 'Das OpenVPN-Subnetz ist ungültig.',
 'ovpn subnet overlap' => 'OpenVPNSubnetz überschneidet sich mit  ',
-'ovpn tls auth' => 'TLS-Kanalabsicherung:',
+'ovpn tls auth' => 'TLS-Kanalabsicherung',
 'ovpn warning rfc3280' => 'Das Host Zertifikat ist nicht RFC3280 Regelkonform. <br>Bitte IPFire auf die letzte Version updaten und generieren sie ein neues Root und Host Zertifikat so bald wie möglich.</br><br>Es müssen dann alle OpenVPN clients erneuert werden!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_fragment' => 'Fragmentgrösse',
@@ -2224,6 +2227,9 @@
 'show last x lines' => 'die letzten x Zeilen anzeigen',
 'show root certificate' => 'Root-Zertifikat anzeigen',
 'show share options' => 'Anzeige der Freigabeeinstellungen',
+'show tls-auth key' => 'TLS-Auth Schlüssel anzeigen',
+'show tls-crypt key' => 'TLS-Crypt Schlüssel anzeigen',
+'show tls-crypt-v2 key' => 'TLS-Crypt-v2 Schlüssel anzeigen',
 'shuffle' => 'Zufall',
 'shutdown' => 'Herunterfahren',
 'shutdown ask' => 'Herunterfahren?',
@@ -2350,6 +2356,8 @@
 'system logs' => 'Systemprotokolldateien',
 'system status information' => 'System-Statusinformationen',
 'ta key' => 'TLS-Authentifizierungsschlüssel',
+'tc key' => 'TLS-Kryptografie-Schlüssel',
+'tc v2 key' => 'TLS-Kryptografie-Schlüssel-Version2',
 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
 'tcp more reliable' => 'TCP (zuverlässiger)',
 'telephone not set' => 'Telefonnummer nicht angegeben.',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 3dcb8d46e..6707a3a71 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -918,7 +918,9 @@
 'download new ruleset' => 'Download new ruleset',
 'download pkcs12 file' => 'Download PKCS12 file',
 'download root certificate' => 'Download root certificate',
-'download tls-auth key' => 'Download tls-auth key',
+'download tls-auth key' => 'Download TLS-Auth key',
+'download tls-crypt key' => 'Download TLS-Crypt key',
+'download tls-crypt-v2 key' => 'Download TLS-Crypt-v2 server key',
 'dpd action' => 'Action',
 'dpd delay' => 'Delay',
 'dpd timeout' => 'Timeout',
@@ -1983,7 +1985,7 @@
 'ovpn subnet' => 'OpenVPN subnet:',
 'ovpn subnet is invalid' => 'OpenVPN subnet is invalid.',
 'ovpn subnet overlap' => 'OpenVPN Subnet overlaps with : ',
-'ovpn tls auth' => 'TLS Channel Protection:',
+'ovpn tls auth' => 'TLS Channel Protection',
 'ovpn warning rfc3280' => 'Your host certificate is not RFC3280 compliant. <br>Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.</br><br>All OpenVPN clients needs then to be renewed!</br>',
 'ovpn_fastio' => 'Fast-IO',
 'ovpn_mssfix' => 'MSSFIX Size',
@@ -2260,7 +2262,9 @@
 'show lines' => 'Show lines',
 'show root certificate' => 'Show root certificate',
 'show share options' => 'Show shares options',
-'show tls-auth key' => 'Show tls-auth key',
+'show tls-auth key' => 'Show TLS-Auth key',
+'show tls-crypt key' => 'Show TLS-Crypt key',
+'show tls-crypt-v2 key' => 'Show TLS-Crypt-v2 key',
 'shuffle' => 'Shuffle',
 'shutdown' => 'Shutdown',
 'shutdown ask' => 'Shutdown?',
@@ -2388,6 +2392,8 @@
 'system logs' => 'System Logs',
 'system status information' => 'System Status Information',
 'ta key' => 'TLS-Authentification-Key',
+'tc key' => 'TLS-Cryptografic-Key',
+'tc v2 key' => 'TLS-Cryptografic-Key-version2',
 'taa zombieload2' => 'TSX Async Abort / ZombieLoad v2',
 'tcp more reliable' => 'TCP (more reliable)',
 'telephone not set' => 'Telephone not set.',