From patchwork Thu Mar 21 12:24:48 2024
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 7651
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH 1/4] OpenVPN: Update to version 2.6.9
Date: Thu, 21 Mar 2024 13:24:48 +0100
Message-ID: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
List-Id: IPFire development talk

This update enters the 2.6.x series and needs configuration changes since NCP is now a requirement.

Signed-off-by: Erik Kapfer
---
 config/rootfiles/common/openvpn | 1 -
 lfs/openvpn                     | 9 +++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index d9848a579..91c702bd5 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -15,7 +15,6 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/COPYRIGHT.GPL #usr/share/doc/openvpn/Changes.rst #usr/share/doc/openvpn/README -#usr/share/doc/openvpn/README.IPv6 #usr/share/doc/openvpn/README.auth-pam #usr/share/doc/openvpn/README.down-root #usr/share/doc/openvpn/README.mbedtls diff --git a/lfs/openvpn b/lfs/openvpn index b71b4ccc9..7899894be 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team # +# Copyright (C) 2007-2024 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@ include Config -VER = 2.5.9 +VER = 2.6.9 THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e5110ebb9149121c11de45f085f66d30a89fb674ad96c5792d83b16dc29c95215a91e682adb3c800b91ed4d88d6d24b5bcae0799cdb855a284832f0668ffcb82 +$(DL_FILE)_BLAKE2 = 22289b32f2b9afc2aed59f6fc66dc25b3043b8c82858b7857e4f904a25c6cf0f21a41551ed4f8d8869c0e7248e4e060779f760dd606e99cdc02203fbff886536 install : $(TARGET) 
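Review bot: the new `$(DL_FILE)_BLAKE2` value in the `@@ -40,7 +40,7 @@` hunk of lfs/openvpn cannot be checked from the diff alone; please state in the commit message that the 2.6.9 tarball was verified against the upstream OpenVPN release signature before the hash was taken, so the checksum is anchored to something other than the download itself.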
@@ -76,7 +76,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --enable-iproute2 \ --enable-plugins \ --enable-plugin-auth-pam \ - --enable-plugin-down-root + --enable-plugin-down-root \ + --disable-dco cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install

From patchwork Thu Mar 21 12:24:49 2024
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 7649
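Review bot: `--disable-dco` in the lfs/openvpn configure hunk (`@@ -76,7 +76,8 @@`) of [PATCH 1/4] is added without explanation; neither the commit message nor the lfs file says why the data channel offload is built out (for example, no ovpn-dco module in the IPFire kernel). Add a one-line comment above the flag so the next updater knows whether it can be dropped.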
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH 2/4] OpenVPN: Integration of the Negotiation Cipher Protocol (NCP)
Date: Thu, 21 Mar 2024 13:24:49 +0100
Message-ID: <20240321122511.3287692-2-erik.kapfer@ipfire.org>
In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
References: <20240321122511.3287692-1-erik.kapfer@ipfire.org>

- The new directive '--data-ciphers algs' has been introduced for RWs with OpenVPN version 2.5.0. This directive negotiates with the clients the best but also available cipher. The selection for '--data-ciphers algs' is between the GCM family and the new CHACHA20-POLY1305 (all AEAD ciphers). All ciphers can be combined with one another or can also be selected separately.
- The new directive '--data-ciphers algs' substitutes '--ncp-disable', therefore '--ncp-disable' has been removed, which fixes the deprecation warning in the OpenVPN-2.5.0 server instance.
- A new section in ovpnmain.cgi has been added under the "Advanced server options" where these changes take effect. Since all cryptographic options should step by step belong to the "Advanced server options" (like in IPSec), the name of this section, "Cryptographic options", is the same as in the "Global Settings".
- New CHACHA-POLY1305 cipher is integrated.
Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 91 ++++++++++++++++++++++++++++++++++++++- langs/de/cgi-bin/de.pl | 4 ++ langs/en/cgi-bin/en.pl | 4 ++ 3 files changed, 97 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..833ce8247 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -80,6 +80,7 @@ my $col=""; my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local"; my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local"; my $dhparameter = "/etc/ssl/ffdhe4096.pem"; +my @advcipherchar=(); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; @@ -101,6 +102,7 @@ $cgiparams{'number'} = ''; $cgiparams{'DCIPHER'} = ''; $cgiparams{'DAUTH'} = ''; $cgiparams{'TLSAUTH'} = ''; +$cgiparams{'DATACIPHERS'} = ''; $routes_push_file = "${General::swroot}/ovpn/routes_push"; # Perform crypto and configration test &pkiconfigcheck; @@ -329,7 +331,12 @@ sub writeserverconf { } print CONF "status-version 1\n"; print CONF "status /var/run/ovpnserver.log 30\n"; - print CONF "ncp-disable\n"; + + # Data channel encryption + # Set seperator ':' for data ciphers + @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g); + print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; + print CONF "cipher $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum 
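Review bot: in the `@@ -329,7 +331,12 @@` hunk, `@advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g);` stores the substitution count, not the cipher string; the following `print CONF "data-ciphers ..."` only works because `s///` rewrites `$sovpnsettings{'DATACIPHERS'}` in place. Use a local copy instead, e.g. `my $ciphers = join(':', split(/\|/, $sovpnsettings{'DATACIPHERS'}));` and print `$ciphers`, which also makes the global `my @advcipherchar=();` from the `@@ -80,6 +80,7 @@` hunk unnecessary. The hunk also keeps `print CONF "cipher $sovpnsettings{DCIPHER}\n";` next to `data-ciphers`; OpenVPN 2.5 and 2.6 then append that CBC cipher to the negotiable list and log a deprecation warning, so the `cipher` line should become `data-ciphers-fallback` in this patch rather than waiting for [PATCH 3/4].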
@@ -811,8 +818,15 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_DNS'} = $cgiparams{'DHCP_DNS'}; $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; + $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; my @temp=(); + # data-ciphers needs at least one cipher + if ($cgiparams{'DATACIPHERS'} eq '') { + $errormessage = $Lang::tr{'ovpn errmsg invalid data cipher input'}; + goto ADV_ERROR; + } + if ($cgiparams{'FRAGMENT'} eq '') { delete $vpnsettings{'FRAGMENT'}; } else { @@ -2291,7 +2305,12 @@ else $zip->addFile( "${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } - print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + + # Data cipher negotiation + # Set seperator ':' for --data-ciphers algorithms + @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g); + print CLIENTCONF "data-ciphers $vpnsettings{'DATACIPHERS'}\r\n"; + print CLIENTCONF "auth $vpnsettings{'DAUTH'}\r\n"; if ($vpnsettings{'TLSAUTH'} eq 'on') { @@ -2644,6 +2663,7 @@ END %cahash = (); %confighash = (); my $disabled; + my @temp=(); &General::readhash("${General::swroot}/ovpn/settings", \%cgiparams); read_routepushfile; 
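Review bot: the check in the `@@ -811,8 +818,15 @@` hunk only rejects an empty `DATACIPHERS`; the submitted value is otherwise copied into `$vpnsettings` and later printed verbatim into server.conf and every client .ovpn. Validate each `|`-separated entry against the four ciphers the form offers (AES-256-GCM, AES-192-GCM, AES-128-GCM, ChaCha20-Poly1305) before accepting it, the way the other `save-adv-options` fields are checked, so an unexpected value cannot become a config line.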
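Review bot: the `@@ -2291,7 +2305,12 @@` hunk applies `s/\|/:/g` directly to `$vpnsettings{'DATACIPHERS'}`, the hash that holds the settings file for the rest of the request, so any later code in the same request that splits that key on `|` sees the `:`-joined form. Use a local copy here as well. The hunk also drops `cipher` from client.ovpn in favour of `data-ciphers`, which clients older than 2.5 do not parse (2.4 only knows `ncp-ciphers`); [PATCH 3/4] states that requirement, this commit message does not.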
@@ -2652,6 +2672,18 @@ END # $cgiparams{'CLIENT2CLIENT'} = 'on'; # } ADV_ERROR: + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; + } + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + @temp = split('\|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + if ($cgiparams{'MAX_CLIENTS'} eq '') { $cgiparams{'MAX_CLIENTS'} = '100'; } @@ -2706,9 +2738,64 @@ ADV_ERROR: &Header::closebox(); } &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); + + # Set default data channel ciphers + if ($cgiparams{'DATACIPHERS'} eq '') { + $cgiparams{'DATACIPHERS'} = 'ChaCha20-Poly1305|AES-256-GCM'; + } + $checked{'DATACIPHERS'}{'AES-256-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-192-GCM'} = ''; + $checked{'DATACIPHERS'}{'AES-128-GCM'} = ''; + $checked{'DATACIPHERS'}{'ChaCha20-Poly1305'} = ''; + @temp = split('\|', $cgiparams{'DATACIPHERS'}); + foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + + if ($cgiparams{'MAX_CLIENTS'} eq '') { + $cgiparams{'MAX_CLIENTS'} = '100'; + } +@@ -2706,9 +2738,45 @@ + &Header::closebox(); + } + &Header::openbox('100%', 'LEFT', $Lang::tr{'advanced server'}); + print "
"; + print< + + + + + +
$Lang::tr{'ovpn advanced encryption'}
+
+ + + + + + + + + + + + + +
$Lang::tr{'ovpn data channel'}
$Lang::tr{'ovpn data encryption'} + +
+
+END +; + print < +
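Review bot: the `@@ -2706,9 +2738,64 @@` hunk is malformed as posted: it carries a second, nested hunk header (`+@@ -2706,9 +2738,45 @@`) as an added line and repeats the default/`$checked{'DATACIPHERS'}` block that the preceding `@@ -2652,6 +2672,18 @@` hunk already adds after `ADV_ERROR:`. This will not apply with `git am`; regenerate the series with `git format-patch` so the defaults are set once, directly after the label.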
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index f13bddf4b..7c8287510 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1952,14 +1952,18 @@ 'override mtu' => 'Überschreibe Standard-MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Erweiterte Konfiguration', +'ovpn advanced encryption' => 'Kryptografie Optionen', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn connection name' => 'Verbindungs-Name', 'ovpn crypt options' => 'Kryptografieoptionen', +'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', +'ovpn data channel' => 'Daten-Kanal', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', 'ovpn errmsg green already pushed' => 'Route für grünes Netzwerk wird immer gesetzt', +'ovpn errmsg invalid data cipher input' => 'Die Daten-Kanal Verschlüsselung benötigt mindestens einen Algorithmus', 'ovpn errmsg invalid ip or mask' => 'Ungültige Netzwerk-Adresse oder Subnetzmaske', 'ovpn error md5' => 'Das Host Zertifikat nutzt einen MD5 Algorithmus welcher nicht mehr akzeptiert wird.
Bitte IPFire auf die neueste Version updaten und generieren sie ein neues Root und Host Zertifikate.

Es müssen dann alle OpenVPN clients erneuert werden!
', 'ovpn generating the root and host certificates' => 'Die Erzeugung der Root- und Host-Zertifikate kann lange Zeit dauern.', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 0113f8811..cfa826245 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -2013,14 +2013,18 @@ 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN', 'ovpn add conf' => 'Additional configuration', +'ovpn advanced encryption' => 'Cryptographic options', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn connection name' => 'Connection Name', 'ovpn crypt options' => 'Cryptographic options', +'ovpn data encryption' => 'Data-Channel encryption', +'ovpn data channel' => 'Data-Channel', 'ovpn device' => 'OpenVPN device:', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine', 'ovpn errmsg green already pushed' => 'Route for green network is always set', +'ovpn errmsg invalid data cipher input' => 'The data-channel encryption needs at least one cipher', 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask', 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn generating the root and host certificates' => 'Generating the root and host certificate can take a long time.',

From patchwork Thu Mar 21 12:24:50 2024
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 7652
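Review bot: the en.pl hunk (`@@ -2013,14 +2013,18 @@`) of [PATCH 2/4] adds `'ovpn advanced encryption' => 'Cryptographic options'`, which duplicates the existing `'ovpn crypt options' => 'Cryptographic options'` a few lines below (the de.pl hunk likewise adds `'Kryptografie Optionen'` beside the existing `'Kryptografieoptionen'`). Reuse `$Lang::tr{'ovpn crypt options'}` for the new box heading instead of introducing a second key for the same string.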
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH 3/4] OpenVPN: Introduce --data-cipher-fallback to substitute the deprecated --cipher directive
Date: Thu, 21 Mar 2024 13:24:50 +0100
Message-ID: <20240321122511.3287692-3-erik.kapfer@ipfire.org>
In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
References: <20240321122511.3287692-1-erik.kapfer@ipfire.org>

- Since the '--cipher' directive is deprecated with OpenVPN version 2.5.0, it will now be handled via '--data-cipher-fallback' to keep compatibility with already existing clients back to version 2.3.x. The old 'DCIPHER' variable name has been kept and still uses the old settings file, but the directive has now been renamed from '--cipher' to '--data-cipher-fallback'. All new clients need to be at least at OpenVPN version 2.5.0 since the '--cipher' directive will no longer be printed into client.ovpn but uses instead only NCP.
- All old CBC ciphers, except the GCM family and CHACHA20-POLY1305 (AEAD ciphers), are now included in the '--data-ciphers-fallback' table which is located beneath the data-channel ciphers in a separate table.
- With this patch all ciphers are now located under the "Advanced server options" and no longer under the "Global settings"; therefore, tls-auth needed to be rearranged in the "Global settings".
Signed-off-by: Erik Kapfer --- html/cgi-bin/ovpnmain.cgi | 92 +++++++++++++++++++++------------------ langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 3 files changed, 51 insertions(+), 43 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 833ce8247..49ddae4ce 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -337,7 +337,10 @@ sub writeserverconf { @advcipherchar = ($sovpnsettings{'DATACIPHERS'} =~ s/\|/:/g); print CONF "data-ciphers $sovpnsettings{'DATACIPHERS'}\n"; - print CONF "cipher $sovpnsettings{DCIPHER}\n"; + # The "--cipher" directive has been renamed to "--data-cipher-fallback" + # but uses the old setting files. This should deliver compatibility + # for already existing old clients back to OpenVPN version 2.3.x + print CONF "data-ciphers-fallback $sovpnsettings{DCIPHER}\n"; print CONF "auth $sovpnsettings{'DAUTH'}\n"; # Set TLSv2 as minimum print CONF "tls-version-min 1.2\n"; @@ -819,6 +822,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) { $vpnsettings{'DHCP_WINS'} = $cgiparams{'DHCP_WINS'}; $vpnsettings{'ROUTES_PUSH'} = $cgiparams{'ROUTES_PUSH'}; $vpnsettings{'DATACIPHERS'} = $cgiparams{'DATACIPHERS'}; + $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; my @temp=(); # data-ciphers needs at least one cipher @@ -1243,7 +1247,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'}; $vpnsettings{'DMTU'} = $cgiparams{'DMTU'}; $vpnsettings{'DCOMPLZO'} = $cgiparams{'DCOMPLZO'}; - $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'}; $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'}; $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable 
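Review bot: the comment in the `@@ -337,7 +340,10 @@` hunk (and the subject line) names the option `--data-cipher-fallback`, while the line actually printed is `data-ciphers-fallback`; the printed form is the one OpenVPN accepts, so fix the comment and subject to match. The comment should also say that the fallback is only consulted for peers that cannot negotiate, so the chosen CBC cipher stays reachable by every non-NCP client; that is the intended downgrade path and worth stating explicitly.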
@@ -2306,6 +2309,12 @@ else $zip->addFile( "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "$confighash{$cgiparams{'KEY'}}[1]cert.pem") or die "Can't add file $confighash{$cgiparams{'KEY'}}[1]cert.pem\n"; } + # !!! With the update to version 2.6.x all new configured clients + # needs to be at least at OpenVPN version >= 2.5.0 cause the cipher + # directive is deprecated and reach his EOL with 2.7.x so only the + # following NCP will be used !!! + #print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n"; + # Data cipher negotiation # Set seperator ':' for --data-ciphers algorithms @advcipherchar = ($vpnsettings{'DATACIPHERS'} =~ s/\|/:/g); @@ -2684,6 +2693,26 @@ ADV_ERROR: @temp = split('\|', $cgiparams{'DATACIPHERS'}); foreach my $key (@temp) {$checked{'DATACIPHERS'}{$key} = "selected='selected'"; } + # Set default for data-cipher-fallback (the old --cipher directive) + if ($cgiparams{'DCIPHER'} eq '') { + $cgiparams{'DCIPHER'} = 'AES-256-CBC'; + } + # All CBC ciphers are now in data-cipher-fallback section + $selected{'DCIPHER'}{'AES-256-CBC'} = ''; + $selected{'DCIPHER'}{'AES-192-CBC'} = ''; + $selected{'DCIPHER'}{'AES-128-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; + $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; + $selected{'DCIPHER'}{'SEED-CBC'} = ''; + $selected{'DCIPHER'}{'DES-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; + $selected{'DCIPHER'}{'DESX-CBC'} = ''; + $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; + $selected{'DCIPHER'}{'BF-CBC'} = ''; + $selected{'DCIPHER'}{'CAST5-CBC'} = ''; + $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; + if ($cgiparams{'MAX_CLIENTS'} eq '') { $cgiparams{'MAX_CLIENTS'} = '100'; } @@ -2772,6 +2801,7 @@ ADV_ERROR: + @@ -2785,6 +2815,23 @@ ADV_ERROR: + +
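Review bot: in the `@@ -2306,6 +2309,12 @@` hunk the old `#print CLIENTCONF "cipher $vpnsettings{DCIPHER}\r\n";` line is commented out rather than deleted; git history keeps it, so drop the dead line and keep only the explanatory comment (with "reaches its EOL" and "because" instead of "reach his EOL" and "cause").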
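Review bot: the `@@ -2684,6 +2693,26 @@` hunk offers DES-CBC, DES-EDE-CBC, DESX-CBC, BF-CBC, CAST5-CBC and SEED-CBC in the new fallback select. These are 64-bit-block or legacy ciphers that OpenVPN 2.6 built against OpenSSL 3 only accepts with the legacy provider enabled, so selecting one produces a server.conf that fails to start. Restrict the select to the AES and Camellia CBC entries; the `@@ -5250,24 +5297,6 @@` hunk shows the same set was previously offered, so this is the moment to prune it rather than carry it into the 2.6 UI.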
$Lang::tr{'dhcp-options'}
$Lang::tr{'ovpn data channel'}$Lang::tr{'ovpn data channel fallback'}
+ +
@@ -5250,24 +5297,6 @@ END $selected{'DPROTOCOL'}{'tcp'} = ''; $selected{'DPROTOCOL'}{$cgiparams{'DPROTOCOL'}} = 'SELECTED'; - $selected{'DCIPHER'}{'AES-256-GCM'} = ''; - $selected{'DCIPHER'}{'AES-192-GCM'} = ''; - $selected{'DCIPHER'}{'AES-128-GCM'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-256-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-192-CBC'} = ''; - $selected{'DCIPHER'}{'CAMELLIA-128-CBC'} = ''; - $selected{'DCIPHER'}{'AES-256-CBC'} = ''; - $selected{'DCIPHER'}{'AES-192-CBC'} = ''; - $selected{'DCIPHER'}{'AES-128-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE3-CBC'} = ''; - $selected{'DCIPHER'}{'DESX-CBC'} = ''; - $selected{'DCIPHER'}{'SEED-CBC'} = ''; - $selected{'DCIPHER'}{'DES-EDE-CBC'} = ''; - $selected{'DCIPHER'}{'CAST5-CBC'} = ''; - $selected{'DCIPHER'}{'BF-CBC'} = ''; - $selected{'DCIPHER'}{'DES-CBC'} = ''; - $selected{'DCIPHER'}{$cgiparams{'DCIPHER'}} = 'SELECTED'; - $selected{'DAUTH'}{'whirlpool'} = ''; $selected{'DAUTH'}{'SHA512'} = ''; $selected{'DAUTH'}{'SHA384'} = ''; @@ -5391,29 +5420,6 @@ END - $Lang::tr{'cipher'} - - - - -
- $Lang::tr{'ovpn tls auth'} diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 7c8287510..92bacc0ef 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1959,6 +1959,7 @@ 'ovpn crypt options' => 'Kryptografieoptionen', 'ovpn data encryption' => 'Daten-Kanal Verschlüsselung', 'ovpn data channel' => 'Daten-Kanal', +'ovpn data channel fallback' => 'Daten-Kanal Fallback', 'ovpn device' => 'OpenVPN-Gerät', 'ovpn dl' => 'OVPN-Konfiguration downloaden', 'ovpn engines' => 'Krypto Engine', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index cfa826245..2f517e79c 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl 
@@ -2020,6 +2020,7 @@ 'ovpn crypt options' => 'Cryptographic options', 'ovpn data encryption' => 'Data-Channel encryption', 'ovpn data channel' => 'Data-Channel', +'ovpn data channel fallback' => 'Data-Channel fallback', 'ovpn device' => 'OpenVPN device:', 'ovpn dl' => 'OVPN-Config Download', 'ovpn engines' => 'Crypto engine',

From patchwork Thu Mar 21 12:24:51 2024
X-Patchwork-Submitter: Erik Kapfer
X-Patchwork-Id: 7650
From: Erik Kapfer
To: development@lists.ipfire.org
Subject: [PATCH 4/4] update.sh: Add and change new directives for OpenVPN 2.6.x
Date: Thu, 21 Mar 2024 13:24:51 +0100
Message-ID: <20240321122511.3287692-4-erik.kapfer@ipfire.org>
In-Reply-To: <20240321122511.3287692-1-erik.kapfer@ipfire.org>
References: <20240321122511.3287692-1-erik.kapfer@ipfire.org>

This process may need to be continued with some of the following updates to make sure the directives are included even if the update with these changes has been jumped over?! Otherwise, the "Advanced server options" page needs to be saved via the WUI to bring OpenVPN to life.

Signed-off-by: Erik Kapfer
---
 config/rootfiles/core/185/update.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/config/rootfiles/core/185/update.sh b/config/rootfiles/core/185/update.sh
index 2c95c4102..247661481 100644
--- a/config/rootfiles/core/185/update.sh
+++ b/config/rootfiles/core/185/update.sh
@@ -35,6 +35,17 @@ done /etc/init.d/ntp stop /etc/init.d/squid stop +# OpenVPN add and change new 2.6.x directives for NCP. +if pgrep openvpn > /dev/null; then + /usr/local/bin/openvpnctrl -k > /dev/null + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-256-GCM/' /var/ipfire/ovpn/server.conf + sed -i 's/^cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf + /usr/local/bin/openvpnctrl -s > /dev/null +else + sed -i 's/^ncp-disable/data-ciphers ChaCha20-Poly1305:AES-256-GCM/' /var/ipfire/ovpn/server.conf + sed -i 's/^cipher/data-ciphers-fallback/' /var/ipfire/ovpn/server.conf +fi + # Extract files extract_files
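Review bot: the two `sed` commands in the `@@ -35,6 +35,17 @@` hunk are repeated verbatim in both branches of the `if pgrep openvpn` test; only the `openvpnctrl -k` / `-s` calls depend on whether the daemon is running, so hoist the edits out of the conditional. `s/^cipher/data-ciphers-fallback/` should be anchored as `s/^cipher /data-ciphers-fallback /` so that any other directive beginning with `cipher` is left alone. Note too that the `data-ciphers` line is only inserted where `ncp-disable` was present; a server.conf without that line ends up with no `data-ciphers` at all and silently falls back to OpenVPN's built-in default list, which the commit message should say.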