From patchwork Mon Aug 25 09:19:13 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8989
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 1/2] backup.pl: Ensure ncp-disable is removed from old backups and DATACIPHERS added
Date: Mon, 25 Aug 2025 11:19:13 +0200
Message-ID: <20250825091914.5761-1-adolf.belka@ipfire.org>

- With commit https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=e04f5376ba18767a6a9eccf104c472295a75340b then the settings file which is hashed into %vpnsettings
already exists and so none of the defaults are set. Running the ovpnmain.cgi code resolves this for most of the settings but not for ncp-disable being present in server.conf and no DATACIPHERS entry in the settings file. ncp-disable then causes the openvpn server to fail to start as it is no longer recognised in OpenVPN-2.6.
- This patch checks if ncp-disable is in the server.conf file from the restored backup and, if it is, it is then removed and the default values for DATACIPHERS are added into the settings file.
- Tested out in my vm testbed and successfully worked. The previously found issue after the above patch was added in has been resolved.
- Associated patch in this set is to do a similar thing for the update.sh file for CU197.

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
--- config/backup/backup.pl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/backup/backup.pl b/config/backup/backup.pl index e79f510c6..42d24aa3c 100644 --- a/config/backup/backup.pl +++ b/config/backup/backup.pl
@@ -350,6 +350,11 @@ restore_backup() { fi # Update the OpenVPN configuration and restart the openvpn daemons + if grep -q "ncp-disable" /var/ipfire/ovpn/server.conf; then + sed -r -e "/ncp-disable/d" -i /var/ipfire/ovpn/server.conf + echo "DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305" >> \ + /var/ipfire/ovpn/settings + fi sudo -u nobody /srv/web/ipfire/cgi-bin/ovpnmain.cgi /etc/init.d/openvpn-n2n restart /etc/init.d/openvpn-rw restart

From patchwork Mon Aug 25 09:19:14 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8990
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 2/2] update.sh: Ensure ncp-disable is removed from config and DATACIPHERS added
Date: Mon, 25 Aug 2025 11:19:14 +0200
Message-ID: <20250825091914.5761-2-adolf.belka@ipfire.org>
In-Reply-To: <20250825091914.5761-1-adolf.belka@ipfire.org>
References: <20250825091914.5761-1-adolf.belka@ipfire.org>

- This is doing the same thing as the other patch of this series dealing with backup.pl
Signed-off-by: Adolf Belka --- config/rootfiles/core/197/update.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/rootfiles/core/197/update.sh b/config/rootfiles/core/197/update.sh index 0fd5cc6f0..f1800b2c0 100644 --- a/config/rootfiles/core/197/update.sh +++ b/config/rootfiles/core/197/update.sh @@ -123,6 +123,10 @@ ldconfig /usr/local/bin/filesystem-cleanup # Update the OpenVPN configuration +if grep -q "ncp-disable" /var/ipfire/ovpn/server.conf; then + sed -r -e "/ncp-disable/d" -i /var/ipfire/ovpn/server.conf + echo "DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305" >> /var/ipfire/ovpn/settings +fi sudo -u nobody /srv/web/ipfire/cgi-bin/ovpnmain.cgi # Apply SSH configuration
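
Review bot: In the backup.pl hunk (patch 1/2), the `echo "DATACIPHERS=..." >> /var/ipfire/ovpn/settings` append runs whenever ncp-disable is found, with no check that the restored settings file lacks a DATACIPHERS line. The commit message describes the failing case as ncp-disable present and no DATACIPHERS entry, but only the first condition is tested, so a backup that has both ends up with two DATACIPHERS keys, and which one is honoured when the file is read is not visible in this patch. Guard the append, for example with `grep -q "^DATACIPHERS=" /var/ipfire/ovpn/settings || echo ...`. The unanchored "ncp-disable" pattern used by both grep and sed also matches comment lines or any other line containing the string; anchoring it to the start of the line would limit the deletion to the directive itself.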
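
Review bot: In the update.sh hunk (patch 2/2), `grep -q "ncp-disable" /var/ipfire/ovpn/server.conf` runs with no check that the file exists, so on a system where that file is absent grep writes a "No such file or directory" error into the update output before the branch is skipped. Use `grep -qs`, or wrap the block in `[ -f /var/ipfire/ovpn/server.conf ]`. The block is a copy of the one added to backup.pl, so the cipher default string now lives in two places that have to be kept in step, and the append to the settings file is equally unguarded against an existing DATACIPHERS line. The `-r` on the sed call is not needed for a plain-string delete.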