From patchwork Sat Apr 11 11:45:26 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9686
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 1/7] openvpn: Update to version 2.7.1
Date: Sat, 11 Apr 2026 13:45:26 +0200
Message-ID: <20260411114532.43348-1-adolf.belka@ipfire.org>

- Update from version 2.6.19 to 2.7.1
- Update of rootfile
- Changelog
    2.7.1
      Bugfixes
        - Fix usage of --lport inside a block - this got broken with the multi-socket patchset (GH #995)
        - Do not try to run auto-pam unit test when cross-compiling.
        - Do not break private-key passphrases of length >= 64 (GH #993)
        - Fix obscure ASSERT() crash on TCP connects with TAP and no ip config.
        - Make DCO work on FreeBSD systems that have no IPv4 support in kernel (FreeBSD PR 286263)
        - Make DCO work on Linux on big endian systems (namely, MIPS and PowerPC) (GH OpenVPN/ovpn-dco#96)
      New features
        - Add a new username-only flag argument to --auth-user-pass which will now make OpenVPN only query for username and send a dummy password to the server. This is only useful if auth schemes are used on the server side that will do some sort of external challenge based on username, and not password authentication. See discussion in GH #501 (starting Jan 30, 2024).
        - Increase default sizing of internal hash maps to 4 * --max-clients. The default used to be 256 with a --max-clients default of 1024 - this is bad for performance, while the memory savings are minimal. On a very memory constrained system, reduce --max-clients.
      Long-term code maintenance
        - Work on OpenSSL 4.0 API support, reducing use of ASN1_STRING members.
        - Remove obsolete OpenSSL 1.0.x support code from unit tests.
        - Improve documentation of management client versioning, replace magic numbers in the code with an enum type.
        - Fixup responses to management interface version command (for >= 4).
        - Make --enable-async-push work on FreeBSD 15 (which has native inotify support, and consequently no libinotify.pc anymore)
        - Adjust some code parts to new "const" handling on string function returns (ISO C23, as implemented by glibc 2.43 and newer).
        - Remove erroneous usage of M_ERR | M_ERRNO throughout the code.
      User-visible Changes
        - When compiled with the AWS-LC SSL library, using --tls-cert-profile will now print a run-time warning - the library does not support it, so it would silently do nothing.
        - Systemd unit files: change LimitNPROC to TasksMax and increase limit (GH: #929)
        - Documentation improvements.
        - port-share: log incoming connections at verb 3, not on error level anymore (GH: #976).
    2.7.0
      New features
        - Multi-socket support for servers
          OpenVPN servers now can listen on multiple sockets at the same time. Multiple --local statements in the configuration can be used to configure this. This way the same server can e.g. listen for UDP and TCP connections at the same time, or listen on multiple addresses and/or ports.
        - Client implementations for DNS options sent by server for Linux/BSD/macOS
          Linux, BSD and macOS versions of OpenVPN now ship with a per-platform default --dns-updown script that implements proper handling of DNS configuration sent by the server. The scripts should work on systems that use systemd or resolveconf to manage the DNS setup, as well as raw /etc/resolv.conf files. However, the exact features supported will depend on the configuration method. On Linux and MacOS this should usually make split-DNS configurations supported out-of-the-box now. Note that this new script will not be used by default if a --up script is already in use to reduce problems with backwards compatibility. See documentation for --dns-updown and --dns for more details.
        - New client implementation for DNS options sent by server for Windows
          The Windows client now uses NRPT (Name Resolution Policy Table) to handle DNS configurations. This adds support for split-DNS and DNSSEC and improves the compatibility with local DNS resolvers. Requires the interactive service.
        - On Windows the block-local flag is now enforced with WFP filters.
          The block-local flag to --redirect-gateway and --redirect-private is now also enforced via the Windows Firewall, making sure packets can't be sent to the local network. This provides stronger protection against TunnelCrack-style attacks.
        - Windows network adapters are now generated on demand
          This means that on systems that run multiple OpenVPN connections at the same time the users don't need to manually create enough network adapters anymore (in addition to the ones created by the installer).
        - Windows automatic service now runs as an unprivileged user
          All tasks that need privileges are now delegated to the interactive service. NOTE this has the risk of breaking existing setups if the Windows certificate store is used (cryptoapi), and the certificates are not readable for NT SERVICE\OpenVPNService.
        - Support for new version of Linux DCO module
          OpenVPN DCO module is moving upstream and being merged into the main Linux kernel. For this process some API changes were required. OpenVPN 2.7 will only support the new API. The new module is called ovpn. Out-of-tree builds for older kernels are available. Please see the release announcements for further information.
        - Support for server mode in win-dco driver
          On Windows the win-dco driver can now be used in server setups.
        - Support for TLS client floating in DCO implementations
          The kernel modules will detect clients floating to a new IP address and notify userland so both data packets (kernel) and TLS packets (sent by userland) can reach the new client IP. (Actual support depends on recent-enough kernel implementation)
        - Enforcement of AES-GCM usage limit
          OpenVPN will now enforce the usage limits on AES-GCM with the same confidentiality margin as TLS 1.3 does. This means that renegotiation will be triggered after roughly 2^28 to 2^31 packets depending on the packet size. More details about usage limit of AES-GCM can be found here: https://datatracker.ietf.org/doc/draft-irtf-cfrg-aead-limits/
        - Epoch data keys and packet format
          This introduces the epoch data format for AEAD data channel ciphers in TLS mode ciphers. This new data format has a number of improvements over the standard "DATA_V2" format.
          - AEAD tag at the end of packet which is more hardware implementation friendly
          - Automatic key switchover when cipher usage limits are hit, similar to the epoch data keys in (D)TLS 1.3
          - 64 bit instead of 32 bit packet ids to allow the data channel to be ready for 10 GBit/s without having frequent renegotiation
          - IV constructed with XOR instead of concatenation to not have (parts) of the real IV on the wire
        - Support for Epoch data channel on Windows, using the win-dco driver (2.8.0+)
        - Default ciphers in --data-ciphers
          Ciphers in --data-ciphers can contain the string DEFAULT that is replaced by the default ciphers used by OpenVPN, making it easier to add an allowed cipher without having to spell out the default ciphers.
        - TLS alerts
          OpenVPN 2.7 will send out TLS alerts to peers informing them if the TLS session shuts down or when the TLS implementation informs the peer about an error in the TLS session (e.g. mismatching TLS versions). This improves the user experience as the client shows an error instead of running into a timeout when the server just stops responding completely.
        - Support for tun/tap via unix domain socket and lwipovpn support
          To allow better testing and emulating a full client with a full network stack OpenVPN now allows a program executed to provide a tun/tap device instead of opening a device. The co-developed lwipovpn program based on lwIP stack allows to simulate full IP stack. An OpenVPN client using --dev-node unix:/path/to/lwipovpn can emulate a full client that can be pinged, can serve a website and more without requiring any elevated permission. This can make testing OpenVPN much easier. For more details see lwipovpn on Github.
        - Allow overriding username with --override-username
          This is intended to allow using --auth-gen-token in scenarios where the clients use certificates and multi-factor authentication. This will also generate a push "auth-token-user newusername" directive in push replies.
        - --port-share now properly supports IPv6
          Issues with logging of IPv6 addresses were fixed. The feature now allows IPv6 connections towards the proxy receiver.
        - Support for Haiku OS
        - TLS1.3 support with mbedTLS (requires mbedTLS >= 3.6.4)
        - PUSH_UPDATE client support
          It is now possible to update parts of the client-side configuration (IP address, routes, MTU, DNS) by sending a new server-to-client control message, PUSH_UPDATE. See also: https://openvpn.github.io/openvpn-rfc/openvpn-wire-protocol.html
          NOTE: PUSH_UPDATE client support is currently disabled if DCO is active (on all platforms).
        - PUSH_UPDATE server support (minimal)
          New management interface commands push-update-broad and push-update-cid to send PUSH_UPDATE option updates to all clients ("there is a new DNS server") or only a specific client ID ("privileges have changed, here's a new IP address"). See doc/management-notes.txt
          NOTE: PUSH_UPDATE server support is currently disabled if DCO is active (on all platforms).
        - Support for user-defined routing tables on Linux
          See the --route-table option in the manpage
        - PQE support for WolfSSL
        - Two new environment variables have been introduced to communicate desired default gateway redirection to plugins like Network Manager, route_redirect_gateway_ipv4 and route_redirect_gateway_ipv6. See the "Environmental Variables" section in the man page
        - Improved logging of service events/errors to event log on Windows.
        - "Recursive Routing" check is now more granular, and will only drop packets-in-tunnel if destination IP, protocol and port matches with those needed to reach the VPN server. With that change, you can now use policies that direct "everything that is not OpenVPN" into the tunnel, and have IP packets to the VPN server address arrive as expected (no such policies are currently installed by OpenVPN) (GH: #669).
        - COPYING: license details only relevant to our Windows installers have been updated and moved to the openvpn-build repo
        - Improved BYTECOUNT support - more strictly adhere to timing interval requested, correctly support client and server counters with Linux and Windows DCO offloading.
        - Improve compatibility with OpenSSL 3.6.0 (do not fail t_lpback selftest)
        - New option --tls-crypt-v2-max-age n to check tls-crypt-v2 timestamps (When a client is older than n days or has no timestamp, the server will reject it)
        - mbedTLS 4 support has been added. Note that with mbedTLS 4 algorithms need to be translated to mbedTLS 4 internal IDs by OpenVPN, and some names might be missing.
      Deprecated features
        - secret support has been removed (by default).
          static key mode (non-TLS) is no longer considered "good and secure enough" for today's requirements. Use TLS mode instead. If deploying a PKI CA is considered "too complicated", using --peer-fingerprint makes TLS mode about as easy as using --secret. This mode can still be enabled by using --allow-deprecated-insecure-static-crypto but will be removed in OpenVPN 2.8.
        - Support for wintun Windows driver has been removed.
          OpenVPN 2.6 added support for the new dco-win driver, so it supported three different device drivers: dco-win, wintun, and tap-windows6. OpenVPN 2.7 now drops the support for wintun driver. By default all modern configs should be supported by dco-win driver. In all other cases OpenVPN will fall back automatically to tap-windows6 driver.
        - NTLMv1 authentication support for HTTP proxies has been removed.
          This is considered an insecure method of authentication that uses obsolete crypto algorithms. NTLMv2 support is still available, but will be removed in a future release. When configured to authenticate with NTLMv1 (ntlm keyword in --http-proxy) OpenVPN will try NTLMv2 instead.
        - persist-key option has been enabled by default.
          All the keys will be kept in memory across restart.
        - OpenSSL 1.0.2 support has been removed.
          Support for building with OpenSSL 1.0.2 has been removed. The minimum supported OpenSSL version is now 1.1.0.
        - mbedTLS 2.x support has been removed
          Support for building with mbedTLS 2.x has been removed (it is out of support since March 2025, and the necessary compatibility code is making maintenance and support for mbedTLS 4.x hard). The minimum supported mbedTLS version is now 3.2.1.
        - Compression on send has been removed.
          OpenVPN 2.7 will never compress data before sending. Decompression of received data is still supported. --allow-compression yes is now an alias for --allow-compression asym.
        - --memstats feature removed
          The --memstats option was largely undocumented and there is no known user of this feature. This feature provided very limited statistics (number of users, link bytes read/written) and we do not expect any usage because of this.
        - Using --push in a mode that is not --mode server will now print a clear warning that this is an unsupported operation and might cause negotiation failures.
        - --reneg-bytes and --reneg-packets do not work in DCO mode, and will now print an appropriate warning.
        - On-connect resolving of --remote addresses in --tcp-server mode was not working since 2.4, so the code was completely removed.
        - --opt-verify feature removed
          This option was already deprecated and it is now being converted to a no-op. Using this option will only print a warning.
      User-visible Changes
        - Default for --topology changed to subnet for --mode server. Previous releases always used net30 as default. This only affects configs with --mode server or --server (the latter implies the former), and --dev tun, and only if IPv4 is enabled. Note that this changes the semantics of --ifconfig, so if you have manual settings for that in your config but not set --topology your config might fail to parse with the new version. Just adding --topology net30 to the config should fix the problem. By default --topology is pushed from server to client.
        - --x509-username-field will no longer automatically convert fieldnames to uppercase. This was deprecated since OpenVPN 2.4, and has now been removed.
        - --dh none is now the default if --dh is not specified. Modern TLS implementations will prefer ECDH and other more modern algorithms anyway. And finite field Diffie Hellman is in the process of being deprecated (see draft-ietf-tls-deprecate-obsolete-kex)
        - --lport 0 does not imply --bind anymore.
        - --redirect-gateway now works correctly if the VPN remote is not reachable by the default gateway.
        - --show-gateway now supports querying the gateway for IPv4 addresses.
        - --static-challenge option now has a third parameter format that can change how password and challenge response should be combined.
        - --key and --cert now accept URIs implemented in OpenSSL 3 as well as optional OpenSSL 3 providers loaded using --providers option.
        - --cryptoapicert now supports issuer name as well as Windows CA template name or OID as selector string.
        - TLS handshake debugging information contains much more details now when using recent versions of OpenSSL.
        - The IV_PLAT_VER variable sent by Windows clients now contains the full Windows build version to make it possible to determine the Windows 10 or Windows 11 version used.
        - The --windows-driver option to select between various windows drivers will no longer do anything - it's kept so existing configs will not become invalid, but it is ignored with a warning. The default is now ovpn-dco if all options used are compatible with DCO, with a fallback to tap-windows6. To force TAP (for example because a server pushes DCO incompatible options), use the --disable-dco option.
        - Apply more checks to incoming TLS handshake packets before creating new state - namely, verify message ID / acked ID for "valid range for an initial packet". This fixes a problem with clients that float very early but send control channel packet from the pre-float IP (Github: #704).
        - Use of --dh dh2048.pem in all sample configs has been replaced with --dh none. The dh2048.pem file has been removed.
        - The startup delay in t_client.sh has been reduced from 3s to 1s, making a noticeable difference for setups with many tests.
        - Changed from using uncrustify for code formatting and pre-commit checks to clang-format. This reformatted quite a bit of code, and requires that regular committers change their pre-commit checks accordingly.
        - On Linux, on interfaces where applicable, OpenVPN explicitly configures the broadcast address again. This was dropped for 2.6.0 "because computers are smart and can do it themselves", but the kernel netlink interface isn't, and will install "0.0.0.0". This does not normally matter, but for broadcast-based applications that get the address to use from "ifconfig", this change repairs functionality (this has been backported to 2.6.15, but is not in earlier 2.6 versions).
        - max-routes-per-client 0 used to be silently upgraded to 1. This now produces an error.
        - ifconfig and ifconfig-ipv6 values are now stored in pre-connect options cache, and will be restored to pre-connect values on reconnects if the server stops pushing the respective option.
        - tapctl.exe helper binary on Windows has been reworked to improve help texts (making clear that it can not only do TAP-Adapters but Win-DCO as well), add printing of the hwid to all adapter outputs, and change the default adapter type created to ovpn-dco.
        - The default for multihome egress interface handling has changed.
          2.7.0 will default to ipi_ifindex=0, that is, leave the decision to the routing/policy setup of the operating system. The pre-2.7 behaviour (force egress = ingress interface) can be achieved with the new --multihome same-interface sub-option.
        - Windows openvpn.exe binary manifest now sets code page UTF8 - which has no direct effect on OpenVPN itself, but this repairs OpenSSL file loading for key/cert files with non-ASCII characters in their file names (GH: #920).
        - The test-crypto option no longer requires a --secret argument and will automatically generate a random key.
        - The configure-time option --enable-x509-alt-username is no longer conditional, and always-on (GH: #917).

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/openvpn | 3 ++-
 lfs/openvpn | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn index 760fafd99..46c242d10 100644 --- a/config/rootfiles/common/openvpn +++ b/config/rootfiles/common/openvpn @@ -8,6 +8,8 @@ usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so #usr/lib/openvpn/plugins/openvpn-plugin-down-root.la usr/lib/openvpn/plugins/openvpn-plugin-down-root.so usr/lib/openvpn/verify +#usr/libexec/openvpn +usr/libexec/openvpn/dns-updown usr/sbin/openvpn usr/sbin/openvpn-authenticator #usr/share/doc/openvpn @@ -15,7 +17,6 @@ usr/sbin/openvpn-authenticator #usr/share/doc/openvpn/COPYRIGHT.GPL #usr/share/doc/openvpn/Changes.rst #usr/share/doc/openvpn/README -#usr/share/doc/openvpn/README.IPv6 #usr/share/doc/openvpn/README.auth-pam #usr/share/doc/openvpn/README.down-root #usr/share/doc/openvpn/README.mbedtls diff --git a/lfs/openvpn b/lfs/openvpn index 10f1f54c4..80eb94032 100644 --- a/lfs/openvpn +++ b/lfs/openvpn @@ -24,7 +24,7 @@ include Config -VER = 2.6.19 +VER = 2.7.1 THISAPP = openvpn-$(VER) DL_FILE = $(THISAPP).tar.gz 
@@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 4eabecd3be43c7a45dbf2fb92236f568d5273978b18d5068200277771a5f6cad5fd3cc138232812c7f2e3c9a7812e73ca63c362ec942f361401c0712dc7d8498 +$(DL_FILE)_BLAKE2 = a5f598a4f2366c3134578af6bf08750c3d4269ab036f1b49b44799174bca01dc4d79c8ddfce2b5948f186a7729cd96e428b74dda4a685bf44323aaa188739405 install : $(TARGET)
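
Review bot: the first hunk of config/rootfiles/common/openvpn starts shipping usr/libexec/openvpn/dns-updown, yet the commit message covers it only as "Update of rootfile". According to the 2.7.0 notes in the message, this script is used by default to apply DNS settings sent by the server unless an --up script is already in use, so the message should state whether it is meant to run on this system when it acts as an OpenVPN client, or whether the generated configs prevent that. If it is not meant to run, the entry could be commented out in the same way as #usr/libexec/openvpn.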
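
Review bot: the VER change from 2.6.19 to 2.7.1 in lfs/openvpn pulls in the changed defaults listed in the message (--topology subnet for --mode server, --dh none, persist-key enabled, no compression on send, --secret removed by default), and the message does not say which of them were checked against existing configurations. A short paragraph naming what was tested, and which of these changes need no action here, would let reviewers judge the upgrade risk.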
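
Review bot: in the second lfs/openvpn hunk the $(DL_FILE)_BLAKE2 value is the only integrity reference visible for the new tarball, and nothing in the message says how it was obtained. Please note whether it was computed from a download whose upstream signature was verified first, so the value can be reproduced independently instead of being taken on trust.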
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 2/7] core202: Ship openvpn
Date: Sat, 11 Apr 2026 13:45:27 +0200
Message-ID: <20260411114532.43348-2-adolf.belka@ipfire.org>
In-Reply-To: <20260411114532.43348-1-adolf.belka@ipfire.org>
References: <20260411114532.43348-1-adolf.belka@ipfire.org>

Signed-off-by: Adolf Belka
---
 config/rootfiles/core/202/filelists/openvpn | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 config/rootfiles/core/202/filelists/openvpn

diff --git a/config/rootfiles/core/202/filelists/openvpn b/config/rootfiles/core/202/filelists/openvpn new file mode 120000 index 000000000..493f3f7a4 --- /dev/null +++ b/config/rootfiles/core/202/filelists/openvpn 
@@ -0,0 +1 @@ +../../../common/openvpn \ No newline at end of file
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 3/7] core202: Ship ovpnmain.cgi
Date: Sat, 11 Apr 2026 13:45:28 +0200
Message-ID: <20260411114532.43348-3-adolf.belka@ipfire.org>
In-Reply-To: <20260411114532.43348-1-adolf.belka@ipfire.org>
References: <20260411114532.43348-1-adolf.belka@ipfire.org>

Signed-off-by: Adolf Belka
---
 config/rootfiles/core/202/filelists/files | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/rootfiles/core/202/filelists/files b/config/rootfiles/core/202/filelists/files index 6866afb14..d33860022 100644 --- a/config/rootfiles/core/202/filelists/files 
+++ b/config/rootfiles/core/202/filelists/files 
@@ -3,6 +3,7 @@ etc/rc.d/init.d/sysklogd etc/rc.d/init.d/unbound srv/web/ipfire/cgi-bin/dnsbl.cgi srv/web/ipfire/cgi-bin/ids.cgi +srv/web/ipfire/cgi-bin/ovpnmain.cgi srv/web/ipfire/cgi-bin/proxy.cgi srv/web/ipfire/cgi-bin/services.cgi srv/web/ipfire/cgi-bin/vpnmain.cgi
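
Review bot: the added srv/web/ipfire/cgi-bin/ovpnmain.cgi line keeps the list sorted, but the commit has no body and sits before the ovpnmain.cgi change in 4/7, so the reason for shipping the file is not visible here. Please add a line naming the change that requires it in core 202, or move this patch after the CGI patches so the series reads in dependency order.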
Apr 2026 11:45:36 +0000 (UTC) From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH 4/7] ovpnmain.cgi: Display only IP for Real Address in Connection Statistics Page Date: Sat, 11 Apr 2026 13:45:29 +0200 Message-ID: <20260411114532.43348-4-adolf.belka@ipfire.org> In-Reply-To: <20260411114532.43348-1-adolf.belka@ipfire.org> References: <20260411114532.43348-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 - In the Connection Statistics page under Real Address it was showing the IP:Port instead of just the IP. - The IP was being split out in $address but this variable was not then used to display the Real Address. - This patch fixes that so that only the IP is shown for the Real Address. 
Signed-off-by: Adolf Belka --- html/cgi-bin/ovpnmain.cgi | 1 + 1 file changed, 1 insertion(+) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index b435d9e1b..b0d950cbb 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi 
@@ -3192,6 +3192,7 @@ END $users[$uid]{'Since'} = $match[5]; my $address = (split ':', $users[$uid]{'RealAddress'})[0]; + $users[$uid]{'RealAddress'} = $address; $users[$uid]{'Country'} = &Location::Functions::lookup_country_code($address); $uid++; From patchwork Sat Apr 11 11:45:30 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 9687 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4ftBgp6NmZz3x6k for ; Sat, 11 Apr 2026 11:45:42 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E7" (not verified)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ftBgn2n7Nz7GT for ; Sat, 11 Apr 2026 11:45:41 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ftBgl34smz34S5 for ; Sat, 11 Apr 2026 11:45:39 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ftBgh5vrYz33Lc for ; Sat, 11 Apr 2026 11:45:36 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4ftBgh4hxmz752; Sat, 11 Apr 2026 11:45:36 
+0000 (UTC) From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH 5/7] ovpnmain.cgi: Change status extraction for RW connection statistics page Date: Sat, 11 Apr 2026 13:45:30 +0200 Message-ID: <20260411114532.43348-5-adolf.belka@ipfire.org> In-Reply-To: <20260411114532.43348-1-adolf.belka@ipfire.org> References: <20260411114532.43348-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 - The format of the status file has changed in 2.7.0 - This patch changes the regex to extract required status to maintain the same status output Signed-off-by: Adolf Belka --- html/cgi-bin/ovpnmain.cgi | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index b0d950cbb..def043d9b 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -3178,8 +3178,8 @@ END @match = split(/^Updated,(.+)/, $line); $status = $match[1]; - } elsif ( $line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { - @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); + } elsif ( $line =~ /^(.+),(.+\:\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { + @match = split(m/^(.+),(.+\:\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); # Skip the header next if ($match[1] eq "Common Name"); 
@@ -3196,8 +3196,8 @@ END $users[$uid]{'Country'} = &Location::Functions::lookup_country_code($address); $uid++; - } elsif ($line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) { - @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line); + } elsif ($line =~ /^(\d+\.\d+\.\d+\.\d+),(.+),(.+\:\d+\.\d+\.\d+\.\d+\:\d+),(.+)/) { + @match = split(m/^(\d+\.\d+\.\d+\.\d+),(.+),(.+\:\d+\.\d+\.\d+\.\d+\:\d+),(.+)/, $line); # Skip the header next if ($match[1] eq "Virtual Address"); From patchwork Sat Apr 11 11:45:31 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 9689 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4ftBgq0tW5z3x95 for ; Sat, 11 Apr 2026 11:45:43 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E7" (not verified)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ftBgn4DXGz7Dd for ; Sat, 11 Apr 2026 11:45:41 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ftBgl47qDz34Ct for ; Sat, 11 Apr 2026 11:45:39 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [IPv6:2001:678:b28::25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ftBgj0Nhjz33pl for ; Sat, 11 Apr 2026 11:45:37 +0000 (UTC) Received: from [127.0.0.1] (localhost 
[127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4ftBgh5pjxz5j5; Sat, 11 Apr 2026 11:45:36 +0000 (UTC) 
From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH 6/7] ovpnmain.cgi: remove persist-key as this is now default Date: Sat, 11 Apr 2026 13:45:31 +0200 Message-ID: <20260411114532.43348-6-adolf.belka@ipfire.org> In-Reply-To: <20260411114532.43348-1-adolf.belka@ipfire.org> References: <20260411114532.43348-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 - The persist-key option has been enabled by default. All the keys will be kept in memory across restart. Signed-off-by: Adolf Belka --- html/cgi-bin/ovpnmain.cgi | 4 ---- 1 file changed, 4 deletions(-) diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index def043d9b..3fb356acd 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -400,7 +400,6 @@ sub writeserverconf { print CONF "reneg-sec 86400\n"; print CONF "user nobody\n"; print CONF "group nobody\n"; - print CONF "persist-key\n"; print CONF "persist-tun\n"; print CONF "verb 3\n"; @@ -1247,7 +1246,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print SERVERCONF "user nobody\n"; print SERVERCONF "group nobody\n"; print SERVERCONF "persist-tun\n"; - print SERVERCONF "persist-key\n"; print SERVERCONF "script-security 2\n"; print SERVERCONF "# IP/DNS for remote Server Gateway\n"; @@ -1346,7 +1344,6 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General print CLIENTCONF "user nobody\n"; print CLIENTCONF "group nobody\n"; print CLIENTCONF "persist-tun\n"; - print CLIENTCONF "persist-key\n"; print CLIENTCONF "script-security 2\n"; print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; print CLIENTCONF "remote $cgiparams{'REMOTE'}\n"; 
@@ -2331,7 +2328,6 @@ END print CLIENTCONF "user nobody\n"; print CLIENTCONF "group nobody\n"; print CLIENTCONF "persist-tun\n"; - print CLIENTCONF "persist-key\n"; print CLIENTCONF "script-security 2\n"; print CLIENTCONF "# IP/DNS for remote Server Gateway\n"; print CLIENTCONF "remote $vpnsettings{'VPN_IP'}\n"; From patchwork Sat Apr 11 11:45:32 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 9690 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4ftBgw30Myz3wbG for ; Sat, 11 Apr 2026 11:45:48 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E7" (not verified)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ftBgs4LsHz7Jl for ; Sat, 11 Apr 2026 11:45:45 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ftBgr4d9Vz33gK for ; Sat, 11 Apr 2026 11:45:44 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R12" (not verified)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ftBgj1mWGz33ty for ; Sat, 11 Apr 2026 11:45:37 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with 
ESMTPSA id 4ftBgj0KBqz752; Sat, 11 Apr 2026 11:45:36 +0000 (UTC) From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH 7/7] ovpnmain.cgi: Update status extraction for Connection Status Date: Sat, 11 Apr 2026 13:45:32 +0200 Message-ID: <20260411114532.43348-7-adolf.belka@ipfire.org> In-Reply-To: <20260411114532.43348-1-adolf.belka@ipfire.org> References: <20260411114532.43348-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 - The format of the connection status has changed and this change ensures that the status is correctly shown in the Connection Status and Control table Signed-off-by: Adolf Belka --- html/cgi-bin/ovpnmain.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index 3fb356acd..ab91eec57 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -5314,8 +5314,8 @@ END foreach my $line (@status) { chomp($line); - if ($line =~ /^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { - my @match = split(m/^(.+),(\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); + if ($line =~ /^(.+),(.+\:\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/) { + my @match = split(m/^(.+),(.+\:\d+\.\d+\.\d+\.\d+\:\d+),(\d+),(\d+),(.+)/, $line); if ($match[1] ne "Common Name") { $cn = $match[1];
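Review bot: In [PATCH 4/7], hunk @@ -3192, the value written back to $users[$uid]{'RealAddress'} is element [0] of `split ':'`, which is the IP only as long as the field starts with the IP. [PATCH 5/7] changes the pattern that accepts this field to `(.+\:\d+\.\d+\.\d+\.\d+\:\d+)`, so if RealAddress is filled from that capture, element [0] becomes the text before the first colon, and both the displayed Real Address and the argument passed to lookup_country_code() are that prefix instead of the IP. Suggest extracting the IP by pattern, for example `my ($address) = $users[$uid]{'RealAddress'} =~ /(\d+\.\d+\.\d+\.\d+)\:\d+$/;`, and skipping the assignment and the country lookup when nothing matches.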
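Review bot: In [PATCH 5/7], hunk @@ -3178, the new prefix `.+\:` in the second capture is both mandatory and unbounded: a client-list line in the previous format (address with no prefix) no longer matches and is dropped without any message, and `.+` can run across commas into neighbouring fields. Suggest restricting the prefix to one token, `[^,:]+\:`, and writing it as `(?:[^,:]+\:)?` if lines without the prefix should still be accepted. A comment above the pattern showing one sample line of the 2.7.0 format would let the next reader check the expression against it.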
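Review bot: In [PATCH 5/7], hunk @@ -3196, the same expression has to be edited twice per branch, once in the `$line =~ /.../` test and once in `split(m/.../, $line)`, and [PATCH 7/7] edits a further pair at @@ -5314. A later format change that updates only one copy makes the test pass while the split yields different fields. Suggest defining each pattern once with `qr//` and taking the fields from the match itself, for example `if (my @f = $line =~ $routing_re) { ... }`, which also removes the empty leading element that forces the `$match[1]`-based indexing.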
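Review bot: In [PATCH 6/7], the hunks at @@ -1346 and @@ -2331 remove `persist-key` from CLIENTCONF output that still writes `user nobody` and `group nobody`. Those files are run by whatever OpenVPN version the remote side has installed, and the commit message does not say from which version persist-key is the default. On a peer older than that, a restart after the privilege drop re-reads the key file as nobody. Suggest naming the minimum peer version in the commit message, or limiting the removal to the local server configuration written by writeserverconf (hunk @@ -400) until the peers are known to be updated.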
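Review bot: In [PATCH 7/7], hunk @@ -5314, the address part of the pattern is still `\d+\.\d+\.\d+\.\d+\:\d+`, so a status line whose real address is not dotted IPv4 never enters this branch and $cn is never set from it. If the new prefix can also precede an IPv6 address, the address alternative needs widening here and in the two patterns touched by [PATCH 5/7]. If IPv4 is the only supported transport, a short comment saying so next to the expression would make the restriction deliberate.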