CRL fixes for empty CRLs (so they don't kill OpenVPN)
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote-tracking branch 'mainline/master' into inc
Conflicts: etc/inc/priv.defs.inc
Don't check OpenVPN ports in use against disabled clients or servers
No need to use nohup when using mwexec_bg since it calls nohup itself. Also use fullpath to executables.
Conflicts: etc/inc/voucher.inc usr/local/www/fbegin.inc
Merge remote branch 'upstream/master'
Conflicts: etc/inc/openvpn.inc
When making a P2P SSL/TLS OpenVPN server, if the given CIDR for the tunnel network is a /30, don't use the OpenVPN server directive. See ticket #1417
Conflicts: etc/inc/interfaces.inc etc/inc/upgrade_config.inc etc/inc/vpn.inc
Conflicts: etc/inc/vslb.inc etc/version
Various CRL fixes, handle empty internal CRLs better.
Conflicts: etc/inc/pfsense-utils.inc
Push the ipv6 routes for the local network with push route-ipv6
Add the ipv6 configuration options for routing ipv6 over the tunnel. Currently only a /64 is supported for the routed network, so use a /64 and then route the /56
Confirmed working fix for ticket #1417 - with this change I have two-way connectivity on Site-to-Site (SSL/TLS) with iroutes.
Backing out changes from ticket #1417, it was not a valid openvpn config that the user was trying to make.
Slightly different fix for #1417 that doesn't mess up other parameters needed by p2p_tls
Conflicts: etc/inc/gwlb.inc
Putting client-config-dir in the config is valid also for p2p_tls servers. Fixes #1417.
Conflicts: etc/inc/shaper.inc
Switch back to dev_mode so existing configs aren't broken by the other changes.
Conflicts: etc/inc/interfaces.inc etc/inc/priv.defs.inc etc/inc/shaper.inc etc/inc/system.inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc etc/inc/priv.defs.inc etc/inc/services.inc...
Added option to select the type of device for use in the tunnel openvpn
fix NTP server IPs in openvpn config
Merge branch 'master' into inc
Conflicts: etc/inc/captiveportal.inc etc/inc/config.console.inc etc/inc/config.lib.inc etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/ipsec.inc etc/inc/pkg-utils.inc etc/inc/shaper.inc...
Don't pass these by reference. Might be related to ticket #1231
Add drop-down to select OpenVPN hardware crypto (finds usable devices from "openssl engine" list) for clients and servers.
Add a checkbox for duplicate-cn on OpenVPN servers.
Ticket #1198. Fix code when checking client or server
fix text
nuke trailing carriage returns
Merge remote branch 'mainline/master' into inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/gwlb.inc etc/inc/interfaces.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc...
Do not spam filter reload at boot.
Add suggested fix from ticket #1037
Ticket #1037. Move environment manipulation to the authentication script since escaping slashes is not so easy on dynamic built paths.
Ticket #1037. Add suggestion in the ticket for using the CA supplied to openvpn for authenticating to SSL LDAP.
Reorder some code and combine the nobind test with the lport code to ensure only the needed options are used in any given combination.
When the local port is left blank on an OpenVPN client, use 'lport 0' to direct the client to use a random source port. Fixes #1025
The way this option is currently defined, the configuration variable is always set; for this case, isset is not the correct condition. Reported at http://forum.pfsense.org/index.php/topic,30153.0.html
Remove trailing carriage return
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/priv.defs.inc etc/inc/system.inc etc/inc/upgrade_config.inc etc/inc/vpn.inc
Refresh OpenVPN CRL files when a CRL has a cert added/removed. Ticket #555
Add backend code to verify username against cn on login if set by user. Needs GUI code to set the option yet. Ticket #887
Allow selecting an OpenVPN Server CRL if we are in an SSL mode.
Conflicts: etc/inc/filter.inc
Send a log entry when openvpn resync is called.
Conflicts: etc/inc/filter.inc etc/inc/gwlb.inc
Since the OpenVPN management is done via unix socket and not tcp, we no longer need to require the local_port be set in order to activate the daemon.
Conflicts: etc/inc/filter.inc etc/inc/pkg-utils.inc etc/inc/service-utils.inc etc/inc/system.inc etc/inc/vpn.inc
Use the new events mechanisms to dispatch events.
Conflicts: etc/inc/interfaces.inc
Ticket #826. Add more bandage to notice when a reading on socket timeouts.
Ticket #826. Convert to unix domain sockets for management interface so we do not have problems when interface is any.
Ticket #826. Add timeout of 1 second for all read/write actions performed on the socket. This should fix point 1) on the ticket.
Print a notice that OpenVPN status information is not available for shared key servers.
Implement gettext() calls on openvpn.inc
End processing when we receive an ERROR line. Part of ticket #826
Add OpenVPN none/null cipher.
Reorg this test a little, and make sure we only add client-to-client for remote access types.
Various fixes to usage of ip2long, long2ip, and negated subnet masks, mostly affecting 64-bit. Ticket #459
Revert "Allow the user to override OpenVPN interface name in custom options (e.g. dev tap99 or dev tun99) and set related options appropriately. ticket #482 Item 2a/2b." - Revert for now, may cause more issues than it fixes.
This reverts commit be58c36ded298a1cb7a0eac40cd2edd62908d882.
Allow the user to override OpenVPN interface name in custom options (e.g. dev tap99 or dev tun99) and set related options appropriately. ticket #482 Item 2a/2b.
Add specific scripts for when ovpn goes up and down so we get necessary values for use in various areas of pfSense. TODO is find out how to get DNS info from openvpn.
Add client-to-client to OpenVPN server config if the option is checked. Resolves #572.
Use nobind for OVPN client when no local port and/or no local interface is requested. Ticket #282
Fix typo in comment
Move these functions to a more central location. Part of ticket #496
Ticket #474. Properly check for disabled openvpn configs.
Ticket #449. Teach OpenVPN to reload only tunnels for the specified interface. Use this in rc.newwanip script to reload only these tunnels.
Fix local and nobind for client settings
Ticket #413. Handle cases when no authentication is specified.
Ignore chmod errors for files that do not exist.
Add tls-auth to server even when authenticating in user/pass mode.
Do not include tls-auth on authentication based only on user/pass.
Allow openvpn server to authenticate only based on username/password credentials.
Allow the GUI auth API to be used for doing authentication against authentication servers specified. Teach Openvpn to use this API. Allow openvpn to authenticate against multiple servers that can be selected on the server configuration page.
Allow the authentication scripts to detect configuration changes. Allow multiple OUs to be specified on basedn.
Use 0 when configuring tls-auth in server.
Correct script used for OpenVPN authentication to actually work.
Include missing quotes.
Add support for authenticating users against server specified in the system->user manager->servers for openvpn. While there properly fill the shared secret field for RADIUS in the servers page.
Add proxy authentication capabilities to OpenVPN client.
Add statistics for OpenVPN client instances
Feature #248. Ticket #248. Merge patch from Antonio No to add tap device type to OpenVPN.
fix openvpn user auth. thanks to thompsa@ for finding fix
Apparently OpenVPN 2.1 requires setting "script-security 2" to run given the other options we currently employ.
Use get_interface_ip instead of a manual shell_exec(ifconfig). Ticket #69
Add IP alias and 'any' support to OpenVPN. Feedback #69
Add carp support for OpenVPN. Ticket #69
Add pfSense_BUILDER_BINARIES: and pfSense_MODULE: additions
Include certs.inc is needed by lookup_certs.
Remove filter_configure from openvpn.inc it just ends up in recursive calls.
Properly fix openvpn parameter parsing.