Permit openvpn to use same port on different interfaces. It should fix #814
is_subnet() will fail here if using comma-separated lists of networks. Use openvpn_validate_cidr() instead.
Display a list of ciphers accelerated by a specific engine. Also, skip engines that are listed but unavailable for direct use.
Fixup paths when executing OpenSSL.
Allow specifying multiple local/remote networks for OpenVPN separated by commas. While I'm here, fix up the IPv6 tunnel/remote/local network input validation. Simplify some code using functions.
Add GUI option to use "topology subnet" for OpenVPN, since the OpenVPN Connect iOS client requires it for IPv6
Add routing table display for each OpenVPN ssl/tls server instance, collapsed by default. Part of feature #2766
Needs more thought - might route something an unintended path. Perhaps a checkbox. Revert "Exclude the VPN peer from routes so as to not break connectivity to the actual VPN peer if a route includes its IP."
This reverts commit 5d8e8c9d25b55c6d3260e69fcf4620f76488d173.
Update etc/inc/openvpn.inc
Mute error when interface does not exist, e.g. after reboot.
Exclude the VPN peer from routes so as to not break connectivity to the actual VPN peer if a route includes its IP.
Use functions to reduce code duplication; Add function to clear route to the interface IP before starting openvpn, otherwise the process cannot start. Ticket #2712
Activate choices for UDP6 and TCP6 for OpenVPN. Make sure interface IP selection chooses the proper IP and sets the proper protocol string. May need some GUI input validation to prevent someone from selecting a *6 proto with an IPv4 VIP and vice versa.
Use the IPv6 tunnel network for peer to peer OpenVPN modes.
Wrap dir creation for openvpn in a function to reduce duplication, and use the function before places that could potentially write in the dir.
Create directory if it does not exists
Presence of a directory does not mean anthing. Just continue up. Pointy-hat: myself
Unbreak the openvpn reading of configs. A dir needs to be executable to be searchable and readble inside. Reported-by: http://forum.pfsense.org/index.php/topic,55934.0/topicseen.html
Create necessary dir and unset conf string after writing to file
Merge pull request #244 from bcyrill/ovpn-alias
Fix: Use specified IP if available
Remove unused/unuseful tags anymore
Allow for changing OpenVPN TUN to TAP device mode without reboot.
Revert "Allow for changing OpenVPN TUN to TAP device mode without reboot." -- Adds blank OpenVPN servers, see ticket #2643
This reverts commit c8bb7f1527a99c69784ab6c01d9050adcde6a8a0.
Add forgotten "ipv6 remote network", clean up a couple bits, make sure local network box is hidden for shared key servers.
OpenVPN servers can start on carp vips, just not clients.
If we only have a IPv6 interface we'll use that, otherwise a IPv4 address always has preference. Revisit this for OpenVPN 2.3
Check in code that allows for using a gateway group as the interface on the OpenVPN server page. Only allow IPv4 gateway groups for now. We'll need to add IPv6 suppport here later when we import OpenVPN 2.3.Unbreak the gateway group function on broken configurations like a missing 3G stick....
Only add openvpn acl script lines if it's a server mode that does user auth
Import OpenVPN cisco style radius attributes applying policy to logged in users. Feature #2100
Whoops, don't flip these since I negated the test.
Flip this test around since it's safer to assume the dev mode is tun. Ticket #2432
Unbreak openvpn
Make vips vhid be unique per parent interface!
Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this start/stop.If an OpenVPN client is active on both the master and backup system, they will cause conflicting connections to the server. Servers do not care as they only accept, not initiate.
Fix this ifconfig-push to also account for tap.
If there is a tunnel network in tap mode, the second parameter is a subnet mask, not the other IP.
username-as-common-name is not compatible with server-bridge, so don't put it in the config if server-bridge is active. Testing is needed to determine if there is any other negative impact, but with both present, openvpn will not start.
Fix order of client/server IPs and add a note, and clarify variable names. Fixes #2004.
Rework this a little since using tap+tunnel network is valid, but using tap+tunnel network+bridging is not (will not do what the user expects/wants)
Fix up OpenVPN server tap modes, support various options for providing or passing through DHCP. (Work in progress)
Assume a default value of 1 for cert_depth to disallow chaining.
Add GUI option to limit the certificate depth allowed when OpenVPN clients are connecting.
Fixup OpenVPN status a bit to properly handle SSL servers using a /30 (no server directive) and also be a little more verbose about what is happening, if we can tell.
Make initial changes to allow pfSense to work in a jail.
This mostly avoids starting things that will not work and gets theinitial config. Most of the pfSense functionality will not work(pf rules, routing, etc) but it can be used for testing.
Rework OpenVPN status, show status for shared key servers.
Resolves #1719. Prevent disabled client/servers from being displayed on the widget.
Only apply remote_network setting for p2p modes, since it is not valid for remote access modes. Fixes #1707
CRL fixes for empty CRLs (so they don't kill OpenVPN)
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote-tracking branch 'mainline/master' into inc
Conflicts: etc/inc/priv.defs.inc
Don't check OpenVPN ports in use against disabled clients or servers
No need to use nohup when using mwexec_bg since it calls nohup itself. Also use fullpath to executables.
Conflicts: etc/inc/voucher.inc usr/local/www/fbegin.inc
Merge remote branch 'upstream/master'
Conflicts: etc/inc/openvpn.inc
When making a P2P SSL/TLS OpenVPN server, if the given CIDR for the tunnel network is a /30, don't use the OpenVPN server directive. See ticket #1417
Conflicts: etc/inc/interfaces.inc etc/inc/upgrade_config.inc etc/inc/vpn.inc
Conflicts: etc/inc/vslb.inc etc/version
Various CRL fixes, handle empty internal CRLs better.
Conflicts: etc/inc/pfsense-utils.inc
Push the ipv6 routes for the local network with push route-ipv6
Add the ipv6 configuration options for routing ipv6 over the tunnel. Currently only a /64 is supported for the routed network, so use a /64 and then route the /56
Confirmed working fix for ticket #1417 - with this change I have two-way connectivity on Site-to-Site (SSL/TLS) with iroutes.
Backing out changes from ticket #1417, it was not a valid openvpn config that the user was trying to make.
Slightly different fix for #1417 that doesn't mess up other parameters needed by p2p_tls
Conflicts: etc/inc/gwlb.inc
Putting client-config-dir in the config is valid also for p2p_tls servers. Fixes #1417.
Conflicts: etc/inc/shaper.inc
Switch back to dev_mode so existing configs aren't broken by the other changes.
Conflicts: etc/inc/interfaces.inc etc/inc/priv.defs.inc etc/inc/shaper.inc etc/inc/system.inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc etc/inc/priv.defs.inc etc/inc/services.inc...
Added option to select the type of device for use in the tunnel openvpn
fix NTP server IPs in openvpn config
Merge branch 'master' into inc
Conflicts: etc/inc/captiveportal.inc etc/inc/config.console.inc etc/inc/config.lib.inc etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/ipsec.inc etc/inc/pkg-utils.inc etc/inc/shaper.inc...
Don't pass these by reference. Might be related to ticket #1231
Add drop-down to select OpenVPN hardware crypto (finds usable devices from "openssl engine" list) for clients and servers.
Add a checkbox for duplicate-cn on OpenVPN servers.
Ticket #1198. Fix code when checking client or server
fix text
nuke trailing carriage returns
Merge remote branch 'mainline/master' into inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/gwlb.inc etc/inc/interfaces.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc...
Do not spam filter reload at boot.
Add suggested fix from ticket #1037
Ticket #1037. Move environment manipulation to the authentication script since escaping slashes is not so easz on dynamic built paths.
Ticket #1037. Add suggestion in the ticket for using the CA supplied to openvpn for authenticating to SSL LDAP.
Reorder some code and combine the nobind test with the lport code to ensure only the needed options are used in any given combination.
When the local port is left blank on an OpenVPN client, use 'lport 0' to direct the client to use a random source port. Fixes #1025
The way this option is currently defined, the configuration variable is always set; for this case, isset is not the correct condition. Reported at http://forum.pfsense.org/index.php/topic,30153.0.html
Remove trailing carriage return
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/priv.defs.inc etc/inc/system.inc etc/inc/upgrade_config.inc etc/inc/vpn.inc
Refresh OpenVPN CRL files when a CRL has a cert added/removed. Ticket #555
Add backend code to verify username against cn on login if set by user. Needs GUI code to set the option yet. Ticket #887
Allow selecting an OpenVPN Server CRL if we are in an SSL mode.
Conflicts: etc/inc/filter.inc