fix text
nuke trailing carriage returns
Do not spam filter reload at boot.
Add suggested fix from ticket #1037
Ticket #1037. Move environment manipulation to the authentication script since escaping slashes is not so easy on dynamic built paths.
Ticket #1037. Add suggestion in the ticket for using the CA supplied to openvpn for authenticating to SSL LDAP.
Reorder some code and combine the nobind test with the lport code to ensure only the needed options are used in any given combination.
When the local port is left blank on an OpenVPN client, use 'lport 0' to direct the client to use a random source port. Fixes #1025
The way this option is currently defined, the configuration variable is always set; for this case, isset is not the correct condition. Reported at http://forum.pfsense.org/index.php/topic,30153.0.html
Remove trailing carriage return
Refresh OpenVPN CRL files when a CRL has a cert added/removed. Ticket #555
Add backend code to verify username against cn on login if set by user. Needs GUI code to set the option yet. Ticket #887
Allow selecting an OpenVPN Server CRL if we are in an SSL mode.
Send a log entry when openvpn resync is called.
Since the OpenVPN management is done via unix socket and not tcp, we no longer need to require the local_port be set in order to activate the daemon.
Use the new events mechanisms to dispatch events.
Ticket #826. Add more bandage to notice when a reading on socket timeouts.
Ticket #826. Convert to unix domain sockets for management interface so we do not have problems when interface is any.
Ticket #826. Add timeout of 1 second for all read/write actions performed on the socket. This should fix point 1) on the ticket.
Print a notice that OpenVPN status information is not available for shared key servers.
End processing when we receive an ERROR line. Part of ticket #826
Add OpenVPN none/null cipher.
Reorg this test a little, and make sure we only add client-to-client for remote access types.
Various fixes to usage of ip2long, long2ip, and negated subnet masks, mostly affecting 64-bit. Ticket #459
Revert "Allow the user to override OpenVPN interface name in custom options (e.g. dev tap99 or dev tun99) and set related options appropriately. ticket #482 Item 2a/2b." - Revert for now, may cause more issues than it fixes.
This reverts commit be58c36ded298a1cb7a0eac40cd2edd62908d882.
Allow the user to override OpenVPN interface name in custom options (e.g. dev tap99 or dev tun99) and set related options appropriately. ticket #482 Item 2a/2b.
Add specific scripts for when ovpn goes up and down so we get necessary values for use in various areas of pfSense. TODO is find out how to get DNS info from openvpn.
Add client-to-client to OpenVPN server config if the option is checked. Resolves #572.
Use nobind for OVPN client when no local port and/or no local interface is requested. Ticket #282
Fix typo in comment
Move these functions to a more central location. Part of ticket #496
Ticket #474. Properly check for disabled openvpn configs.
Ticket #449. Teach OpenVPN to reload only tunnels for the specified interface. Use this in rc.newwanip script to reload only these tunnels.
Fix local and nobind for client settings
Ticket #413. Handle cases when no authentication is specified.
Ignore chmod errors for files that do not exist.
Add tls-auth to server even when authenticating in user/pass mode.
Do not include tls-auth on authentication based only on user/pass.
Allow openvpn server to authenticate only based on username/password credentials.
Allow the GUI auth API to be used for doing authentication against authentication servers specified. Teach Openvpn to use this API. Allow openvpn to authenticate against multiple servers that can be selected on the server configuration page.
Allow the authentication scripts to detect configuration changes. Allow multiple OUs to be specified on basedn.
Use 0 when configuring tls-auth in server.
Correct script used for OpenVPN authentication to actually work.
Include missing quotes.
Add support for authenticating users against server specified in the system->user manager->servers for openvpn. While there properly fill the shared secret field for radius in the servers page.
Add proxy authentication capabilities to OpenVPN client.
Add statistics for OpenVPN client instances
Feature #248. Ticket #248. Merge patch from Antonio No to add tap device type to OpenVPN.
fix openvpn user auth. thanks to thompsa@ for finding fix
Apparently OpenVPN 2.1 requires setting "script-security 2" to run given the other options we currently employ.
Use get_interface_ip instead of a manual shell_exec(ifconfig). Ticket #69
Add IP alias and 'any' support to OpenVPN. Feedback #69
Add carp support for OpenVPN. Ticket #69
Add pfSense_BUILDER_BINARIES: and pfSense_MODULE: additions
Include certs.inc is needed by lookup_certs.
Remove filter_configure from openvpn.inc it just ends up in recursive calls.
Properly fix openvpn parameter parsing.
Fix correction of openvpn parameters.
Modify the OpenVPN server configuration to allow the DH parameter length to be specified. Upgraded 1.2.x configurations will default to 1024 bits.
Comment out the code that creates a dh-parameters file at boot time and add three new static parameters files to the /etc directory. In the near term OpenVPN configurations will use the 2048 bit file.
Correct a bug where we attempt to kill an OpenVPN process even though its pid file does not exist.
Revert the dh parameters generation back to 1024 bits. There were several complaints that 2048 bit parameters took too long to generate.
Log why we're writing a new config out
When restarting an OpenVPN process, don't send a term signal and expect it to exit within a fixed time frame of two seconds. The old process may take longer to exit and cause the new process creation to fail. Instead, check the process status every 1/4 seconds and only continue once it terminates.
Minor re-work of OpenVPN configuration. Use operational modes to determine what configuration options are appropriate. The operational mode dictates the authentication method. They are defined as follows ...
Peer to Peer ( SSL/TLS )
Peer to Peer ( Shared Key )...
Correct the path for OpenVPN client specific configuration files. When the directory creation moved to the rc script, the path name was changed from /var/etc/openvpn_csc to /var/etc/openvpn-csc. Update the code to match.
Revert to the previous method of referencing OpenVPN device names in the filter.inc file. We now specify the openvpn device name which is actually an os managed group. OpenVPN tap instances are added or removed from this group when OpenVPN configurations are created or destroyed. Portions of...
Bump the system dh-parameters file to 2048 per request on dev@.
Correct problems with OpenVPN that prevented the lzo compression and passtos options from being set correctly in configuration files.
Now that we are delaying the creation of OpenVPN dh parameters, it appears we need an explicit call to write_config() to ensure the data is saved.
Delay writing out the dh-parameters file if the paths have not yet been initialized by the rc scripts. I hope this will make the initial boot process more pleasant during install. If not, I will revert this commit.
Don't create the standard OpenVPN paths in openvpn_resync_all(). These are now created during the bootup process.
Ensure $g is populated by reading in globals.inc
Store the OpenVPN system DH parameters contents in the config.xml file so it is not generated each time on embedded systems. Problem reported by Scott.
Replace the old openvpn status page with a new implementation. We now add a tcp management port option to each OpenVPN server. Instead of rooting through the OpenVPN logs once a minute for status updates, we now submit a request to the management port to obtain information. We probably need to...
Correct some problems with the filter code where we were calling foreach on data that wasn't necessarily a valid array.
Modify the OpenVPN code to stop passing the array index around and then immediately obtaining a reference to the array entry. We already have a...
Set some important default values for the new OpenVPN interface screens. Add functions and interface code to handle local port conflict detection and resolution.
Dump the per-configuration dh parameters data. It makes no sense to keep this information in the configuration as it's not specific to the server. It only contains the parameters ( a safe large prime number ) that is used during a DH key exchange. Instead, we now use a system wide dh file...
Rework most of the OpenVPN support. The interfaces have been updated to not use the pkg system and the configuration has been migrated to an openvpn prefix. The centralized user and certificate manager is now used to support the openvpn configurations. Most of the files removed in this...
This check is needed to prevent php oddities with arrays and strange behaviour of count and empty! As commit fixes errors with not configured openvpn.
Try to do better sanity checks.
Correctly name clients and server interfaces otherwise we have clashes.
Reformat file.
Pass mode
Just handle server instances for now.
Escape \$2
Shutdown deleted process
Move assignment
Define interface correctly
Use unique name
move variable assignment more near to the code it is used in
Use array name for .crt|.key
Set keysize correctly
Use $int$port$proto for unique server name
Check for descr
Add missing #!
Add a shell interpreter
Make multi-user friendly and lock config.xml during cert creation.
Make script executable.