Fix order of client/server IPs and add a note, and clarify variable names. Fixes #2004.
Assume a default value of 1 for cert_depth to disallow chaining.
Add GUI option to limit the certificate depth allowed when OpenVPN clients are connecting.
Fixup OpenVPN status a bit to properly handle SSL servers using a /30 (no server directive) and also be a little more verbose about what is happening, if we can tell.
Revert "Make initial changes to allow pfSense to work in a jail."
This reverts commit a26d95383a6146734f67c9db21cd83534052843a.
Make initial changes to allow pfSense to work in a jail.
This mostly avoids starting things that will not work and gets the initial config. Most of the pfSense functionality will not work (pf rules, routing, etc) but it can be used for testing.
Rework OpenVPN status, show status for shared key servers.
Resolves #1719. Prevent disabled client/servers from being displayed on the widget.
Only apply remote_network setting for p2p modes, since it is not valid for remote access modes. Fixes #1707
CRL fixes for empty CRLs (so they don't kill OpenVPN)
Don't check OpenVPN ports in use against disabled clients or servers
No need to use nohup when using mwexec_bg since it calls nohup itself. Also use fullpath to executables.
When making a P2P SSL/TLS OpenVPN server, if the given CIDR for the tunnel network is a /30, don't use the OpenVPN server directive. See ticket #1417
Various CRL fixes, handle empty internal CRLs better.
Confirmed working fix for ticket #1417 - with this change I have two-way connectivity on Site-to-Site (SSL/TLS) with iroutes.
Backing out changes from ticket #1417, it was not a valid openvpn config that the user was trying to make.
Slightly different fix for #1417 that doesn't mess up other parameters needed by p2p_tls
Putting client-config-dir in the config is valid also for p2p_tls servers. Fixes #1417.
Switch back to dev_mode so existing configs aren't broken by the other changes.
Added option to select the type of device for use in the tunnel openvpn
fix NTP server IPs in openvpn config
Don't pass these by reference. Might be related to ticket #1231
Add drop-down to select OpenVPN hardware crypto (finds usable devices from "openssl engine" list) for clients and servers.
Add a checkbox for duplicate-cn on OpenVPN servers.
Ticket #1198. Fix code when checking client or server
fix text
nuke trailing carriage returns
Do not spam filter reload at boot.
Add suggested fix from ticket #1037
Ticket #1037. Move environment manipulation to the authentication script since escaping slashes is not so easy on dynamically built paths.
Ticket #1037. Add suggestion in the ticket for using the CA supplied to openvpn for authenticating to SSL LDAP.
Reorder some code and combine the nobind test with the lport code to ensure only the needed options are used in any given combination.
When the local port is left blank on an OpenVPN client, use 'lport 0' to direct the client to use a random source port. Fixes #1025
The way this option is currently defined, the configuration variable is always set; for this case, isset is not the correct condition. Reported at http://forum.pfsense.org/index.php/topic,30153.0.html
Remove trailing carriage return
Refresh OpenVPN CRL files when a CRL has a cert added/removed. Ticket #555
Add backend code to verify username against cn on login if set by user. Needs GUI code to set the option yet. Ticket #887
Allow selecting an OpenVPN Server CRL if we are in an SSL mode.
Send a log entry when openvpn resync is called.
Since the OpenVPN management is done via unix socket and not tcp, we no longer need to require the local_port be set in order to activate the daemon.
Use the new events mechanisms to dispatch events.
Ticket #826. Add more bandaging to notice when a read on the socket times out.
Ticket #826. Convert to unix domain sockets for management interface so we do not have problems when interface is any.
Ticket #826. Add timeout of 1 second for all read/write actions performed on the socket. This should fix point 1) on the ticket.
Print a notice that OpenVPN status information is not available for shared key servers.
End processing when we receive an ERROR line. Part of ticket #826
Add OpenVPN none/null cipher.
Reorg this test a little, and make sure we only add client-to-client for remote access types.
Various fixes to usage of ip2long, long2ip, and negated subnet masks, mostly affecting 64-bit. Ticket #459
Revert "Allow the user to override OpenVPN interface name in custom options (e.g. dev tap99 or dev tun99) and set related options appropriately. ticket #482 Item 2a/2b." - Revert for now, may cause more issues than it fixes.
This reverts commit be58c36ded298a1cb7a0eac40cd2edd62908d882.
Allow the user to override OpenVPN interface name in custom options (e.g. dev tap99 or dev tun99) and set related options appropriately. ticket #482 Item 2a/2b.
Add specific scripts for when ovpn goes up and down so we get necessary values for use in various areas of pfSense. TODO is find out how to get DNS info from openvpn.
Add client-to-client to OpenVPN server config if the option is checked. Resolves #572.
Use nobind for OVPN client when no local port and/or no local interface is requested. Ticket #282
Fix typo in comment
Move these functions to a more central location. Part of ticket #496
Ticket #474. Properly check for disabled openvpn configs.
Ticket #449. Teach OpenVPN to reload only tunnels for the specified interface. Use this in the rc.newwanip script to reload only these tunnels.
Fix local and nobind for client settings
Ticket #413. Handle cases when no authentication is specified.
Ignore chmod errors for files that do not exist.
Add tls-auth to server even when authenticating in user/pass mode.
Do not include tls-auth on authentication based only on user/pass.
Allow openvpn server to authenticate only based on username/password credentials.
Allow the GUI auth API to be used for doing authentication against authentication servers specified. Teach Openvpn to use this API. Allow openvpn to authenticate against multiple servers that can be selected on the server configuration page.
Allow the authentication scripts to detect configuration changes. Allow multiple OUs to be specified on basedn.
Use 0 when configuring tls-auth in server.
Correct script used for OpenVPN authentication to actually work.
Include missing quotes.
Add support for authenticating users against servers specified in the system->user manager->servers for openvpn. While there, properly fill the shared secret field for radius in the servers page.
Add proxy authentication capabilities to OpenVPN client.
Add statistics for OpenVPN client instances
Feature #248. Ticket #248. Merge patch from Antonio No to add tap device type to OpenVPN.
fix openvpn user auth. thanks to thompsa@ for finding fix
Apparently OpenVPN 2.1 requires setting "script-security 2" to run given the other options we currently employ.
Use get_interface_ip instead of a manual shell_exec(ifconfig). Ticket #69
Add IP alias and 'any' support to OpenVPN. Feedback #69
Add carp support for OpenVPN. Ticket #69
Add pfSense_BUILDER_BINARIES: and pfSense_MODULE: additions
Include certs.inc; it is needed by lookup_certs.
Remove filter_configure from openvpn.inc; it just ends up in recursive calls.
Properly fix openvpn parameter parsing.
Fix correction of openvpn parameters.
Modify the OpenVPN server configuration to allow the DH parameter length to be specified. Upgraded 1.2.x configurations will default to 1024 bits.
Comment out the code that creates a dh-parameters file at boot time and add three new static parameters files to the /etc directory. In the near term OpenVPN configurations will use the 2048 bit file.
Correct a bug where we attempt to kill an OpenVPN process even though its pid file does not exist.
Revert the dh parameters generation back to 1024 bits. There were several complaints that 2048 bit parameters took too long to generate.
Log why we're writing a new config out
When restarting an OpenVPN process, don't send a term signal and expect it to exit within a fixed time frame of two seconds. The old process may take longer to exit and cause the new process creation to fail. Instead, check the process status every 1/4 second and only continue once it terminates.
Minor re-work of OpenVPN configuration. Use operational modes to determine what configuration options are appropriate. The operational mode dictates the authentication method. They are defined as follows ...
Peer to Peer ( SSL/TLS ), Peer to Peer ( Shared Key ) ...
Correct the path for OpenVPN client specific configuration files. When the directory creation moved to the rc script, the path name was changed from /var/etc/openvpn_csc to /var/etc/openvpn-csc. Update the code to match.
Revert to the previous method of referencing OpenVPN device names in the filter.inc file. We now specify the openvpn device name which is actually an os managed group. OpenVPN tap instances are added or removed from this group when OpenVPN configurations are created or destroyed. Portions of...
Bump the system dh-parameters file to 2048 per request on dev@.
Correct problems with OpenVPN that prevented the lzo compression and passtos options from being set correctly in configuration files.
Now that we are delaying the creation of OpenVPN dh parameters, it appears we need an explicit call to write_config() to ensure the data is saved.
Delay writing out the dh-parameters file if the paths have not yet been initialized by the rc scripts. I hope this will make the initial boot process more pleasant during install. If not, I will revert this commit.
Don't create the standard OpenVPN paths in openvpn_resync_all(). These are now created during the bootup process.
Ensure $g is populated by reading in globals.inc
Store the OpenVPN system DH parameters contents in the config.xml file so it is not generated each time on embedded systems. Problem reported by Scott.
Replace the old openvpn status page with a new implementation. We now add a tcp management port option to each OpenVPN server. Instead of rooting through the OpenVPN logs once a minute for status updates, we now submit a request to the management port to obtain information. We probably need to...