Update copyright notices to 2019. Happy New Year
Disable OpenVPN compression for new instances by default. Fixes #8788
Also add warning text that cautions against enabling compression.
While here, also add missing "stub-v2" compression mode.
Merge pull request #3908 from pdemonaco/master
Make sure /var/etc/openvpn-csc directory is created
Remove RFC 7919 from DH group titles
Nothing is preventing the user from overwriting them, which would mean they're no longer the RFC groups.
Added new DH groups to valid groups list
Gateways, allow for configuring a gatewaygroup as the default gateway.
- Avoid changing routes by just visiting a webgui page.
- Avoid change some unneeded events when nothing changed.
Remove Whitespace
I'm aware this is a very large commit. Let me know if you'd rather have it broken down by file type (ie: PHP/shell scripts) so it would be easier to review.
-RJ
Bug 7905 - Auth Script & Openvpn Config
Replaces the current auth-user-pass-verify directive with the new plugincall in the config-file generation code.
Also modifies the new asynchronous script to use "echo -n". This probably isn't necessary but it doesn't hurt.
Merge pull request #3895 from PiBa-NL/20180106-openvpn-fix-subnet31
openvpn, clear route also for /31 for ptp interfaces
Add an option to push a gateway address to bridged tap clients. Implements #8267
openvpn, fix the ifconfig ip1 ip2 when subnet /31 is used
Update the Copyright notice for pfSense.
Merge pull request #3183 from znerol/feature/master/register-openvpn-cn
Merge pull request #3819 from PiBa-NL/20170910-show-interface-openvpn
Add a separate checkbox for OpenVPN servers to redirect an IPv6 gateway now that OpenVPN has a native flag for it. Implements #8082
While here, since local network boxes are hidden when redirect gateway is enabled, do not use the values in those boxes when crafting the configuration. That way the GUI configuration is consistent with the backend.
Change OpenVPN to retry client auth when it fails by default, rather than making the process exit which confuses users. Fixes #7506
openvpn, show interface configured for openvpn server/client on the overview
Correct typo. Fixes #7802
Fix OpenVPN Auth Digest Algorithm selection so it does not use duplicate/alias names in the list, and fix existing entries on upgrade so they use the actual digest name and not an alias.
The logic for resolv-retry infinite was always setting it in client mode no matter what the GUI option wanted. Remove the GUI option and clean up the logic so it isn't duplicated. Fixes #7572
Fix OpenVPN server port validation to disallow "0". 0 is still OK for client port, which is the same meaning as blank/empty. Fixes #7565
Validate domain parameter for the learn-address script
Use is_numeric() to make sure $prefix is not 0
Merge pull request #3604 from enukane/fix/openvpn-ipv6-remote-netmask-0-treated-as-128
Only add learn_address script in tun-mode
Register CN of OpenVPN clients in DNS Resolver
Add OpenVPN GUI Option for "sndbuf" and "rcvbuf", using the same value for both. Fixes #7507
Add OpenVPN GUI option for "fast-io" to clients and servers. Ticket #7507
Only compatible with UDP modes, and also not compatible with "shaper".
Fix parsing "::/0" as "::/128" on OpenVPN IPv6 Tunnel Remote network
Always force compress when calling Net_IPv6
Fix #7136 Start OpenVPN on ordinary VIP
Fix #6603: Wait while interface is in 'tentative' state before try to bind OpenVPN to its address
Remove extra parenthesis and blank line
Simplify logic
Also check IPv6 when determining if we should use nobind or lport.
Merge pull request #3361 from PiBa-NL/openvpn_waitforpid_20170107
openvpn, check for valid pid using isvalidpid()
openvpn, make sure config is written and not overwritten while starting openvpn, and wait for pid of child process to be written before exiting function
Fix up OpenVPN CSC page help text, add IPv6 tunnel network. Fixes #7053
Destroy tun/tap device when delete OpenVPN tunnel
Remove unnecessary reference
Revert "Destroy tun/tap device when delete OpenVPN tunnel"
This reverts commit 0a07be0287189cda229fab27ad733e9de3dc12f5.
Add backend support to OpenVPN for NCP. Ticket #7072
Fix #7074: Fix automatic port number guessing
Rework openvpn_port_used() to take care of following conflicts after ticket #7062 was committed:
Remove this extra comma. It's not causing a syntax error but it's also not necessary.
Rework openvpn_vpnid_next() and remove duplicated code
Add some more help text to OpenVPN pages.
Replace "client-cert-not-required" with "verify-client-cert none". Fixes #7073
Add --tls-crypt support for OpenVPN servers and clients. Implements #7071
Bring compression options in line with OpenVPN 2.4. Note that the old style options are deprecated/legacy but don't remove yet, for compatibility. Implements #7064
Make sure $openvpn_dh_lengths is declared global. Ticket #7065
Fix var name cut-paste error in openvpn.inc
Add OpenVPN ECDH options. Implements #7063
Update OpenVPN protocol preferences to match the new behavior of OpenVPN 2.4. Fixes #7062
Allow OpenVPN DNS servers for clients to be IPv6 as well as IPv4. Implements #7061
Add IPv6 virtual address to SSL/TLS client output, formatting corrections/enhancement for SSL/TLS client and server. Ticket #2766
Update OpenVPN SSL/TLS server status to reflect changes in OpenVPN 2.4. Ticket #2766
Ticket #7054: Remove tun-ipv6 option, deprecated on OpenVPN 2.4.0 and related GUI knobs
Merge pull request #3236 from PiBa-NL/openvpn_startup_lock
Encode the auth server list before passing it on the CLI, to avoid issues with special characters that break when interpreted as URL parameters during OpenVPN auth. Fixes #7002
openvpn, startup locking sequence to prevent issues around pid file / process management
fixes: https://redmine.pfsense.org/issues/6940
Adjust parsing of OpenVPN ciphers to new output format. Fixes #6849
Move copyright from ESF to Netgate
Add a selection for OpenVPN to have no compression preference + comp-noadapt, which is necessary in some client edge cases. Fixes #6739
Add an option to push "block-outside-dns" to clients of an RA OpenVPN. Fixes #6719
Some small improvements to OpenVPN server handling when using CARP VIPs in Gateway Groups. Might help with issue #6607
openvpn_add_dhcpopts already sets redirect-gateway, don't add it a second time. Ticket #6633
Move to Apache License 2.0
Make a function to resync all OpenVPN CSCs and use it when saving an OpenVPN server. Fixes #6139
Review license / copyright on all files (final round)
Review license / copyright on all files (1st round)
Added and modified functions to send correct Radius attributes to the Radius authenticator.
Merge pull request #2966 from scipiojr/master
Update openvpn.inc
Add missing recommended key lengths to OpenVPN options
Add key lengths to the OpenVPN options, for asymmetric keys of size 3072 (for current use), 7680, 15360 (for long term resistance), 8192 and 16384 (common binary exponents).
These are both supported by OpenVPN anyhow, and for certain uses are currently recommended (eg long term resistance to replay/decryption). See keylength.com for citations....
Trim the OpenVPN tunnel network before use, and on save. Fixes #6198
Remove dead note from OpenVPN widget
This note is never going to display, because $DisplayNote is only set in a function and is not global. In any case, I don't think the message is true (maybe it was true in the past?).
Only specify auth-user-pass for TLS mode. Ticket #5941
Fix OpenVPN ifconfig. Ticket #5930
Use high level functions
Internationalize etc inc i through s
Fix style issues.
Review of CARP uniqid changes.
It turns out that current CARP implementation is not much different from an IP alias.
This commit converts the IP alias to also use the CARP uniqid scheme, this simplifies the code in all other places because now we have only two different cases to deal with:...
Omit topology for tap OpenVPN, as it has no meaning in that context
Remove stray }
The topology line also must be skipped if an SSL/TLS mode is used with a CIDR less than 30.
Update license on files from /etc/inc
Remove spaces at EOL as requested
redmine 5702 - change to use high level IPv4 functions where low level ip2long32() etc are used
Consolidate OpenVPN kill_client routine
After a gitsync just now I started getting "cannot redeclare kill_client" error messages. Whatever it was that caused this to start happening, the kill_client() function in these 2 places is identical. Might as well put it in openvpn.inc
Remove all pfSense_MODULE and pfSense_BUILDER_BINARIES definitions, whatever was the reason they were added, it was never finished and it's not being used
Fixed #5602 by dynamically updating the help text based on the cert selected.
Code style and white space in etc
Prioritize and separate server certs for OpenVPN servers to make it more clear they should be using certificates created as Server certificates for this purpose -- it's still valid to use non-server certs but it's not what most people intend to do. Ticket #5602
whitespace/style fixups