OpenVPN status improvements. Implements #13129
Restart DNS Resolver after OpenVPN config save. Fixes #13117
Improve OpenVPN "tls-client"/"pull". Fixes #13116
"tls-client" and "client" are redundant, so only use "tls-client" and "pull". Omit "pull" in cases where it is known to be incompatible.
Do not restart IPv4 OpenVPN on IPv6 gateway events and vice versa. Fixes #13061
Reload filter on OpenVPN instance delete. Fixes #13055
Fix syntax error
OpenVPN unbound restart fixes. Issue #12991
Add option to limit concurrent connections per OpenVPN user. Implements #12267
Use OpenVPN deferred client-connect. Implements #12407
OpenVPN shared key warning. Implements #12981.
Adds a warning to the OpenVPN client and server list and edit pages warning the user about shared key mode being deprecated by OpenVPN.
Warning only displays on the instance lists if there is an existing shared key instance. Warning only displays when editing an instance...
Restart unbound to update ACL on OpenVPN change. Issue #12991
Skip unresolved OpenVPN alias DNS entries. Fixes #12984
OpenVPN FQDN in alias netmask fix. Issue #12925
OpenVPN FQDN in alias support. Fixes #12925
OpenVPN status TAP mode double entries fix. Issue #12884
OpenVPN status incorrect TAP mode RA server+empty tunnel. Fixes #12884
Optimize openvpn_resync_all(). Fixes #12628
Convert OpenVPN Tunnel Network to correct format on save. Issue #11416
Improve OpenVPN Data Cipher handling. Fixes #12677
Revert "Use OpenVPN async client-connect, clear stale rules, add option to limit connections per user. Implements #12407 and #12332 and #12267"
This reverts commit 7aaa20d95a345c4688e8786c755c7d0433451688.
Update the Copyright year of the files owned by Rubicon/Netgate.
Use OpenVPN async client-connect, clear stale rules, add option to limit connections per user. Implements #12407 and #12332 and #12267
Delete stale OpenVPN RADIUS ACL generated rules. Fixes #12481
Fix OpenVPN status page halt function when client_id=0. Issue #12416
Allow to halt OpenVPN client on status page. Issue #12416
OpenVPN exit notify & inactive incompatibilities
OpenVPN Aliases support. Implements #2668
Prevent deletion of OpenVPN instances with assigned interfaces. Fixes #12224
Use client-connect/client-disconnect script for Remote Access (SSL/TLS) server mode. Fixes #12238
Delete OpenVPN related config files for disabled instance. Fixes #12223
OpenVPN status f/tap+empty tunnel net Fixes #12232
Fix OpenVPN CA/CRL cleanup. Fixes #12192
Always apply IPsec changes on HA secondary. Fixes #12075
Add OpenVPN remote-cert-tls option. Implements #11865
Configure OpenVPN-parent QinQ interfaces on boot. Fixes #11662
Fix missing ')' in openvpn.inc
Do not start an OpenVPN instance if vip aliased to BACKUP CARP. Fixes #11793
OpenVPN TAP ifconfig-ipv6 syntax fix. Issue #11869
Correct local IPv6 address for OpenVPN on 6RD/6to4 interfaces. Fixes #11674
OpenVPN auth sources strlen validation. Issue #11104
Merge pull request #4501 from mschiegl/patch-1
Put OpenVPN route-nopull option after custom options. Fixes #11448
Allow to use OpenVPN provided DNS servers. Implements #11140
Fix openssl digest algorithm param in openvpn.inc
At least in OpenSSL 1.1.1i-freebsd, used by pfsense 2.5, there is no longer a "list-message-digest-algorithms" parameter. It has been replaced by "list -digest-algorithms". The old parameter results in an error 'Invalid command 'list-message-digest-algorithms'; type "help" for a list' and may even cause an endless loop on startup/migration.
Display negotiated cipher on Status / OpenVPN page. Implements #7077
OpenVPN rmdir fix. Issue #11254
Delete all OpenVPN related files on instance deletion. Issue #11254
OpenVPN genkey secret command fix. Issue #11249
Update the Copyright year.
A subsequent commit will deal with .po's.
OpenVPN compression settings improvements. Issue #11020
Fix display of OpenVPN data cipher when NCP is disabled. Issue #10919
OpenVPN Data Cipher changes. Fixes #10919
OpenVPN data cipher negotiation updates. Fixes #10919
OpenVPN compression options update. Issue #11020
Remove OpenVPN tun server IPv4 tunnel network requirement. Issue #11020
No longer required on OpenVPN 2.5.0
Revert "Remove non captive-portal logs from Local4 syslog facility."
This reverts commit 6960993dc53c559619fe3f8d8ea903e7730b4fa6.
Revert "Adjust some missing ident on syslog"
This reverts commit 12719a87e3ba77f5459938a4cfec7f007bbe0c4a.
Adjust some missing ident on syslog
Allow to register OpenVPN Remote Access (User Auth) client in DNS Resolver. Implements #10999
Fix #10680: Rewrite cache system in interfaces.inc
Change it to not invalidate cache when not needed. Makes boot much faster when we have many VLANs
Merge pull request #4352 from vktg/ovpntcpfix
Merge pull request #4150 from Augustin-FL/captiveportal-db-sync
OpenVPN TCP client fix. Issue #10650
OpenVPN CSO remove routes option. Implements #9702
Remove non captive-portal logs from Local4 syslog facility.
Various logs are recorded in local4 in HA situation. They should not be recorded here.
Redmine #97
Remote OpenVPN server proto definition. Issue #10368
Correct 'default' behavior of OpenVPN TLS key dir. Fixes #10287
Revert "Fix #10235"
This reverts commit 32218e9e1e69a0e2b91bcd829fcba04ec8586bdc.
Fix #10235
Add a missing break to case statement. Without it, $compression was being filled with a bad value and also if push compress was being used, it added the option breaking connection.
Reported by: Vinicius Dell'Aglio on Telegram pfSense group
This is 2020. Issue #9245
Unset temp vars when refreshing CRLs. Issue #9915
Otherwise it might unintentionally add a CRL to a server which does not have one selected
When refreshing CRLs, increment suffix, do not clean up. Fixes #9915
While here, fix a bug with refresh path.
Restructure OpenVPN settings directory layout
Make OpenVPN username-as-common-name options. Implements #8289
Add exit notify to OpenVPN servers/clients. Implements #9078
Prevent OpenVPN tunnel network reuse. Fixes #3244
Ensures that a submitted tunnel network is not already in use on other OpenVPN client or server instances, to avoid conflicts.
OpenVPN ECDH/ECDSA filtering. Fixes #9744
Can be revisited in the future if the corresponding OpenVPN bug is resolved.
Fix #9674: Do not set duplicate-cn in p2p_shared_key mode
Fix OpenVPN keepalive default values. Fixes #3473
Fix #3743: Allow OpenVPN keepalive configuration
- Remove hardcoded 'keepalive 10 60' configuration
- Added 'inactive seconds' option
- Let user configure 'keepalive interval timeout'. It defaults to 10 60 as it was hardcoded until now
- Let user define ping and choose between ping-exit or ping-restart...
Remove variable from gettext string
Remove line commented out in 2015
Remove code commented out in 2008
Merge pull request #3999 from vpiserchia/master
Deduplicate code in openvpn.inc
Remove unnecessary variable
Merge pull request #4072 from jwsi/openvpn-gwgroup
Improve efficiency of resync checks.
GW Group changes are checked iff the interface is not the empty string or the interface in question is not the same as the OpenVPN interface.
Add ability for OpenVPN instances to resync on IP changes and on boot.
OpenVPN instances resync if interface IP change occurs. At boot, the interface is the empty string, so resync is mandatory to generate OpenVPN files in /var/etc/openvpn.
Add else clause for cases when OpenVPN interface file does not exist.
- Prevents potential race condition at startup resulting in failure to start OpenVPN instances.
- In cases where interface file is not present the openvpn_resync function handles a restart correctly.
Fix copyright message years to reflect BSDP -> ESF -> Netgate
Update openvpn.inc to allow OpenVPN instances to resync when running on a gateway group.
Implementation now checks if OpenVPN client/server running on gateway group should resync when IP changes occur or if cables are unplugged/replugged.
Merge remote-tracking branch 'upstream/master'
openvpn: cleaning default case handling in switch statements
Update copyright notices to 2019. Happy New Year
change after review
Update text
Added tlsauth keydir options to openvpn client and server
Disable OpenVPN compression for new instances by default. Fixes #8788
Also add warning text that cautions against enabling compression.
While here, also add missing "stub-v2" compression mode.
Merge pull request #3908 from pdemonaco/master