openvpn - additional configs for server and clients

1/24/21, 9:01 PMOpenVPN - Additional configs for server and clients - forum.ipfire.org

of 2https://forum.ipfire.org/viewtopic.php?f=50&t=11028

forum.ipfire.orgThe old IPFire Forum Archive Search… ! "

# FAQ $ Login

% Home ‹ Index ‹ English Area ‹ Development

Locked & Search this topic… ! " 79 posts 1 2 3 4 5 6 '

Locked & 79 posts 1 2 3 4 5 6 '

( Return to “Development”

% Home ‹ Index All times are UTC) Delete cookies

OpenVPN - Additional configs for server and clients

Powered by phpBB® Forum Software © phpBB Limited

Privacy | Terms

* Quick links

+ ,

ummeeggeCommunity Developer

Posts: 5001Joined: October 9th, 2010, 10:00 am

-

OpenVPN - Additional configs for server and clients. by ummeegge » July 11th, 2014, 12:01 pm

Last edited by ummeegge on November 19th, 2014, 4:15 pm, edited 1 time in total.

Hi all,[EDIT:] Since this feature will be released with Core 89 i wanted to leave here a brief information about that so there is no need (acceptyou are interessted in it) to read the whole thread through. IPFire o!ers with Core 89 the possibility to modify the server and client configuration over the console in two dedicated files locatedunder /var/ipfire/ovpn/scripts called 'server.conf.local' and 'client.conf.local'. You can add there OpenVPN directives to the existingconfiguration which will be wrote below the regular config lines, some examples can be found in this thread. After modifying one orboth of this files you need to restart the OpenVPN server that the changes takes a!ect.The WUI have only one more checkbox to activate and deactivate this feature, which looks like this

You can find in the IPFire wiki of OpenVPN also some informations --> http://wiki.ipfire.org/en/configuration ... vanced_set .

[/EDIT]

regarding to some nice ideas from another already finished development topic --> http://forum.ipfire.org//viewtopic.php? ... 1#msg70791 i wanted to cherry-pick some (as i think good ones) of them for a furtherenhancement for OpenVPN on IPFire.

Thanks to penne for his ideas and preparatory work .

What happens now:We decided to integrate two new globally working configuration files (server.conf.local and client.conf.local under/var/ipfire/ovpn/scripts), which will automatically generate by the patched CGI script (see below for the howto patch it) if the OpenVPNserver was stopped and the save button was pressed.

This feature does pretty much the same like Squid´s include.acl.

If new directives which aren´t supported by the ovpnmain.cgi at this time should be integrated, these files can now be used without thepain that changes over the ovpn WUI kills the manually added entries/directives/configs.

Files can be edited like e.g. this one,example for server.conf.local:

CODE: SELECT ALL

the syntax is the same as in usual OpenVPN configuration files.

and e.g. client.conf.local:

CODE: SELECT ALL

here also, the syntax is the same as in usual OpenVPN configuration files.

After editing the server.conf.local, you need to stop the OpenVPN server and hit the save button, the original server.conf looks then likethis:

CODE: SELECT ALL

the original client.ovpn like this:

CODE: SELECT ALL

Log in verbose level 4 after starting the OpenVPN server:

CODE: SELECT ALL

so all additional added entries from the server.conf.local are listed as functional.

Connection log on server side:

CODE: SELECT ALL

Connection log on client side:

CODE: SELECT ALL

So the connection is up with all new added config parameters from client.conf.local and server.conf.local

reneg-sec after 15 Minutes ,

CODE: SELECT ALL

New cipher mode AES-GCM and hash SHA384 for the Control Channel ,

CODE: SELECT ALL

Plugins and scripts are executed:

CODE: SELECT ALL

fast-io is enabled:

CODE: SELECT ALL

crypto engine support is activated:

CODE: SELECT ALL

The patch for the ovpnmain.cgi looks now like this, [b]please use Core 85:

CODE: SELECT ALL

de.pl:

CODE: SELECT ALL

en.pl:

CODE: SELECT ALL

Backup your existing ovpnmain.cgi and patch it then.

CODE: SELECT ALL

to bring your backUP back to live,

CODE: SELECT ALL

After all that you need to refresh the language cache, which can be done with the following command.

CODE: SELECT ALL

-----------

Where are now the advantages ?- Your manual added directives are from now on consistent and there is also no need anymore to fiddle around with the perl code.- *.config.local entries survives IPFire side updates on ovpnmain.cgi- Use more OpenVPN directives/options as IPFire currently provides it over the ovpn WUI.- More flexibility for individual configurations.

May there is more ? You got some ideas or enhancements, critics, ... whatever, you are welcome to test this feature and give someresponse or/and to bring on your own pattern too.

Greetings to all,

UE

EDIT(s): - Added patch for Core 81- Added patch for Core 85 including* Added a possibility to manualy extend OpenVPNs server and client configuration.* Added also a checkbox (on/o!) in the WUI under 'Advanced server options' .* Changed the order in 'Miscellaneous options' section for better overview.* Optimized code in particular sections a little. Perl makes now ccd* file generation (changed the system(touch...) command).Unified the html code tags.

# Plugins and scripts callplugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpnup /var/ipfire/ovpn/scripts/down-root.shplugin /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so /var/ipfire/ovpn/scripts/down-root.sh --down# Throughputfast-io# Server side cycle of the keyexchange in 900 sec.# remember to deactivate (with a 'reneg-sec 0') this function on client sidereneg-sec 900# Add serverside crypto engine supportengine cryptodev# Add TLSv1.2 only support cause all clients uses versions >= 2.3.3# but with backwards compatibilitytls-version-min 1.2

# Open dialog for serverside authenticationauth-user-pass# Deactivate keygeneration cycle cause server does it in less than 3600 sec.reneg-sec 0# Add crypto engine supportengine dynamic# Add TLSv1.2 support cause all clients using new OpenSSL libs (>= 2.3.3)# but with backwards compatibilitytls-version-min 1.2tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA

#OpenVPN Server conf

daemon openvpnserverwritepid /var/run/openvpn.pid#DAN prepare OpenVPN for listening on blue and orange;local 192.168.20.2dev tunproto udpport 11035script-security 3 systemifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600client-config-dir /var/ipfire/ovpn/ccdtls-serverca /var/ipfire/ovpn/ca/cacert.pem

#OpenVPN Client conftls-clientclientnobinddev tunproto udptun-mtu 1500remote 192.168.20.2 11035#Coment the above line and uncoment the next line, if you want to connect on the Blue interface;remote 192.168.9.1 11035pkcs12 TestConfig.p12cipher CAMELLIA-256-CBCauth whirlpooltls-auth ta.key

Jul 11 12:24:05 ipfire-server openvpnserver[19536]: Current Parameter Settings:Jul 11 12:24:05 ipfire-server openvpnserver[19536]: config = '/var/ipfire/ovpn/server.conf'Jul 11 12:24:05 ipfire-server openvpnserver[19536]: mode = 1Jul 11 12:24:05 ipfire-server openvpnserver[19536]: persist_config = DISABLEDJul 11 12:24:05 ipfire-server openvpnserver[19536]: persist_mode = 1Jul 11 12:24:05 ipfire-server openvpnserver[19536]: show_ciphers = DISABLEDJul 11 12:24:05 ipfire-server openvpnserver[19536]: show_digests = DISABLEDJul 11 12:24:05 ipfire-server openvpnserver[19536]: show_engines = DISABLEDJul 11 12:24:05 ipfire-server openvpnserver[19536]: genkey = DISABLEDJul 11 12:24:05 ipfire-server openvpnserver[19536]: key_pass_file = '[UNDEF]'Jul 11 12:24:05 ipfire-server openvpnserver[19536]: show_tls_ciphers = DISABLEDJul 11 12:24:05 ipfire-server openvpnserver[19536]: Connection profiles [default]:Jul 11 12:24:05 ipfire-server openvpnserver[19536]: proto = udpJul 11 12:24:05 ipfire-server openvpnserver[19536]: local = '[UNDEF]'

Jul 11 12:25:54 ipfire-server openvpnserver[19550]: MULTI: multi_create_instance calledJul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 Re-using SSL/TLS contextJul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 LZO compression initializedJul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 Control Channel MTU parms [ L:1606 D:210 EF:110 EB:0 ET:0 EL:0 ]Jul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 Data Channel MTU parms [ L:1606 D:1450 EF:106 EB:135 ET:0 EL:0 AF:3/1 ]Jul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 Fragmentation MTU parms [ L:1606 D:1450 EF:105 EB:135 ET:1 EL:0 AF:3/1 ]Jul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 Local Options String: 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher CAMELLIA-256-CBC,auth whirlpool,keysize 256,tls-auth,key-method 2,tls-server'Jul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1606,tun-mtu 1500,proto UDPv4,comp-lzo,mtu-dynamic,cipher CAMELLIA-256-CBC,auth whirlpool,keysize 256,tls-auth,key-method 2,tls-client'Jul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 Local Options hash (VER=V4): '062667d3'Jul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 Expected Remote Options hash (VER=V4): '439e2e07'Jul 11 12:25:54 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 TLS: Initial packet from [AF_INET]192.168.90.2:56536, sid=8e24838e 817b4071Jul 11 12:25:55 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 VERIFY SCRIPT OK: depth=1, C=DE, ST=HH, L=Hamburg, O=NewCNtest, OU=FZeit, CN=NewCNtest CA, [email protected] 11 12:25:55 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 CRL CHECK OK: C=DE, ST=HH, L=Hamburg, O=NewCNtest, OU=FZeit, CN=NewCNtest CA, [email protected] 11 12:25:55 ipfire-server openvpnserver[19550]: 192.168.90.2:56536 VERIFY OK: depth=1, C=DE, ST=HH, L=Hamburg, O=NewCNtest, OU=FZeit, CN=NewCNtest CA, [email protected]

2014-07-11 12:25:39 *Tunnelblick: OS X 10.6.8; Tunnelblick 3.4beta26 (build 3828)2014-07-11 12:25:39 *Tunnelblick: Attempting connection with TestConfig using shadow copy; Set nameserver = 1; monitoring connection2014-07-11 12:25:39 *Tunnelblick: openvpnstart start TestConfig.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.3.42014-07-11 12:25:40 *Tunnelblick: openvpnstart log: Tunnelblick: OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line): /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.4/openvpn --daemon --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Szebra-SLibrary-SApplication Support-STunnelblick-SConfigurations-STestConfig.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_16688.1337.openvpn.log --cd /Library/Application Support/Tunnelblick/Users/zebra/TestConfig.tblk/Contents/Resources --config

Jul 11 12:40:56 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 TLS: soft reset sec=0 bytes=3260841/0 pkts=20994/0Jul 11 12:40:57 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 VERIFY SCRIPT OK: depth=1, C=DE, ST=HH, L=Hamburg, O=NewCNtest, OU=FZeit, CN=NewCNtest CA, [email protected] 11 12:40:57 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 CRL CHECK OK: C=DE, ST=HH, L=Hamburg, O=NewCNtest, OU=FZeit, CN=NewCNtest CA, [email protected] 11 12:40:57 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 VERIFY OK: depth=1, C=DE, ST=HH, L=Hamburg, O=NewCNtest, OU=FZeit, CN=NewCNtest CA, [email protected] 11 12:40:57 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 VERIFY SCRIPT OK: depth=0, C=DE, ST=HH, O=NewCNtest, OU=FZeit, CN=TestConfigJul 11 12:40:57 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 CRL CHECK OK: C=DE, ST=HH, O=NewCNtest, OU=FZeit, CN=TestConfigJul 11 12:40:57 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 VERIFY OK: depth=0, C=DE, ST=HH, O=NewCNtest, OU=FZeit, CN=TestConfigJul 11 12:40:58 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0Jul 11 12:40:58 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 TLS: Username/Password authentication succeeded for username 'ummeegge' Jul 11 12:40:58 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 Data Channel Encrypt: Cipher 'CAMELLIA-256-CBC' initialized with 256 bit keyJul 11 12:40:58 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 Data Channel Encrypt: Using 512 bit message hash 'whirlpool' for HMAC authenticationJul 11 12:40:58 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 Data Channel Decrypt: Cipher 'CAMELLIA-256-CBC' initialized with 256 bit keyJul 11 12:40:58 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 Data Channel Decrypt: Using 512 bit message hash 'whirlpool' for HMAC authenticationJul 11 12:40:58 ipfire-server openvpnserver[19550]: TestConfig/192.168.90.2:56536 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

Jul 11 12:24:06 ipfire-server openvpnserver[19536]: PLUGIN_INIT: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so] [openvpn]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY Jul 11 12:24:06 ipfire-server openvpnserver[19536]: PLUGIN_INIT: POST /usr/lib/openvpn/plugins/openvpn-plugin-down-root.so '[/usr/lib/openvpn/plugins/openvpn-plugin-down-root.so] [/var/ipfire/ovpn/scripts/down-root.sh] [--down]' intercepted=PLUGIN_UP|PLUGIN_DOWN

Jul 11 12:24:05 ipfire-server openvpnserver[19536]: fast_io = ENABLED

Jul 11 12:24:06 ipfire-server openvpnserver[19536]: Initializing OpenSSL support for engine 'cryptodev'

--- ovpnmain.cgi.core85 2014-11-11 16:17:56.000000000 +0100+++ ovpnmain.cgi 2014-11-11 14:48:08.000000000 +0100@@ -70,6 +70,9 @@ my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; my $col="";+my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";+my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";+ &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off';@@ -94,10 +97,33 @@ $cgiparams{'DAUTH'} = '';

--- de.pl.core85.pl 2014-11-11 16:18:22.000000000 +0100+++ de.pl 2014-11-11 14:16:20.000000000 +0100@@ -1689,6 +1689,7 @@ 'outgoing traffic in bytes per second' => 'Abgehender Verkehr', 'override mtu' => 'Überschreibe Standard MTU', 'ovpn' => 'OpenVPN',+'ovpn add conf' => 'Erweiterte Konfiguration', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn crypt options' => 'Kryptografieoptionen',

--- en.pl.core85.pl 2014-11-11 16:18:32.000000000 +0100+++ en.pl 2014-11-11 14:16:05.000000000 +0100@@ -1720,6 +1720,7 @@ 'outgoing traffic in bytes per second' => 'Outgoing Traffic', 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN',+'ovpn add conf' => 'Additional configuration', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn crypt options' => 'Cryptographic options',

cp /srv/web/ipfire/cgi-bin/ovpnmain.cgi /srv/web/ipfire/cgi-bin/ovpnmain.cgi.origpatch /srv/web/ipfire/cgi-bin/ovpnmain.cgi ovpnmain_conf.patch

mv /srv/web/ipfier/cgi-bin/ovpnmain.cgi.orig /srv/web/ipfire/cgi-bin/ovpnmain.cgi

perl -e "require '/var/ipfire/lang.pl'; &Lang::BuildCacheLang"

penne

Posts: 682Joined: September 21st, 2011, 12:48 pm

-

Re: OpenVPN - Additional configs for server and clients. by penne » July 12th, 2014, 4:24 pm

Hoi Ummmegge,

great work. Do u know if ur new modification will be part of the new Core80 release?

greets



-

Re: OpenVPN - Additional configs for server and clients. by ummeegge » July 13th, 2014, 8:29 am

Last edited by ummeegge on July 18th, 2014, 8:04 pm, edited 1 time in total.

Hi penne,no this won´t come with Core 80. Some more feedback and testing results would be nice in this topic and also a condition for furtherprocessings (Bugzilla and Git).

Greetings,

UE

EDIT: What did you tried out until now ?

ESLALO001

Posts: 270Joined: February 15th, 2014, 1:31 pm

-

Re: OpenVPN - Additional configs for server and clients. by ESLALO001 » July 13th, 2014, 2:55 pm

Last edited by ESLALO001 on July 13th, 2014, 3:03 pm, edited 1 time in total.

Hello UE,

i receive following error when i patch the ovpnmain.cgi:

CODE: SELECT ALL

you can see the result at the attachment.

Any hints?

ALO

[root@ipfire ftpuser]# patch ovpnmain.cgi ovpnmain_conf.patchpatching file ovpnmain.cgiHunk #3 succeeded at 311 with fuzz 2.patch unexpectedly ends in middle of lineHunk #4 succeeded at 2245 with fuzz 1 (offset -1 lines).



-

Re: OpenVPN - Additional configs for server and clients. by ummeegge » July 13th, 2014, 3:08 pm

Hi ALO,you need a clean Core79 ovpnmain.cgi to patch it without hunks. Possibly you have changed something on ovpnmain.cgi before youpatched it.

You can get a clean one from here --> http://git.ipfire.org/?p=ipfire-2.x.git ... ads/core79 .

Greetings,

UE

ESLALO001


-


Hi UE,

i receive the file and patch ist again.Now i receive following:

CODE: SELECT ALL

I look into the new generated file and check the updates. all looks good.Wy the error message?

[root@ipfire ftpuser]# patch ovpnmain.cgi ovpnmain_conf.patchpatching file ovpnmain.cgipatch unexpectedly ends in middle of lineHunk #4 succeeded at 2246 with fuzz 1.

ESLALO001


-


here are the files that i use for patch.

ESLALO001


-


i found the error.

in the patch file you compare following lines:

CODE: SELECT ALL

in the ovpnmain.cgi (that is the file that i receive from your link) are:

CODE: SELECT ALL

the o!set is wrong?!

@@ -2226,6 +2246,21 @@ print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } }

print CLIENTCONF "mtu-disc $vpnsettings{'PMTU_DISCOVERY'}\r\n"; } }

penne


-


Hoi,

here it works like ummegge told:

CODE: SELECT ALL

i reloaded the original ovpnmain.cgi file from git and after that i applied the patch from ummegge....

[root@ipfire cgi-bin]# patch ovpnmain.cgi patch-ovpn patching file ovpnmain.cgi



-


Have here also no problem this ?

You can also install it in that way, checkout the console/SSH on IPFire and

Warning: BackUP your original ovpnmain.cgi before with a

CODE: SELECT ALL

then install it in the second way:

CODE: SELECT ALL

Stop the OpenVPN server, press save and edit the server.conf.local or client.conf.local

CODE: SELECT ALL

and press save again on OpenVPN server site and take a look to server.conf or client.ovpn.

May this works.

UE

cp /srv/web/ipfire/cgi-bin/ovpnmain.cgi /srv/web/ipfire/cgi-bin/ovpnmain.cgi.orig

cd /tmpwget http://people.ipfire.org/~ummeegge/OpenVPN_development_13.03.2014/ovpnmain.cgicp ovpnmain.cgi /srv/web/ipfire/cgi-bin

vim /var/ipfire/ovpn/scripts/server.conf.local# orvim /var/ipfire/ovpn/scripts/client.conf.local

ESLALO001


-


Hello UE,

can you post a link for download the unchanged ovpnmain.cgi and the patch file?

I believe i have a problem with transfer the files fro windows machine to my ipfire.

penne


-


take a look in ummegges last poste: ;-)

CODE: SELECT ALL

greets

wget http://people.ipfire.org/~ummeegge/OpenVPN_development_13.03.2014/ovpnmain.cgi

ESLALO001


-


This is not the unchanged ovpnmain.cgi.Look into the file and you see the patched lines.



-


Here --> http://people.ipfire.org/~ummeegge/Open ... tch.tar.gz you can find it in a tar.gz package bundle which includes the originalCore 79 ovpnmain.cgi and the config patch.

unpack it with

CODE: SELECT ALL

UE

tar xvfz ovpn_orig_core79+patch.tar.gz

ESLALO001


-


Hello UE,

the ovpnmain.cgi file in the tar are in binary format and not readable.the patch file is o.k.

ALO

+ , / ,

https://community.ipfire.org/

https://forum.ipfire.org/search.php

https://forum.ipfire.org/app.php/help/faq

https://forum.ipfire.org/ucp.php?mode=login


https://forum.ipfire.org/index.php

https://forum.ipfire.org/viewforum.php?f=84


https://forum.ipfire.org/posting.php?mode=reply&f=50&t=11028


https://forum.ipfire.org/viewtopic.php?f=50&t=11028&start=15
















https://forum.ipfire.org/ucp.php?mode=delete_cookies

https://forum.ipfire.org/viewtopic.php?f=50&t=11028

https://www.phpbb.com/

https://forum.ipfire.org/ucp.php?mode=privacy

https://forum.ipfire.org/ucp.php?mode=terms

https://forum.ipfire.org/viewtopic.php?f=50&t=11028%23

https://forum.ipfire.org/search.php?author_id=2743&sr=posts

https://forum.ipfire.org/memberlist.php?mode=viewprofile&u=2743

https://forum.ipfire.org/viewtopic.php?p=71150%23p71150

http://fireinfo.ipfire.org/profile/72d11e77621ec66ea75d39e3c9b10025e746e5af

http://fireinfo.ipfire.org/profile/90b70d583ed7740f0977a386418a2ff110293570



http://wiki.ipfire.org/en/configuration/services/openvpn/config/advanced_set

http://forum.ipfire.org//viewtopic.php?t=08.msg70791%23msg70791










































http://git.ipfire.org/?p=ipfire-2.x.git;a=blob_plain;f=html/cgi-bin/ovpnmain.cgi;hb=refs/heads/core79

















































http://people.ipfire.org/~ummeegge/OpenVPN_development_13.03.2014/ovpn_orig_core79+patch.tar.gz






1/24/21, 9:01 PMOpenVPN - Additional configs for server and clients - - forum.ipfire.org

Page 1 of 2https://forum.ipfire.org/viewtopic.php?f=50&t=11028&start=15


# FAQ $ Login


Locked & Search this topic… ! " 79 posts ' 1 2 3 4 5 6 (

Locked & 79 posts ' 1 2 3 4 5 6 (

) Return to “Development”

% Home ‹ Index All times are UTC* Delete cookies



Privacy | Terms

+ Quick links

, -



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » July 13th, 2014, 4:29 pm

Upps,try it again have uploaded a new one.

UE

ESLALO001


.

Re: OpenVPN - Additional configs for server and clients/ by ESLALO001 » July 13th, 2014, 4:45 pm

now it's running.

CODE: SELECT ALL

next day i will do the rest.

[root@ipfire ftpuser]# patch ovpnmain.cgi.Core79 ovpnmain_conf.patchpatching file ovpnmain.cgi.Core79



.


Alright,soccer break for me now too .

UE



.


Are there some testing results somewhere ? Or possibly no interrest anymore ?

UE

ESLALO001


.


Hey UE,

i continue and finish the test at weekend.I hope that other people test also.

ALO

ESLALO001


.



Hello UE,

when the feature are shipped in any of the following Core Update, do you change the WUI openVPN/additional server option with twonew free text fields for the entries in the *.local files?In the client field i can comment the additional action that iOS-user need for tunnel configuration. (Split the .p12 file)

ALO



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » July 17th, 2014, 9:18 am

Hi ALO,

0 ESLALO001 wrote:I hope that other people test also.

Me too.

0 ESLALO001 wrote:when the feature are shipped in any of the following Core Update, do you change the WUI openVPN/additional server option with two newfree text fields for the entries in the *.local files?

I don´t think so, the reason is that the manual input can be a better prevention for possible missconfiguration cause the user needs tobe a little familar with the console thus probably a little more experienced in that manner. Also, using this files should include a userside warranty for the functionality of OpenVPN which will be di!cult if this feature are provided over the WUI.

0 ESLALO001 wrote:In the client field i can comment the additional action that iOS-user need for tunnel configuration. (Split the .p12 file)

You can´t handle this globally over the client.local.conf cause the "pkcs12 *.p12" entry will be nevertheless printed by the CGI scriptand you would have to delete this entry for every single client.ovpn.But in another topic --> https://forum.ipfire.org/http://forum.i ... 0#msg70980 this feature (INLINE certs/keys) are actually developed.So this could probably be possible in the closer future ?!

Will see...

Greetings,

UE

ESLALO001


.


hello UE,

now i have finish the test.the server and client conf files create correct.

next steps:

delete x509define the CA, host and client configurationuse DH parameter with 4096 key lentest tunnel with iPhone and iPad

ALO



.


Thanks for your feedback.

Greetings,

UE

ESLALO001


.


now i am finish.iPhone and iPad tunnel running without errors (incl. 4096 DH parmameter length)



.


Last edited by ummeegge on July 17th, 2014, 5:45 pm, edited 1 time in total.

Great ,how your configs looks like now ? Which additionals ?

UE

EDIT: How much time ~ needs the keyexchange after an hour ?

ESLALO001


.


Hello UE,

Here are the new server.conf

CODE: SELECT ALL

I see now that the DH not 4096?!I generate the certificate with 1024 and than i upload the 4096 file.In WUI the value changed from 1024 to 4096, but in the server.conf there is a reference to the DH1024.pem file.What is the problem?

and this is the client.conf

CODE: SELECT ALL

I test the tunnel 2 minutes and can't say how long the keyexchange need.

ALO

#OpenVPN Server conf

daemon openvpnserverwritepid /var/run/openvpn.pid#DAN prepare OpenVPN for listening on blue and orange;local xxxxx.xxxxx.xxxxdev tunproto udpport nnnnscript-security 3 systemifconfig-pool-persist /var/ipfire/ovpn/ovpn-leases.db 3600client-config-dir /var/ipfire/ovpn/ccdtls-serverca /var/ipfire/ovpn/ca/cacert.pem

#OpenVPN Client conftls-clientclientnobinddev tunproto udptun-mtu 1500remote xxxxxx.xxxxxx.xxxx 9999# pkcs12 iPhone5s.p12cipher AES-256-CBCauth SHA512comp-lzoverb 3ns-cert-type server

ESLALO001


.



Hello UE,

I stop the server and save the configuration.The DH parameter in the server.conf show the same (dh1024.pem).

The WUI say

CODE: SELECT ALL

but in the CA Directory i found only the dh1024.pem file.

What is wrong?

ALO

Diffie-Hellman-Parameter PKCS#3 DH Parameters: (4096 bit)

ESLALO001


.


And the best is that in the openVPN Log i found following entry:

CODE: SELECT ALL

What now 1024 or 4096?

ALO

21:02:17 openvpnserver[8830]: Diffie-Hellman initialized with 4096 bit key



.


Hi ESLALO001,

0 ESLALO001 wrote:

CODE: SELECT ALL

I see now that the DH not 4096?!I generate the certificate with 1024 and than i upload the 4096 file.In WUI the value changed from 1024 to 4096, but in the server.conf there is a reference to the DH1024.pem file.What is the problem?

There is not really a problem, the name 'dh1024.pem' was kept for compatibily purposes. Checkout the info button, or take a look intothe "Certificate Authorities and -Keys" chart the line "Di!e-Hellman parameters" contains also the actual bit lenght of DH parametersIf you try out the appropriate openssl command:

CODE: SELECT ALL

you can check out also similarities to the info button in the "Di!e-Hellman parameters" line in the WUI.

Most important checkout your OpenVPN server log where you can find the indeed used bit lenght --> from https://forum.ipfire.org/http://forum.i ... 0#msg71150 -->

0 ummeegge wrote:Jul 11 12:24:07 ipfire-server openvpnserver[19536]: Di!e-Hellman initialized with 3072 bit key

in the server log you can find also the needed time for the sessionkey exchanges which are indicated by for example a log entry like this

CODE: SELECT ALL

'TLS: soft reset' --> the needed time ends normally with a kind like this log entry

CODE: SELECT ALL

as a beside info. This entries (keyexchange) are progressive every hour.

Greetings,

UE

dh /var/ipfire/ovpn/ca/dh1024.pem

openssl dhparam -text -in dh1024.pem

ipfire openvpnserver[19550]: TestConfig/192.168.9.2:56536 TLS: soft reset sec=0 bytes=3260841/0 pkts=20994/0

ipfire openvpnserver[19550]: TestConfig/192.168.9.2:56536 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA

, - 1 -


































https://forum.ipfire.org/viewtopic.php?f=50&t=11028&start=15%23







































https://forum.ipfire.org/http://forum.ipfire.org//viewtopic.php?t=12.msg70980%23msg70980





















































# FAQ $ Login



Locked & 79 posts ' 1 2 3 4 5 6 (





Privacy | Terms

+ Quick links

, -

ESLALO001


.


Hello UE,

I check the keylength with the openssl command and look into the info area from DH (WUI).Both say that the key is 4096 .

Now i am happy

!

I check the keyexchange time next days.

ALO

ESLALO001


.


Hello UE,

back to the topic.Is it possible that this feature shipped in any of the next core update?

ALO



.


Hi ALO,yes it is but some more feedback and testing results from other people might also be great, so i can bring it to Bugzilla for furtherprocessings.Another thing which i ask myself is, should this feature also exists for N2N connections ?

Greetings,

UE

penne


.

Re: OpenVPN - Additional configs for server and clients/ by penne » July 18th, 2014, 2:15 pm

Last edited by penne on July 19th, 2014, 7:48 am, edited 1 time in total.

Hoi,

i put ur new opnvpnmain.cgi patch to my productive system. I m using user-auth, tls-minimum with the newserver.conf.local/client.conf.local.

All works as it should.....

Sorry i cannot test n2n, cuz i dont use this

//update, i guess, that it's a good idea to use ur patch for n2n too

greets

great work...greets



.


Hi penne,

0 penne wrote:

Is there a problem with ä or + inside the pkcs pass?

very good possible... Did you find some other characters so that we can integrate an appropriate plausicheck in ovpnmain.cgi ?

UE



.


Good to know, seems to be a bigger one ,let´s checkout another topic for this...

Greetings,

UE

penne


.

Re: OpenVPN - Additional configs for server and clients/ by penne » July 19th, 2014, 7:57 am

Hoi,

deleted my o!topic posts in that thread an moved to: http://forum.ipfire.org//viewtopic.php?t=6

All is fine with the related patch in this topic :-)

greets

ESLALO001


.


0 ummeegge wrote:

EDIT: How much time ~ needs the keyexchange after an hour ?

Now i test the tunner over 1 hour.The keyexchange need 12 seconds from

0

2014-07-19 17:49:47 LZO-ASYM init swap=0 asym=02014-07-19 17:49:48 Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,authSHA512,keysize 256,tls-auth,key-method 2,tls-client

To

0

2014-07-19 17:50:00 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-AES-256-CBC-SHA

ALO



.


Guten Abend ALO,erstmal danke für die Rückmeldung. 12 Sekunden ist natürlich schon eine Hausnummer, bei dauerhaftem Tra"c gibt es für denZeitraum eine Unterbrechung der Verbindung. Als Nebeninfo:Es gibt auch die Möglichkeit die Zeiträume des Keyexchanges zu konfigurieren entweder nach transferierter Zeit '--reneg-sec n' oderBytes '--reneg-bytes n' (auch nach Paketen '--reneg-pkts n') --> http://openvpn.net/index.php/open-sourc ... npage.html . Beizunehmender Länge des DH Parameter steigt die Sicherheit des Sessionkey ebenfalls, wenn von daher ein Keyexchange erst nach 2anstatt (wie per Default) nach einer Stunde statt finden kann, lässt sich das auch machen.... Nur so nebenbei.

Grüsse,

UE

ESLALO001


.


Hallo UE,

Ich habe über den Tunnel MP3 Files 1,5 Stunden abspielen lassen und keinerlei Unterbrechung festgestellt.Liegt wahrscheinlich daran das gepu!ert wird.

Ich selber bin aber nie mehr als 10-20 Minuten über VPN verbunden.Somit tri!t mich die 12 Sekunden im Normalfall nicht.

Aber ein Test war es mal wert

"

und es ist einfach eine Frage der Sicherheit.Maximale Sicherheit geht nicht ohne Einschränkungen an einer anderen Stelle. Und max. Sicherheit ist mir persönlich wichtig.

Gruss

ALO

ESLALO001


.


Hi all,

Sorry for the german reply. Wrong area.

Translation:

I hear 1,5 hour music (mp3) over the tunnel and i have no interrupt. (I believe that the music soft bu!ering the mp3 files)

Normaly, i use the vpn tunnel 10-20 minutes and the keyexchange in not a problem for me.

My interest is a high security level and the interrupt over 12 seconds is for me o.k.

ALO



.


Hi all,have brought it now to Bugzilla and Git --> https://bugzilla.ipfire.org/show_bug.cgi?id=10577 .

Greetings,

UE



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » August 4th, 2014, 9:41 am

With IPfire Core 80 comes also some changes in ovpnmain.cgi, so your potential patched CGI was overwritten. Have updated now thepatch for IPFire version core 80 --> https://forum.ipfire.org/http://forum.i ... 0#msg71150 . You can patch it like described in thestart post, stop your server and hit the 'Save' button and start the server so the old state are back again.

UE

ESLALO001


.

Re: OpenVPN - Additional configs for server and clients/ by ESLALO001 » August 4th, 2014, 4:09 pm

hello UE,

i test the openVPN with new patch.The patch is done and the connection (after stop/save/start server) come up without errors.

tx

ALO

penne


.

Re: OpenVPN - Additional configs for server and clients/ by penne » August 7th, 2014, 1:55 pm

Last edited by penne on August 8th, 2014, 4:06 am, edited 1 time in total.

Hoi,

the release notes of 80/81 does not contain ur modification ummegge....hmm...do u know when it will be released?

//add, maybe it's interesting for the user, if in the webgui is a small note, that the server.conf.local/client.conf.local containsmodifications......just a transparency idea....just something to think about....its not really a request....

greets

, - 1 -






































































http://forum.ipfire.org//viewtopic.php?t=6











http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html















https://bugzilla.ipfire.org/show_bug.cgi?id=10577




















# FAQ $ Login



Locked & 79 posts ' 1 2 3 4 5 6 (





+ Quick links

, -



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » August 8th, 2014, 4:19 am

Hi penne,

0 penne wrote:the release notes of 80/81 does not contain ur modification ummegge....hmm...do u know when it will be released?

Sorry i don´t know, until now there was no responds or further ideas for enhancements/corrections etc. ...

In Core 81 is a new check for the 'CERT_NAME' field in ovpnmain.cgi, so you need to patch your CGI again to use your additional configs(like above explained). The patch from the start post should work.

0 penne wrote://add, maybe it's interesting for the user, if in the webgui is a small note, that the server.conf.local/client.conf.local containsmodifications......just a transparency idea....just something to think about....its not really a request....

Why not, ideas ?

Greetings,

UE

penne


.


hmm, thanx for the info.....thought that this is not a very complex modification, so it gets fast implemented.....but does not seemsso....

greets



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » August 8th, 2014, 4:14 pm

Hi penne, sometimes it doesn´t depends on complexity , time and other things to handle are also sometimes a factor. Also,

0 penne wrote://add, maybe it's interesting for the user, if in the webgui is a small note, that the server.conf.local/client.conf.local containsmodifications......just a transparency idea....just something to think about....its not really a request....

some ideas ? Why not develope a little bit more ?

Greetings,

UE

penne


.

Re: OpenVPN - Additional configs for server and clients/ by penne » August 9th, 2014, 8:40 am

Hoi,

have added a screenshot. Just a idea, another idea would be to list den modifications(just a list, not editable).

programming of this could be:count lines in server.conf.local/client.conf.local, which are not empty and begin with #or for the listreadlines which r not empty or begins with #

if all developers think that something like this would be a good idea, i will poste some code basics, otherwise i dont ;-). So i do notspend time in something which never will be released....

greets

ESLALO001


.

Re: OpenVPN - Additional configs for server and clients/ by ESLALO001 » August 9th, 2014, 9:35 am

Hi penne, hi unmeegge,

Is programming a viewbox with the user modification (from server/client.conf.local) to many work for this enhancement?The information that any modification found is good but is a complete display not better?if I forget what I have just entered, I need look in each file.

ALO



.


Last edited by ummeegge on August 13th, 2014, 8:24 am, edited 1 time in total.

Hi all,

0 penne wrote:have added a screenshot. Just a idea, another idea would be to list den modifications(just a list, not editable).

Possibly a good idea.

0 penne wrote:if all developers think that something like this would be a good idea, i will poste some code basics, otherwise i dont ;-). So i do not spendtime in something which never will be released....

How should this be done ??

0 ESLALO001 wrote:Is programming a viewbox with the user modification (from server/client.conf.local) to many work for this enhancement?The information that any modification found is good but is a complete display not better?if I forget what I have just entered, I need look in each file.

As a first idea:

The di!´s looks like this:

ovpnmain.cgi.patch:

CODE: SELECT ALL

de.pl.patch:

CODE: SELECT ALL

en.pl.patch:

CODE: SELECT ALL

There is the need to refresh the language cache cause the language files have new entries which can be done by using this perlcommand:

CODE: SELECT ALL

Please use fresh/unmodified versions of ovpnmain.cgi, de.pl and en.pl from Core 81 which can be found in here:

http://git.ipfire.org/?p=ipfire-2.x.git ... ads/core81http://git.ipfire.org/?p=ipfire-2.x.git ... ads/core81http://git.ipfire.org/?p=ipfire-2.x.git ... ads/core81

Thinkin about to integrate an editable WUI for *.local.conf´s that´s why there are this textboxes in there at this time.

Also the Bash code was removed and substituted with Perl to add|change permissions for the *.local.config´s.

UE

--- ovpnmain.cgi.core81 2014-08-13 10:19:41.599943197 +0200+++ ovpnmain.cgi 2014-08-13 10:20:45.322931313 +0200@@ -70,6 +70,9 @@ my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; my $col="";+my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";+my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";+ &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off';@@ -98,6 +101,14 @@ unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); }

--- de.pl.core81 2014-08-11 16:19:09.723482955 +0200+++ de.pl 2014-08-11 16:13:51.788538690 +0200@@ -1669,6 +1669,11 @@ 'outgoing traffic in bytes per second' => 'Abgehender Verkehr', 'override mtu' => 'Überschreibe Standard MTU', 'ovpn' => 'OpenVPN',+'ovpn add client conf' => 'Erweiterte Client Konfiguration',+'ovpn add config' => 'Server/Client Konfiguration',+'ovpn add config1' => 'Erweiterte Konfiguration',+'ovpn add config2' => 'User definiert',+'ovpn add server conf' => 'Erweiterte Server Konfiguration', 'ovpn con stat' => 'OpenVPN Verbindungs-Statistik', 'ovpn config' => 'OVPN-Konfiguration', 'ovpn crypt options' => 'Kryptografieoptionen',

--- en.pl.core81 2014-08-11 16:18:55.693558962 +0200+++ en.pl 2014-08-11 16:13:51.801871951 +0200@@ -1700,6 +1700,11 @@ 'outgoing traffic in bytes per second' => 'Outgoing Traffic', 'override mtu' => 'Override default MTU', 'ovpn' => 'OpenVPN',+'ovpn add client conf' => 'Additional client configuration',+'ovpn add config' => 'Server/Client configurations',+'ovpn add config1' => 'Additional Configuration',+'ovpn add config2' => 'User defined',+'ovpn add server conf' => 'Additional server configuration', 'ovpn con stat' => 'OpenVPN Connection Statistics', 'ovpn config' => 'OVPN-Config', 'ovpn crypt options' => 'Cryptographic options',


ESLALO001


.


Hello UE,

Great job. Perfect.

TX

ALO

penne


.


Hoi,

that looks great. Will test it...

greets

penne


.


Last edited by penne on August 11th, 2014, 4:30 pm, edited 1 time in total.

Hoi,

the patch does not work for me....if i navigate to Openvpn in the menubar:

"Globale Server und Client Erweiterungen" directly will be opened. There's no way to open the standard openvpn page any more....

0

if all developers think that something like this would be a good idea, i will poste some code basics, otherwise i dont ;-). So i do not spendtime in something which never will be released....

How should this be done ??

---> can be done via voting? Developers for special sections(openvpn,proxy,snort) will initiate a voting for new functions. The Leadersof the Ipfire project(michael,arne,stefan,......) have to vote for yes/no/modify....otherwise you will develope great new features, whichnever find the way into the release....i think, ur modification is great.......

//add: i will check the new patch later again...

greets



.


0 penne wrote:the patch does not work for me....if i navigate to Openvpn in the menubar:

"Globale Server und Client Erweiterungen" directly will be opened. There's no way to open the standard openvpn page any more....

Like above explained you need to execute

CODE: SELECT ALL

to refresh the language cache.

0 penne wrote:---> can be done via voting? Developers for special sections(openvpn,proxy,snort) will initiate a voting for new functions. The Leaders ofthe Ipfire project(michael,arne,stefan,......) have to vote for yes/no/modify....otherwise you will develope great new features, which neverfind the way into the release....i think, ur modification is great.......

At this time Bugzilla made this job. I have posted the link for this develpoment in this topic where it is already important that all ideascome togehter, all people which are interessted in that topic and have the ability to contribute some new ideas in it should bring all thatstu! togehter and go then for a introduction. I think it makes no sense to wait for a "o.k." or "not o.k." if the appropriate code isn´tthere for a overview. You may got some Ideas how to handle this somewhere else or even better ?

UE


penne


.


Last edited by penne on August 11th, 2014, 6:18 pm, edited 1 time in total.

Hoi,

now it works...i did not patch the en.pl, that was the mistake...

another idea:

normal users(like me) does not know, which openvpn config parameters are set via the webui for *.confs. so the Problem is, that weonly see the modifications of the *.local.confs. there's no way to see the *.confs via webui. Does it makes sense to see all parameters inthe webgui? R any possible converse constellations in *.confs and *.local.confs?

//add: the 'zurück' link leads to the standard openvpn Page, not to the 'erweiterte openvpn' page....

greets

ESLALO001


.


Last edited by ESLALO001 on August 15th, 2014, 9:45 am, edited 1 time in total.

hello UE,

tha patch of the german de.pl not running.I receive following messages:

CODE: SELECT ALL

i don't change the original de.pl anytime.

The patch for the english en.pl running without errors.

ALO

I compare the original de.pl with the file from your link.both are the same.

patching file de.plHunk #1 succeeded at 1669 with fuzz 2.Hunk #2 succeeded at 1687 with fuzz 2.

ESLALO001


.


Last edited by ESLALO001 on August 15th, 2014, 1:34 pm, edited 1 time in total.

i believe that the problem is the transfer (Windows to ipfire) the german patch file.the "Umlaute" not translate correct?!Have you a wget adress than i can download direct to my ipfire from the de.pl.patch file?

ALO

ESLALO001


.



i patch the de.pl (with error messages) and test it.All is running correct. (is the message a real error message?)

ALO

ESLALO001


.


I found a little error in the view. (see attachment)the box for client.conf.local have no scroll bar.

Any hints what wrong?

ALO

, - 1 -




































































http://git.ipfire.org/?p=ipfire-2.x.git;a=blob_plain;f=html/cgi-bin/ovpnmain.cgi;hb=refs/heads/core81

http://git.ipfire.org/?p=ipfire-2.x.git;a=blob_plain;f=langs/de/cgi-bin/de.pl;hb=refs/heads/core81

http://git.ipfire.org/?p=ipfire-2.x.git;a=blob_plain;f=langs/en/cgi-bin/en.pl;hb=refs/heads/core81

















































# FAQ $ Login



Locked & 79 posts ' 1 2 3 4 5 6 (





Privacy | Terms

+ Quick links

, -

ESLALO001


.



Next error.You can change the value in the box (the update don't save anything ).

ALO



.


Last edited by ummeegge on August 17th, 2014, 3:37 pm, edited 1 time in total.

Hi all,

0 penne wrote:normal users(like me) does not know, which openvpn config parameters are set via the webui for *.confs. so the Problem is, that we only seethe modifications of the *.local.confs. there's no way to see the *.confs via webui. Does it makes sense to see all parameters in the webgui?R any possible converse constellations in *.confs and *.local.confs?

this leads someday to the question, 'why the whole configuration shouldn´t be editable over the WUI', which i think is an interesstingone. In that way there is a highly flexible OpenVPN configuration possible. To make this first as an readonly, it should be no problem todo so with the whole server.conf cause there is already a file which can be readout, for the client.ovpn some more steps needs to bemade. Possibly you got some code ideas in this direction ?

0 penne wrote://add: the 'zurück' link leads to the standard openvpn Page, not to the 'erweiterte openvpn' page....

Yes, cause the 'erweiterte openvpn' page have no separated address where i can backlink to.

0 ESLALO001 wrote:tha patch of the german de.pl not running.I receive following messages:

CODE: SELECT ALL

This is not really an error but happens normally if there are 2 di!erent versions in the di!ed and patched file.Have had here no Hunks.

0 ESLALO001 wrote:Have you a wget adress than i can download direct to my ipfire from the de.pl.patch file?

If you still need it, i can upload you a package.

0 ESLALO001 wrote:I found a little error in the view. (see attachment)the box for client.conf.local have no scroll bar.

The scrollbar exists if the lines from the *.local.*conf´s are longer as the textbox width.But indeed the textbox oversize is not pretty, have this behavior here only with a very high valued page width setting which causes thedynamic page width i think. In the proxy WUI is an equal behavior altought not that vast. This can be solved by e.g. given another <tr></tr> between both windows, or even with less textarea cols. Did you played a little around with the values ?

0 ESLALO001 wrote:Next error.You can change the value in the box (the update don't save anything ).

This is no error, in the previouse post i wrote

0 ummeegge wrote:Thinkin about to integrate an editable WUI for *.local.conf´s that´s why there are this textboxes in there at this time.

where i meant that i´am not sure if *.local.config´s should be editable over the WUI, so a 'save' and 'cancel' button and a little bit morecode is needed to belong to this.

In generall thank you both for checking this out, but at this time i don´t think that the WUI feature is a good idea it was an idea for ALO´s request, where you ALO can gladly use this code idea for further development or whatever. Possibly i will try also some more thingsout if i have enough time to do so.

Greetings,

UE

patching file de.plHunk #1 succeeded at 1669 with fuzz 2.Hunk #2 succeeded at 1687 with fuzz 2.

ESLALO001


.


Hello UE,

i'm happy when the basic change (without WbGUI view) releasded in one of the following core update (have you any information aboutstatus?).The enhancements in the GUI are good, but not essential.

ALO



.


Hi ALO,Michael have already ask for merging the code --> http://lists.ipfire.org/pipermail/sig-v ... 00081.html but at this time i thought therewould possibly come some other ideas and a further development and wanted to spring a little more time but there wasn´t any furthersteps respectively a code contribution from other people. So i decided to push now the new version to Git --> http://git.ipfire.org/?p=people/ummeegg ... d73c83b8ab and make for the firstnow a stop with this here.

You can also answer (or even quest) something to the above linked mailinglist or either to Bugzilla.

Greetings,

UE

penne


.

Re: OpenVPN - Additional configs for server and clients/ by penne » August 17th, 2014, 10:09 am

great......greats

ESLALO001


.

Re: OpenVPN - Additional configs for server and clients/ by ESLALO001 » September 12th, 2014, 1:24 pm

Last edited by ESLALO001 on September 12th, 2014, 1:26 pm, edited 1 time in total.

hello UE,

i install the core 82 on my test system and i don't found the change in the vpn conf files. if there any problem with release the feature?

can you change the patch files for core82?

ALO



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » September 12th, 2014, 8:04 pm

Hi ALO,try this one...

CODE: SELECT ALL

Greets,

UE

--- ovpnmain.cgi.Core82 2014-09-12 20:39:24.794824367 +0200+++ ovpnmain.cgi 2014-09-12 20:44:56.899691867 +0200@@ -70,6 +70,9 @@ my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; my $col="";+my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";+my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";+ &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off';@@ -98,6 +101,15 @@ unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); }

ESLALO001


.

Re: OpenVPN - Additional configs for server and clients/ by ESLALO001 » September 28th, 2014, 8:41 pm

Last edited by ESLALO001 on September 28th, 2014, 8:46 pm, edited 1 time in total.

Hi UE,

and the same question about core 83...

ALO

do you have any idea when that feature will be fix installed?



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » September 29th, 2014, 5:04 am

Hi ALO,as a beside info you can search also for the lines without '+' before and after the new code and copy/paste the patch step by step toovpnmain.cgi (don´t forget to delete the '+'). Nevertheless here is the new one for Core 83.

CODE: SELECT ALL

0 ESLALO001 wrote:do you have any idea when that feature will be fix installed?

No. As i wrote here -->

0 ummeegge wrote:You can also answer (or even quest) something to the above linked mailinglist or either to Bugzilla.

there is also the possibility for people who are interessted in this feature to go the next step to a development discussion by the aboveposted addresses (mailinglist and bugzilla).Have tried to help out penne with his wish for this function and i think at least there should be a little more initiative from the usersidein here. Also if there where new ideas like this --> https://forum.ipfire.org/http://forum.i ... 4#msg72964 it should be self-evidentthat the code will be posted in here to belong to a better result.

May there will become some more movement in here but i think it depense on you who are interessted in it .

UE

--- ovpnmain.cgi.core83 2014-09-29 06:34:22.000000000 +0200+++ ovpnmain.cgi 2014-09-29 06:33:55.000000000 +0200@@ -70,6 +70,9 @@ my $customnet="${General::swroot}/fwhosts/customnetworks"; my $name; my $col="";+my $local_serverconf = "${General::swroot}/ovpn/scripts/server.conf.local";+my $local_clientconf = "${General::swroot}/ovpn/scripts/client.conf.local";+ &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); $cgiparams{'ENABLED'} = 'off'; $cgiparams{'ENABLED_BLUE'} = 'off';@@ -98,6 +101,15 @@ unless (-e "${General::swroot}/ovpn/ccd.conf") { system("touch ${General::swroot}/ovpn/ccd.conf"); }



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » November 11th, 2014, 3:34 pm

Some changes:

* Added also a checkbox (on/o!) in the WUI under 'Advanced server options' .

* Changed the order in 'Miscellaneous options' section also a little.* Update for Core 85

* Optimized code in particular sections a little. Perl makes now ccd* file generation (changed the system(touch...) command).Unified the html code tags.

Patches can be found as usual here --> https://forum.ipfire.org/http://forum.i ... 0#msg71150

Greetings,

UE

ESLALO001


.

Re: OpenVPN - Additional configs for server and clients/ by ESLALO001 » November 11th, 2014, 7:54 pm

hello UE,

sorry, but i don't understand this topic update from you.The link you are posted are a loop. There link to this topic not to a new topic whit the patch.

Come this fix in the next core update 86, or what say me your update?

ALO



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » November 12th, 2014, 4:55 am

Hi ALO,sorry that you don´t understand this update (this is not a fix) but there was an request from other people with other ideas. If you arestill interessted in this topic please check the lower end of the link and read the loop.

UE

ESLALO001


.

Re: OpenVPN - Additional configs for server and clients/ by ESLALO001 » November 12th, 2014, 4:52 pm

Hi UE,

Now i understand your update.I see your change for Core 85. sorry



.

Re: OpenVPN - Additional configs for server and clients/ by ummeegge » December 9th, 2014, 6:35 pm

Hi all,so for the first, the last changes from here, should come with Core 87 --> http://git.ipfire.org/?p=ipfire-2.x.git ... 7aa0352a4e . Haveadded also wiki explanationsin german:http://wiki.ipfire.org/de/configuration ... e_optionenand also in english:http://wiki.ipfire.org/en/configuration ... use_option

might be great if you can check all functions if Core 87 comes to testing tree, but also the wiki explanations for elements of possibleunlogic .

Thanks and greetings,

UE

ESLALO001


.

Re: OpenVPN - Additional configs for server and clients/ by ESLALO001 » December 9th, 2014, 8:52 pm

Hi UE,

SUPER. !!!Thanks for this feature. The wiki looks like good, but i believe that another user must be check it. I know the feature.....

ALO

, - 1 -


























































http://lists.ipfire.org/pipermail/sig-vpn/2014-August/000081.html

http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=8ebb58c62b4fd3361a67f136d319a5d73c83b8ab

























































http://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=18f2b3d171c4b03a8801fcc595e2907aa0352a4e

http://wiki.ipfire.org/de/configuration/services/openvpn/config/advanced_set%23sonstige_optionen

http://wiki.ipfire.org/en/configuration/services/openvpn/config/advanced_set%23miscellaneouse_option








# FAQ $ Login


Locked & Search this topic… ! " 79 posts ' 1 2 3 4 5 6

Locked & 79 posts ' 1 2 3 4 5 6

( Return to “Development”

% Home ‹ Index All times are UTC) Delete cookies



Privacy | Terms

* Quick links

+ ,

ms007

Posts: 12Joined: September 13th, 2012, 1:12 pm

-

Re: OpenVPN - Additional configs for server and clients. by ms007 » March 14th, 2015, 3:17 pm

Hi UE,

great job!

Your post as of 12/09/14 should be some sort of sticky at top of the thread and even in "Deutschsprachiger Bereich | Konfiguration |VPN" ...

Do you have some best practice to get your update surviving future updates of ipfire? I do not really understand the positioning in git -commit. Does that mean we will see your update in the next (or some later) core edition? Or is your advice just "pay attention!"?

By the way, your link to the english wiki works for me whereas the link to the german wiki claims "permission denied"??

Thanks for your top support.ms007

ESLALO001


-

Re: OpenVPN - Additional configs for server and clients. by ESLALO001 » March 14th, 2015, 4:30 pm

Hi ms007,

i see in the english wiki this enhancement. The note say, that this feature come with core 88.

ALO



-

Re: OpenVPN - Additional configs for server and clients. by ummeegge » March 16th, 2015, 9:35 am

Hi ms007,thanks for your feedback.

/ ms007 wrote:

Your post as of 12/09/14 should be some sort of sticky at top of the thread and even in "Deutschsprachiger Bereich | Konfiguration | VPN"...

I wrote a little conclusion on the top of the thread, so there should be no need to read through the whole post anymore. Since thisfeature will be released with Core 88, i think i will leave the information transfer about this feature in this state, have linked from thewiki to this thread and the start post in here points also to the wiki. But if you like to write another post in the german section you arewelcome to do so.

/ ms007 wrote:

Do you have some best practice to get your update surviving future updates of ipfire? I do not really understand the positioning in git -commit. Does that mean we will see your update in the next (or some later) core edition? Or is your advice just "pay attention!"?later

Like Alo wrote, this feature should be released with Core 89. The development time was changed to testing time in here so some partsof this topic appears to be not so clear but i hope with the little conclusion in the start thread things should be more clearer.

/ ms007 wrote:

By the way, your link to the english wiki works for me whereas the link to the german wiki claims "permission denied"??

This is because all other languages (except the english one) was deleted --> http://planet.ipfire.org/post/the-death ... umentation .

/ ms007 wrote:

Thanks for your top support.

You are welcome, it might be great if there come some more suggestions of additional configurations from other people, so if you´dlike you can introduce also your ideas of this topic before i will close it (some days after release).

Greetings,

UE

EDIT: Since the Core 88 update was a security one, the release Core version of this feature has been changed to one later --> Core 89 .



-

Re: OpenVPN - Additional configs for server and clients. by ummeegge » April 22nd, 2015, 9:13 am

Hi all,since Core 89 contains this feature i would like to close this topic here in the next 2 days (and stay tuned for some more potential bugsor may some more ideas or emotions or whatever ) and would like to say a big thanks too all the helping hands in this community torealize such ideas...Otherwise if there are some further questions to this feature please head over to this topic --> viewtopic.php?f=5&t=13283 or use anown thread for this.

Greetings to all from

UmmeeggE

P.S. Updated the start post with the current state.

+ , 0 ,















































http://planet.ipfire.org/post/the-death-of-localized-documentation








openvpn - additional configs for server and clients

Documents