Update openvpn.inc
Added verbosity check for the case when verbosity_level is absent in config.xml
Removed unnecessary "else {";
patchpack1
- Fix #3401 (added tun option "Disable IPv6") - Added new options: route-nopull, route-noexec, verb
Allow the user to select "None" for OpenVPN client certificate, so long as they supply an auth user/pass. Ticket #3633
client-config-dir is also useful when using OpenVPN's internal DHCP while bridging.
This doesn't need via-env
Correct the sense of the check to allow openvpn to work
Correct auth-user-pass-verify to include parameters properly so openvpn can start
tls-verify requires quotes around the command to be executed. Ticket #3596
openvpn, allow for entering client user credentials in the WebGUI
Add escapeshellarg() calls on exec parameters. While I'm here, replace some exec() calls by php functions like symlink, copy, unlink, mkdir
Fix openssl path
Add support for local (push route) and remote (iroute) network definitions in an OpenVPN client-specific override entry.
Move also tls-verify to fcgicli to avoid forking php process. Maybe even this should be done as a plugin to avoid overhead of forking.
Migrate openvpn authentication to use fcgicli rather than forking a php process. Maybe we should consider writing a short library to do this
Use does_interface_exist rather than calling ifconfig directly
Use _vip as identifier for CARP vip IPs to allow easier upgrade code. This way only ipaliases on carp need to be upgraded.
Make more strict checks
Remove references to _vip interface and provide proper configuration for carp on FreeBSD 10. Still some places to deal with this and certainly missing upgrade code
Unset value should be '' and not 'none'
Change OpenVPN Compression settings to cover the full range of allowed settings on OpenVPN (unset, off, on, adaptive) rather than a simple off/on switch that either doesn't set the value or enables it with adaptive (OpenVPN's default).
Add an Authentication Digest Algorithm drop-down to OpenVPN server/client (SHA1 is the default since that is OpenVPN's default)
Fix #3174 Handling of gateway groups in openvpn_restart(). If the underlying vip of a gateway group that an openvpn client is bound to is in backup mode then the client should not start.
Remove prior CSC entry when cleaning up. Fixes #3143
Declare globals as global before defining them in openvpn.inc
Add warning comment about missing IPv6 implementation
IPv6 OpenVPN TAP mode typo
OpenVPN w/ IPv6 fails to set ifconfig-ipv6 value in conf #2991
Remember which interface was used by each OpenVPN conf
When interfaces go down and up we need to know which interface (vr1, vr2 etc) each OpenVPN instance is using so we can optimize our decision about which instances to resync. That data is not in the conf file (the conf file contains the IP address the instance binds to). This change puts the interface name into a little file in /var/etc/openvpn for later use.
Merge pull request #499 from phil-davis/master
Resync relevant OpenVPN instances when gateway group settings are modified
Clarify notes when there is an error reaching the openvpn management daemon for service status. Also, add service controls to the openvpn status page.
Provide openvpn_resync_gwgroup function
Allows all OpenVPN servers and clients that use a particular gateway group to be resynced in one easy call.
Better check for the right bits being set.
Always clear the OpenVPN route when using shared key, no matter what the tunnel network "CIDR" is set to, it still needs it.
Use the actual openvpn restart routine when starting/stopping from services rather than killing/restarting manually.
Permit openvpn to use same port on different interfaces. It should fix #814
is_subnet() will fail here if using comma-separated lists of networks. Use openvpn_validate_cidr() instead.
Display a list of ciphers accelerated by a specific engine. Also, skip engines that are listed but unavailable for direct use.
Fixup paths when executing OpenSSL.
Allow specifying multiple local/remote networks for OpenVPN separated by commas. While I'm here, fix up the IPv6 tunnel/remote/local network input validation. Simplify some code using functions.
Add GUI option to use "topology subnet" for OpenVPN, since the OpenVPN Connect iOS client requires it for IPv6
Add routing table display for each OpenVPN ssl/tls server instance, collapsed by default. Part of feature #2766
Needs more thought - might route something an unintended path. Perhaps a checkbox. Revert "Exclude the VPN peer from routes so as to not break connectivity to the actual VPN peer if a route includes its IP."
This reverts commit 5d8e8c9d25b55c6d3260e69fcf4620f76488d173.
Update etc/inc/openvpn.inc
Mute error when interface does not exist, e.g. after reboot.
Exclude the VPN peer from routes so as to not break connectivity to the actual VPN peer if a route includes its IP.
Use functions to reduce code duplication; Add function to clear route to the interface IP before starting openvpn, otherwise the process cannot start. Ticket #2712
Activate choices for UDP6 and TCP6 for OpenVPN. Make sure interface IP selection chooses the proper IP and sets the proper protocol string. May need some GUI input validation to prevent someone from selecting a *6 proto with an IPv4 VIP and vice versa.
Use the IPv6 tunnel network for peer to peer OpenVPN modes.
Wrap dir creation for openvpn in a function to reduce duplication, and use the function before places that could potentially write in the dir.
Create directory if it does not exist
Presence of a directory does not mean anything. Just continue up. Pointy-hat: myself
Unbreak the openvpn reading of configs. A dir needs to be executable to be searchable and readable inside. Reported-by: http://forum.pfsense.org/index.php/topic,55934.0/topicseen.html
Create necessary dir and unset conf string after writing to file
Merge pull request #244 from bcyrill/ovpn-alias
Fix: Use specified IP if available
Remove tags that are unused/no longer useful
Allow for changing OpenVPN TUN to TAP device mode without reboot.
Revert "Allow for changing OpenVPN TUN to TAP device mode without reboot." -- Adds blank OpenVPN servers, see ticket #2643
This reverts commit c8bb7f1527a99c69784ab6c01d9050adcde6a8a0.
Add forgotten "ipv6 remote network", clean up a couple bits, make sure local network box is hidden for shared key servers.
OpenVPN servers can start on carp vips, just not clients.
If we only have an IPv6 interface we'll use that, otherwise an IPv4 address always has preference. Revisit this for OpenVPN 2.3
Check in code that allows for using a gateway group as the interface on the OpenVPN server page. Only allow IPv4 gateway groups for now. We'll need to add IPv6 support here later when we import OpenVPN 2.3. Unbreak the gateway group function on broken configurations like a missing 3G stick....
Only add openvpn acl script lines if it's a server mode that does user auth
Import OpenVPN cisco style radius attributes applying policy to logged in users. Feature #2100
Whoops, don't flip these since I negated the test.
Flip this test around since it's safer to assume the dev mode is tun. Ticket #2432
Unbreak openvpn
Make vips vhid be unique per parent interface!
Be more intelligent when managing OpenVPN client connections bound to CARP VIPs. If the interface is in BACKUP status, do not start the client. Add a section to rc.carpmaster and rc.carpbackup to trigger this start/stop. If an OpenVPN client is active on both the master and backup system, they will cause conflicting connections to the server. Servers do not care as they only accept, not initiate.
Fix this ifconfig-push to also account for tap.
If there is a tunnel network in tap mode, the second parameter is a subnet mask, not the other IP.
username-as-common-name is not compatible with server-bridge, so don't put it in the config if server-bridge is active. Testing is needed to determine if there is any other negative impact, but with both present, openvpn will not start.
Fix order of client/server IPs and add a note, and clarify variable names. Fixes #2004.
Rework this a little since using tap+tunnel network is valid, but using tap+tunnel network+bridging is not (will not do what the user expects/wants)
Fix up OpenVPN server tap modes, support various options for providing or passing through DHCP. (Work in progress)
Assume a default value of 1 for cert_depth to disallow chaining.
Add GUI option to limit the certificate depth allowed when OpenVPN clients are connecting.
Fixup OpenVPN status a bit to properly handle SSL servers using a /30 (no server directive) and also be a little more verbose about what is happening, if we can tell.
Make initial changes to allow pfSense to work in a jail.
This mostly avoids starting things that will not work and gets the initial config. Most of the pfSense functionality will not work (pf rules, routing, etc) but it can be used for testing.
Rework OpenVPN status, show status for shared key servers.
Resolves #1719. Prevent disabled client/servers from being displayed on the widget.
Only apply remote_network setting for p2p modes, since it is not valid for remote access modes. Fixes #1707
CRL fixes for empty CRLs (so they don't kill OpenVPN)
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote-tracking branch 'mainline/master' into inc
Conflicts: etc/inc/priv.defs.inc
Don't check OpenVPN ports in use against disabled clients or servers
No need to use nohup when using mwexec_bg since it calls nohup itself. Also use fullpath to executables.
Conflicts: etc/inc/voucher.inc usr/local/www/fbegin.inc
Merge remote branch 'upstream/master'
Conflicts: etc/inc/openvpn.inc
When making a P2P SSL/TLS OpenVPN server, if the given CIDR for the tunnel network is a /30, don't use the OpenVPN server directive. See ticket #1417
Conflicts: etc/inc/interfaces.inc etc/inc/upgrade_config.inc etc/inc/vpn.inc
Conflicts: etc/inc/vslb.inc etc/version
Various CRL fixes, handle empty internal CRLs better.
Conflicts: etc/inc/pfsense-utils.inc