aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/openvpn/Makefile
Commit message (Collapse)AuthorAgeFilesLines
* openvpn: fix shell compare operator in openvpn.initMartin Schiller2020-09-091-1/+1
| | | | | | | | Don't use bash syntax, because /bin/sh is used here. Signed-off-by: Martin Schiller <ms@dev.tdt.de> [bump PKG_RELEASE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* openvpn: fix arguments passing to wrapped up and down scriptsJo-Philipp Wich2020-08-061-1/+1
| | | | | | | | | | | | | With the introduction of the generic OpenVPN hotplug mechanism, wrapped --up and --down scripts got the wrong amount and order of arguments passed, breaking existing configurations and functionality. Fix this issue by passing the same amount of arguments in the same expected order as if the scripts were executed by the OpenVPN daemon directly. Ref: https://github.com/openwrt/openwrt/pull/1596#issuecomment-668935156 Fixes: 8fe9940db6 ("openvpn: add generic hotplug mechanism") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: Allow override of interface nameMichal Hrusecky2020-07-231-1/+1
| | | | | | | | | | | If using a configuration file for OpenVPN, allow overriding name of the interface. The reason is that then people could use configuration file provided by VPN provider directly and override the name of the interface to include it in correct firewall zone without need to alter the configuration file. Signed-off-by: Michal Hrusecky <michal@hrusecky.net> (cherry picked from commit c93667358515ec078ef4ac96393623ac084e5c9e)
* openpvn: Split out config parsing code for reuseMichal Hrusecky2020-07-231-0/+5
| | | | | | | | Split out code that parses openvpn configuration file into separate file that can be later included in various scripts and reused. Signed-off-by: Michal Hrusecky <michal@hrusecky.net> (cherry picked from commit 86d8467c8ab792c79809a08c223dd9d40da6da2e)
* openvpn: add generic hotplug mechanismFlorian Eckert2020-06-171-2/+18
| | | | | | | | | | | | | | | | | | | Pass a default --up and --down executable to each started OpenVPN instance which triggers /etc/hotplug.d/openvpn/ scripts whenever an instance goes up or down. User-configured up and down scripts are invoked by the default shipped 01-user hotplug handler to ensure that existing setups continue to work as before. As a consequence of this change, the up, down and script_security OpenVPN options are removed from the option file, since we're always passing them via the command line, they do not need to get included into the generated configuration. Signed-off-by: Florian Eckert <fe@dev.tdt.de> [reword commit message, move hotplug executable to /usr/libexec] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: update to 2.4.9Magnus Kroken2020-04-181-2/+2
| | | | | | | | | | | | | | | This is primarily a maintenance release with bugfixes and improvements. This release also fixes a security issue (CVE-2020-11810) which allows disrupting service of a freshly connected client that has not yet negotiated session keys. The vulnerability cannot be used to inject or steal VPN traffic. Release announcement: https://openvpn.net/community-downloads/#heading-13812 Full list of changes: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to 2.4.8Magnus Kroken2019-12-221-4/+4
| | | | | | | | | | Backport two upstream commits that allow building openvpn-openssl without OpenSSLs deprecated APIs. Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* build: include BUILD_VARIANT in PKG_BUILD_DIRJeffery To2019-08-051-1/+0
| | | | | | | | | | | This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into account (if set), so that packages do not need to manually override PKG_BUILD_DIR just to handle variants. This also updates most base packages with variants to use the updated default PKG_BUILD_DIR. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* openvpn: fix handling of list optionsMatt Merhar2019-07-031-1/+1
| | | | | | | | | | | | | | This addresses an issue where the list option specified in /etc/config/openvpn i.e. 'tls_cipher' would instead show up in the generated openvpn-<name>.conf as 'ncp-ciphers'. For context, 'ncp_ciphers' appears after 'tls_cipher' in OPENVPN_LIST from openvpn.options. Also, the ordering of the options in the UCI config file is now preserved when generating the OpenVPN config. The two currently supported list options deal with cipher preferences. Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
* openvpn: openssl: explicitly depend on deprecated APIsMagnus Kroken2019-04-031-1/+1
| | | | | | | | OpenVPN as of 2.4.7 uses some OpenSSL APIs that are deprecated in OpenSSL >= 1.1.0. Signed-off-by: Magnus Kroken <mkroken@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [white space fix]
* openvpn: update to 2.4.7Magnus Kroken2019-04-011-3/+3
| | | | Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: re-add option comp_lzoMartin Schiller2018-12-121-1/+1
| | | | | | | | This option is deprecated but needs to be kept for backward compatibility. [0] [0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--comp-lzo Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* openvpn: add list element parsingFlorian Eckert2018-12-031-1/+1
| | | | | | | | | | | | | For the parameters tls-cipher and ncp-ciphers more than one option can be used in the OpenVPN configuration, separated by a colon, which should be implemented as a list in order to configure it more clearly. By adding the new OPENVPN_LIST option to the openvpn.options file with the tls-cipher and ncp-cipher parameters, uci can now add this option as a "list" and the init script will generate the appropriate OpenVPN configuration from it. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* openvpn: update to 2.4.6Jo-Philipp Wich2018-11-281-7/+6
| | | | | | | | | | | | Update the OpenVPN package to version 2.4.6, refresh patches and drop menuconfig options which are not supported upstream anymore. Also fix the x509-alt-username configure flag - it is not supported by mbedtls and was syntactically wrong in the Makefile - and the port-share option which has been present in menuconfig but not been used in the Makefile. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* treewide: Bump PKG_RELEASE due to mbedtls updateDaniel Engberg2018-07-301-1/+1
| | | | | | | Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library mismatch. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* openvpn: increase procd termination timeout to 15sJo-Philipp Wich2018-07-171-1/+1
| | | | | | | | | Increase the termination timeout to 15s to let OpenVPN properly tear down its connections, especially when weak links or complex down scripts are involved. Fixes FS#859. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mbedtls: Update to 2.11.0Daniel Engberg2018-07-071-1/+1
| | | | | | | | | | | | | | | | Update mbed TLS to 2.11.0 Disable OFB block mode and XTS block cipher mode, added in 2.11.0. The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS This is to avoid having a mismatch between packages when upgrading. The size of mbedtls increased a little bit: ipkg for mips_24kc before: 163.846 Bytes ipkg for mips_24kc after: 164.382 Bytes Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: update to version 2.9.0Hauke Mehrtens2018-05-221-1/+1
| | | | | | | | The soversion was changed in this version again and is now aligned with the 2.7.2 version. The size of the ipkg file stayed mostly the same. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* openvpn: remove deprecated config optionsHans Dedecker2018-03-201-1/+1
| | | | | | | | Remove deprecated config options in 2.5 as described in [0] [0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn: add config param verify_client_certChristian Bayer2018-03-171-1/+1
| | | | | | | | | Option --client-cert-not-required DEPRECATED is deprecated in v2.4 and removed in OpenVPN 2.5. Replaced by param --verify-client-cert none|optional|require in v2.4 see https://community.openvpn.net/openvpn/wiki/ DeprecatedOptions#a--client-cert-not-required Signed-off-by: Christian Bayer <cave@cavebeat.org> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_ RELEASE increase]
* openvpn: update to 2.4.5Magnus Kroken2018-03-091-3/+3
| | | | | Signed-off-by: Magnus Kroken <mkroken@gmail.com> Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-171-0/+1
| | | | | | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* openvpn: add support to start/stop single instancesMartin Schiller2017-11-131-1/+1
| | | | | Signed-off-by: Martin Schiller <ms@dev.tdt.de> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
* openvpn: update to 2.4.4Magnus Kroken2017-09-281-5/+4
| | | | | | | | | Fixes CVE-2017-12166: out of bounds write in key-method 1. Remove the mirror that was temporarily added during the 2.4.3 release. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: add "extra-certs" optionSven Roederer2017-09-191-1/+1
| | | | | | | | This option is used to specify a file containing PEM certs, to complete the local certificate chain. Which is quite usefull for "split-CA" setups. Signed-off-by: Sven Roederer <devel-sven@geroedel.de> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* openvpn: update to 2.4.3Magnus Kroken2017-06-261-3/+4
| | | | | | | | | | | | | | | | | | | | Fixes for security and other issues. See security announcement for more details: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 * Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508) * Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520) * Potential double-free in --x509-alt-username (CVE-2017-7521) * Remote-triggerable memory leaks (CVE-2017-7512) * Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522) * Null-pointer dereference in establish_http_proxy_passthru() * Restrict --x509-alt-username extension types * Fix potential 1-byte overread in TCP option parsing * Fix mbedtls fingerprint calculation * openssl: fix overflow check for long --tls-cipher option * Ensure option array p[] is always NULL-terminated * Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6) Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to v2.4.2Jo-Philipp Wich2017-05-121-2/+2
| | | | | | | | | | | | | Update to version 2.4.2 in order to address two potential Denial-of-Service vectors in OpenVPN. CVE-2017-7478 - Don't assert out on receiving too-large control packets CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2 Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: add myself as maintainerFelix Fietkau2017-04-121-1/+1
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* OpenVPN: Update to 2.4.1Daniel Engberg2017-04-121-4/+6
| | | | | | | | | Update OpenVPN to 2.4.1 Remove 200-small_build_enable_occ.patch as it's included upstream. Refresh patches Add mirror and switch to HTTPS Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* openvpn: move list of params and bools to a separate fileYousong Zhou2017-03-071-1/+5
| | | | | | | So that future patches for addition/removal of them can be more readable Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* openvpn: ssl-enabled variants also provide a virtual openvpn-crypto packageSven Roederer2017-01-261-1/+5
| | | | | | | | | | When relying on x.509 certs for auth and / or encryption of traffic you can't use package openvpn-nossl. Just have your package depend on openvpn-crypto to have SSL-encryption and X.509-support enabled in OpenVPN. If encryption / X.509 is not a must, use virtual packge openvpn, which is provided by all OpenVPN-variants. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* openvpn: let all openvpn variants provide a virtual openvpn packageJo-Philipp Wich2017-01-211-1/+2
| | | | | | | | | | Add PROVIDES:=openvpn to the default recipe in order to let all build variants provide a virtual openvpn package. The advantage of this approach is that downstream packages can depend on just "openvpn" without having to require a specific flavor. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: update to 2.4.0Magnus Kroken2016-12-301-2/+2
| | | | Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: use conditional dependencies to avoid pulling in unused ssl librariesFelix Fietkau2016-12-221-2/+2
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: reduce binary size using --gc-sections on linkingFelix Fietkau2016-12-221-0/+3
| | | | | | Saves around 9kb gzipped on MIPS Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: update to 2.4_rc2Magnus Kroken2016-12-221-8/+9
| | | | | | | | | | | | | | | | | OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl variant to openvpn-mbedtls. Some feature highlights: * Data channel cipher negotiation * AEAD cipher support for data channel encryption (currently only * AES-GCM) * ECDH key exchange for control channel * LZ4 compression support See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst for additional change notes. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* treewide: clean up download hashesFelix Fietkau2016-12-161-1/+1
| | | | | | Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: update to 2.3.13Magnus Kroken2016-11-211-2/+2
| | | | | | Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to 2.3.12Magnus Kroken2016-08-241-3/+3
| | | | | | | | | 300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream. Replaced 101-remove_polarssl_debug_call.patch with upstream backport. Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: fix missing cipher list for polarssl in v2.3.11Jo-Philipp Wich2016-06-281-1/+1
| | | | | | | | | | | Upstream OpenSSL hardening work introduced a change in shared code that causes polarssl / mbedtls builds to break when no --tls-cipher is specified. Import the upstream fix commit as patch until the next OpenVPN release gets released and packaged. Reported-by: Sebastian Koch <seb@metafly.info> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: update to 2.3.11Magnus Kroken2016-06-131-3/+3
| | | | | | | | | | Security fixes: * Fixed port-share bug with DoS potential * Fix buffer overflow by user supplied data Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: add support for tls-version-minMatteo Panella2016-06-071-1/+1
| | | | | | | | | | | | | Currently, the uci data model does not provide support for specifying the minimum TLS version supported in an OpenVPN instance (be it server or client). This patch adds support for writing the relevant option to the openvpn configuration file at service startup. Signed-off-by: Matteo Panella <morpheus@level28.org> [Jo-Philipp Wich: shorten commit title, bump pkg release] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: remove unrecognized optionDirk Neukirchen2016-06-011-1/+0
| | | | | | | | removed upstream in https://github.com/OpenVPN/openvpn/commit/9ffd00e7541d83571b9eec087c6b3545ff68441f now its always on Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
* openvpn: update to version 2.3.10Felix Fietkau2016-01-111-3/+3
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48201
* openvpn: fix configure optionsJohn Crispin2015-12-231-2/+1
| | | | | | | | | | | | | | | - eurephia: commit: Remove the --disable-eurephia configure option - fix option name: http proxy option is now called http-proxy (see configure.ac) fixes: configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de> SVN-Revision: 47979
* package: replace ifconfig-usage with ipSteven Barth2015-09-081-1/+1
| | | | | | Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46832
* openvpn: bump to 2.3.7.Felix Fietkau2015-06-181-3/+3
| | | | | | | | Two patches are dropped as they were already applied upstream. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> SVN-Revision: 46027
* openvpn: bump PKG_RELEASE.Felix Fietkau2015-06-141-1/+1
| | | | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> SVN-Revision: 45962
* openvpn: disable CBC record splitting in PolarSSL/mbedTLS (#19101)Jo-Philipp Wich2015-05-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | OpenVPN assumes that its control channel messages are sent and received unfragmented, this assumption is broken when CBC record splitting is enabled in mbedTLS. The record splitting is intended as countermeasure against BEAST attacks which do not apply to OpenVPN, therefore we simply disable it until upstream OpenVPN gains the ability to process fragmented control messages. Disabling the splitting also works around a (not remotely triggerable) segmentation fault in mbedTLS. References: * https://dev.openwrt.org/ticket/19101 * https://community.openvpn.net/openvpn/ticket/524 * https://github.com/ARMmbed/mbedtls/pull/185 Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 45602
* openvpn: autostart openvpn instances for each .conf file in /etc/openvpnJo-Philipp Wich2015-02-071-1/+1
| | | | | | | | | | | | | | | Align init behaviour with other distros by starting an OpenVPN instance for each config file found in /etc/openvpn/. This removes the additional requirement to "register" the configs with uci and thus simplifies the setup. Make sure to respect the disabled state in uci to not suddenly autostart instances which have been previously set to disabled, also skip configs which are already started due to uci configuration. Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> SVN-Revision: 44310