aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/openvpn
Commit message (Collapse)AuthorAgeFilesLines
* build: include BUILD_VARIANT in PKG_BUILD_DIRJeffery To2019-09-041-1/+0
| | | | | | | | | | | | This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into account (if set), so that packages do not need to manually override PKG_BUILD_DIR just to handle variants. This also updates most base packages with variants to use the updated default PKG_BUILD_DIR. Signed-off-by: Jeffery To <jeffery.to@gmail.com> (cherry picked from commit e545fac8d968864a965edb9e50c6f90940b0a6c9)
* openvpn: add new list option tls_ciphersuitesMartin Schiller2019-09-041-1/+2
| | | | | | | | To configure the list of allowable TLS 1.3 ciphersuites, the option tls_ciphersuites is used instead of tls_ciphers. Signed-off-by: Martin Schiller <ms@dev.tdt.de> (cherry picked from commit 261df949faad6dda43454868628f79265e9cc5e7)
* openvpn: fix handling of list optionsMatt Merhar2019-07-172-3/+4
| | | | | | | | | | | | | | | This addresses an issue where the list option specified in /etc/config/openvpn i.e. 'tls_cipher' would instead show up in the generated openvpn-<name>.conf as 'ncp-ciphers'. For context, 'ncp_ciphers' appears after 'tls_cipher' in OPENVPN_LIST from openvpn.options. Also, the ordering of the options in the UCI config file is now preserved when generating the OpenVPN config. The two currently supported list options deal with cipher preferences. Signed-off-by: Matt Merhar <mattmerhar@protonmail.com> (cherry picked from commit 1d4c4cbd20580dd211431ab58460a6eebd5e021e)
* openvpn: openssl: explicitly depend on deprecated APIsMagnus Kroken2019-04-031-1/+1
| | | | | | | | OpenVPN as of 2.4.7 uses some OpenSSL APIs that are deprecated in OpenSSL >= 1.1.0. Signed-off-by: Magnus Kroken <mkroken@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [white space fix]
* openvpn: update to 2.4.7Magnus Kroken2019-04-013-5/+5
| | | | Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: re-add option comp_lzoMartin Schiller2018-12-122-1/+2
| | | | | | | | This option is deprecated but needs to be kept for backward compatibility. [0] [0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions#a--comp-lzo Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* openvpn: add list element parsingFlorian Eckert2018-12-033-3/+20
| | | | | | | | | | | | | For the parameters tls-cipher and ncp-ciphers more than one option can be used in the OpenVPN configuration, separated by a colon, which should be implemented as a list in order to configure it more clearly. By adding the new OPENVPN_LIST option to the openvpn.options file with the tls-cipher and ncp-cipher parameters, uci can now add this option as a "list" and the init script will generate the appropriate OpenVPN configuration from it. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* openvpn: update to 2.4.6Jo-Philipp Wich2018-11-285-37/+8
| | | | | | | | | | | | Update the OpenVPN package to version 2.4.6, refresh patches and drop menuconfig options which are not supported upstream anymore. Also fix the x509-alt-username configure flag - it is not supported by mbedtls and was syntactically wrong in the Makefile - and the port-share option which has been present in menuconfig but not been used in the Makefile. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* treewide: Bump PKG_RELEASE due to mbedtls updateDaniel Engberg2018-07-301-1/+1
| | | | | | | Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library mismatch. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* openvpn: increase procd termination timeout to 15sJo-Philipp Wich2018-07-172-1/+2
| | | | | | | | | Increase the termination timeout to 15s to let OpenVPN properly tear down its connections, especially when weak links or complex down scripts are involved. Fixes FS#859. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mbedtls: Update to 2.11.0Daniel Engberg2018-07-071-1/+1
| | | | | | | | | | | | | | | | Update mbed TLS to 2.11.0 Disable OFB block mode and XTS block cipher mode, added in 2.11.0. The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS This is to avoid having a mismatch between packages when upgrading. The size of mbedtls increased a little bit: ipkg for mips_24kc before: 163.846 Bytes ipkg for mips_24kc after: 164.382 Bytes Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: update to version 2.9.0Hauke Mehrtens2018-05-221-1/+1
| | | | | | | | The soversion was changed in this version again and is now aligned with the 2.7.2 version. The size of the ipkg file stayed mostly the same. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* openvpn: remove deprecated config optionsHans Dedecker2018-03-202-8/+1
| | | | | | | | Remove deprecated config options in 2.5 as described in [0] [0] https://community.openvpn.net/openvpn/wiki/DeprecatedOptions Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openvpn: add config param verify_client_certChristian Bayer2018-03-172-1/+2
| | | | | | | | | Option --client-cert-not-required DEPRECATED is deprecated in v2.4 and removed in OpenVPN 2.5. Replaced by param --verify-client-cert none|optional|require in v2.4 see https://community.openvpn.net/openvpn/wiki/ DeprecatedOptions#a--client-cert-not-required Signed-off-by: Christian Bayer <cave@cavebeat.org> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_ RELEASE increase]
* openvpn: update to 2.4.5Magnus Kroken2018-03-094-24/+19
| | | | | Signed-off-by: Magnus Kroken <mkroken@gmail.com> Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* openvpn: fix interface with mbedtls_sha256Russell Senior2018-02-171-0/+11
| | | | | | | | | Between mbedtls 2.6.0 and 2.7.0, the void returning mbedtls_MODULE* functions were deprecated in favor of functions returning an int error code. Use the new function mbedtls_sha256_ret(). Signed-off-by: Russell Senior <russell@personaltelco.net> Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-171-0/+1
| | | | | | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* openvpn: add support to start/stop single instancesMartin Schiller2017-11-132-18/+37
| | | | | Signed-off-by: Martin Schiller <ms@dev.tdt.de> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
* openvpn: update to 2.4.4Magnus Kroken2017-09-282-34/+58
| | | | | | | | | Fixes CVE-2017-12166: out of bounds write in key-method 1. Remove the mirror that was temporarily added during the 2.4.3 release. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: add "extra-certs" optionSven Roederer2017-09-192-1/+2
| | | | | | | | This option is used to specify a file containing PEM certs, to complete the local certificate chain. Which is quite usefull for "split-CA" setups. Signed-off-by: Sven Roederer <devel-sven@geroedel.de> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* openvpn: update to 2.4.3Magnus Kroken2017-06-265-13/+14
| | | | | | | | | | | | | | | | | | | | Fixes for security and other issues. See security announcement for more details: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 * Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508) * Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520) * Potential double-free in --x509-alt-username (CVE-2017-7521) * Remote-triggerable memory leaks (CVE-2017-7512) * Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522) * Null-pointer dereference in establish_http_proxy_passthru() * Restrict --x509-alt-username extension types * Fix potential 1-byte overread in TCP option parsing * Fix mbedtls fingerprint calculation * openssl: fix overflow check for long --tls-cipher option * Ensure option array p[] is always NULL-terminated * Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6) Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to v2.4.2Jo-Philipp Wich2017-05-121-2/+2
| | | | | | | | | | | | | Update to version 2.4.2 in order to address two potential Denial-of-Service vectors in OpenVPN. CVE-2017-7478 - Don't assert out on receiving too-large control packets CVE-2017-7479 - Drop packets instead of assert out if packet id rolls over Ref: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.2 Ref: https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: add myself as maintainerFelix Fietkau2017-04-121-1/+1
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* OpenVPN: Update to 2.4.1Daniel Engberg2017-04-124-20/+12
| | | | | | | | | Update OpenVPN to 2.4.1 Remove 200-small_build_enable_occ.patch as it's included upstream. Refresh patches Add mirror and switch to HTTPS Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* openvpn: add extra respawn parametersMartin Schiller2017-03-221-0/+3
| | | | | | | | | | | | | | | This change protects the openvpn instances to be marked as "in a crash loop" and thereby the connection retries will run infinitely. When the remote site of an openvpn connection goes down for some time (network failure etc.) the openvpn instance in an openwrt/lede device should not stop retrying to establish the connection. With the current limit of 5 retries, there is a user interaction required, which isn't really what you want when the device should simply do everything to keep the vpn connection up. Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* openvpn: move list of params and bools to a separate fileYousong Zhou2017-03-073-30/+205
| | | | | | | So that future patches for addition/removal of them can be more readable Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* openvpn: adding key_direction to append_params.Brandon Koepke2017-02-031-2/+2
| | | | | | key_direction shows up as an openvpn option in the user-interface but does not end up in the /var/etc/openvpn*.conf file. Adding it to the list here fixed the issue for me. Signed-off-by: Brandon Koepke <bdkoepke@fastmail.com>
* openvpn: add support for various new 2.4 configuration optionsMagnus Kroken2017-01-271-24/+19
| | | | | | | Updates to openvpn.init were included in early OpenVPN 2.4 patch series, but got lost along the way and were never merged. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: ssl-enabled variants also provide a virtual openvpn-crypto packageSven Roederer2017-01-261-1/+5
| | | | | | | | | | When relying on x.509 certs for auth and / or encryption of traffic you can't use package openvpn-nossl. Just have your package depend on openvpn-crypto to have SSL-encryption and X.509-support enabled in OpenVPN. If encryption / X.509 is not a must, use virtual packge openvpn, which is provided by all OpenVPN-variants. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* openvpn: let all openvpn variants provide a virtual openvpn packageJo-Philipp Wich2017-01-211-1/+2
| | | | | | | | | | Add PROVIDES:=openvpn to the default recipe in order to let all build variants provide a virtual openvpn package. The advantage of this approach is that downstream packages can depend on just "openvpn" without having to require a specific flavor. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: update to 2.4.0Magnus Kroken2016-12-301-2/+2
| | | | Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: use conditional dependencies to avoid pulling in unused ssl librariesFelix Fietkau2016-12-221-2/+2
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: reduce binary size using --gc-sections on linkingFelix Fietkau2016-12-221-0/+3
| | | | | | Saves around 9kb gzipped on MIPS Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: fix disabling DES support in mbedtlsFelix Fietkau2016-12-221-0/+81
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to 2.4_rc2Magnus Kroken2016-12-2211-75/+103
| | | | | | | | | | | | | | | | | OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl variant to openvpn-mbedtls. Some feature highlights: * Data channel cipher negotiation * AEAD cipher support for data channel encryption (currently only * AES-GCM) * ECDH key exchange for control channel * LZ4 compression support See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst for additional change notes. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* treewide: clean up download hashesFelix Fietkau2016-12-161-1/+1
| | | | | | Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* openvpn: quote parameters to --push in openvpn config fileMagnus Kroken2016-12-121-1/+2
| | | | | | | | | | | | | | OpenVPN requires arguments to --push to be enclosed in double quotes. One set of quotes is stripped when the UCI config is parsed. Change append_params() of openvpn.init to enclose push parameters in double quotes. Unquoted push parameters do not cause errors in OpenVPN 2.3, but OpenVPN 2.4 fails to start with unquoted push parameters. Fixes: FS#290. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: update to 2.3.13Magnus Kroken2016-11-211-2/+2
| | | | | | Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: cacert does not existJohn Crispin2016-10-271-2/+2
| | | | | | cacert is really called ca and already in the script Signed-off-by: John Crispin <john@phrozen.org>
* openvpn: add handling for capath and cafileJohn Crispin2016-10-271-1/+1
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* openvpn: update to 2.3.12Magnus Kroken2016-08-245-67/+37
| | | | | | | | | 300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream. Replaced 101-remove_polarssl_debug_call.patch with upstream backport. Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: fix missing cipher list for polarssl in v2.3.11Jo-Philipp Wich2016-06-282-1/+43
| | | | | | | | | | | Upstream OpenSSL hardening work introduced a change in shared code that causes polarssl / mbedtls builds to break when no --tls-cipher is specified. Import the upstream fix commit as patch until the next OpenVPN release gets released and packaged. Reported-by: Sebastian Koch <seb@metafly.info> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: update to 2.3.11Magnus Kroken2016-06-133-4/+25
| | | | | | | | | | Security fixes: * Fixed port-share bug with DoS potential * Fix buffer overflow by user supplied data Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openvpn: add support for tls-version-minMatteo Panella2016-06-072-2/+2
| | | | | | | | | | | | | Currently, the uci data model does not provide support for specifying the minimum TLS version supported in an OpenVPN instance (be it server or client). This patch adds support for writing the relevant option to the openvpn configuration file at service startup. Signed-off-by: Matteo Panella <morpheus@level28.org> [Jo-Philipp Wich: shorten commit title, bump pkg release] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: remove unrecognized optionDirk Neukirchen2016-06-011-1/+0
| | | | | | | | removed upstream in https://github.com/OpenVPN/openvpn/commit/9ffd00e7541d83571b9eec087c6b3545ff68441f now its always on Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
* openvpn: add support for X.509 name optionsJohn Crispin2016-03-081-0/+1
| | | | | | | | | x509-username-field was added in OpenVPN 2.2, and verify-x509-name was added in 2.3. This fixes ticket #18807. Signed-off-by: Jeffery To <jeffery.to@gmail.com> SVN-Revision: 48969
* openvpn: update to version 2.3.10Felix Fietkau2016-01-115-276/+5
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48201
* openvpn: added service_triggers() to init scriptFelix Fietkau2016-01-071-0/+4
| | | | | | | | | Follow up of #21469 This patch enables autoreloading openvpn via procd. Signed-off-by: Federico Capoano <nemesis@ninux.org> SVN-Revision: 48150
* openvpn: fix configure optionsJohn Crispin2015-12-231-2/+1
| | | | | | | | | | | | | | | - eurephia: commit: Remove the --disable-eurephia configure option - fix option name: http proxy option is now called http-proxy (see configure.ac) fixes: configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de> SVN-Revision: 47979
* openvpn: enable options consistency check even in the small buildFelix Fietkau2015-11-101-0/+12
| | | | | | | | | Only costs about 3k compressed, but significantly improves handling of configuration mismatch Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 47439