The new DCO module depends on OpenVPN 2.7.1.
For details refer to https://github.com/OpenVPN/openvpn/blob/v2.7.1/Changes.rst
Removed upstreamed wolfSSL patches:
- 101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
- 102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
Reworked 100-mbedtls-disable-runtime-version-check.patch to use
MBEDTLS_VERSION_STRING instead of a mutable buffer.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
This patch fixes two issues in the netifd protocol script:
1. Fix logic error in deprecated option filtering:
Previously, ${f%%:*} was called before checking for the deprecated
flag (:d). This stripped the suffix and made the check [ "${f#*:}" = "d" ]
always fail. The cleaning of $f is now deferred until after this check.
2. Improve parameter quoting for specific options:
- Adds single quotes to --push and --push-remove parameters to handle
spaces (e.g., "route 10.0.0.0 255.255.255.0").
- Unifies quoting for 'file' type options to improve shell safety.
- Refactors the build logic using a case statement for better
extensibility.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
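The ordering bug described in point 1 above, reproduced as an added example (this is not the OpenWrt proto script itself; the option list and function names are constructed). Option names carry an optional `:d` suffix marking them deprecated; stripping that suffix with `${f%%:*}` before testing `${f#*:}` means the test can never see the `d`, so deprecated options are always let through regardless of `allow_deprecated`.

```shell
#!/bin/sh
# Added example, not the proto script's own code. Each list entry is an
# option name with an optional ":d" suffix for "deprecated"; the names
# below are constructed.

# Buggy order: the suffix is stripped before it is inspected, so the
# deprecated check never matches and deprecated options always pass.
filter_opts_buggy() {
    allow_deprecated=$1; shift
    out=""
    for f in "$@"; do
        f=${f%%:*}
        if [ "${f#*:}" = "d" ] && [ "$allow_deprecated" != "1" ]; then
            continue
        fi
        out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Fixed order: inspect the flag first, strip the suffix afterwards.
filter_opts() {
    allow_deprecated=$1; shift
    out=""
    for f in "$@"; do
        if [ "${f#*:}" = "d" ] && [ "$allow_deprecated" != "1" ]; then
            continue
        fi
        f=${f%%:*}
        out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Demo with a constructed list: only the fixed variant drops comp_lzo
# when allow_deprecated is 0.
echo "buggy: $(filter_opts_buggy 0 cipher comp_lzo:d push)"   # cipher comp_lzo push
echo "fixed: $(filter_opts 0 cipher comp_lzo:d push)"         # cipher push
echo "fixed, allowed: $(filter_opts 1 cipher comp_lzo:d push)" # cipher comp_lzo push
```

Note that `${f#*:}` on a name without a colon yields the name itself, so the comparison with `d` is only true for a genuine `:d` suffix; the fix is purely the order of the two parameter expansions.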
- Process 'up'/'down' events to manage interface status.
- Add IPv4/IPv6 addresses and routes via netifd-proto.
- Parse DNS/search domains from foreign options.
- Convert netmasks and CIDR strings with new helpers.
- Apply MTU settings from OpenVPN environment.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
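The netmask and CIDR conversion mentioned above, written out as an added example in POSIX sh (not the proto script's own helpers; function names are assumptions). It goes slightly beyond the commit text by rejecting non-contiguous masks, which is the failure mode a proto handler should catch before passing addresses to netifd.

```shell
#!/bin/sh
# Added example, not the proto script's own helpers: convert between dotted
# netmasks, prefix lengths and CIDR strings using only arithmetic expansion.

# 255.255.255.0 -> 24. Returns 1 (prints nothing) for a malformed or
# non-contiguous mask such as 255.0.255.0.
netmask_to_prefix() {
    mask=$1
    oldifs=$IFS; IFS=.; set -- $mask; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # decimal octet without leading zeros (a leading zero would be
        # read as octal by the arithmetic below)
        case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    m=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    n=0
    while [ $n -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$((n + 1))
    done
    # every bit after the leading run of ones must be zero
    [ $(( m & ((1 << (32 - n)) - 1) )) -eq 0 ] || return 1
    echo $n
}

# 24 -> 255.255.255.0. Returns 1 for anything outside 0..32.
prefix_to_netmask() {
    p=$1
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -le 32 ] || return 1
    if [ "$p" -eq 0 ]; then m=0
    else m=$(( (4294967295 << (32 - p)) & 4294967295 )); fi
    printf '%d.%d.%d.%d\n' $(( (m >> 24) & 255 )) $(( (m >> 16) & 255 )) \
        $(( (m >> 8) & 255 )) $(( m & 255 ))
}

# 10.8.0.0/24 -> "10.8.0.0 255.255.255.0", the pair ifconfig-style
# helpers want. Returns 1 when there is no "/" or the prefix is invalid.
cidr_split() {
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" != "$1" ] || return 1
    mask=$(prefix_to_netmask "$plen") || return 1
    printf '%s %s\n' "$addr" "$mask"
}

# Demo with constructed inputs
echo "255.255.255.0 -> /$(netmask_to_prefix 255.255.255.0)"   # /24
echo "/20 -> $(prefix_to_netmask 20)"                          # 255.255.240.0
echo "10.8.0.0/24 -> $(cidr_split 10.8.0.0/24)"                # 10.8.0.0 255.255.255.0
netmask_to_prefix 255.0.255.0 || echo "255.0.255.0 rejected"   # rejected
```

The arithmetic relies on the shell's integer width being at least 33 bits (true for bash and dash on 64-bit targets), because `1 << 32` is used to build the "remaining bits" mask for a zero-length prefix.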
- Default to '--ifconfig-noexec' and '--route-noexec' to allow hotplug
script to handle IP and routing configuration.
- Only append '--auth-user-pass-verify' if the option is explicitly
configured to avoid unexpected authentication requirements.
- Fix missing retrieval of 'auth_user_pass', 'askpass', and 'tls_verify'.
- Remove redundant '--config' parameter (managed by option_builder).
- Simplify 'script_security' assignment logic.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Update the openvpn package to the latest version in
the 2.6.x branch while development of the 2.7.x branch
becomes stable enough to merge.
Signed-off-by: Sander van Deijck <sander@vandeijck.com>
move file and path type values to FILE type params
so they are better handled with quoting, in case
paths contain spaces.
Remove duplicate 'extra_certs'.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
fix the pop() bug
write options to a config file in case argv length > 63
netifd has a hard limit of 64 argv entries for its ucode
proto.run_command whereby '--param' is one, and its
'option string' is two.
follow-up to affa96dc81
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
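The argv-limit workaround described in the commit above, as an added example (not the OpenWrt proto handler's code). The limit value is an assumption based on the message: 64 entries in total, one of them the program name, with `--opt value` costing two entries and a bare `--flag` one. When the assembled vector would be too long, the options are written to a config file in OpenVPN's own syntax and only `--config FILE` is passed.

```shell
#!/bin/sh
# Added example, not the proto handler's code. MAX_ARGS is an assumption
# (netifd limit of 64 minus the program name).
MAX_ARGS=63

# Number of argv entries a shell-quoted option string expands to.
argv_count() {
    eval "set -- $1"
    echo $#
}

# Print either the options unchanged (short enough to pass directly) or
# "--config FILE" after writing them to FILE in openvpn config syntax.
# Values are expected to be free of double quotes.
build_cmdline() {
    opts=$1; cfg=$2
    if [ "$(argv_count "$opts")" -le "$MAX_ARGS" ]; then
        printf '%s\n' "$opts"
        return 0
    fi
    eval "set -- $opts"
    : > "$cfg"
    while [ $# -gt 0 ]; do
        key=${1#--}; shift
        # A following word that does not start with "--" is this option's value.
        if [ $# -gt 0 ] && [ "${1#--}" = "$1" ]; then
            case $1 in
                *' '*) printf '%s "%s"\n' "$key" "$1" >> "$cfg" ;;  # multi-word, e.g. push
                *)     printf '%s %s\n' "$key" "$1" >> "$cfg" ;;
            esac
            shift
        else
            printf '%s\n' "$key" >> "$cfg"
        fi
    done
    printf '%s %s\n' --config "$cfg"
}

# Demo with a constructed short option set: short enough to stay inline,
# so no file is written.
build_cmdline "--dev tun0 --nobind --cipher AES-256-GCM" /tmp/openvpn-demo.conf
```

Multi-word values such as a `push` route are written as `push "route 10.0.0.0 255.255.255.0"`, which is how OpenVPN's config parser expects them; passing the same value on argv only works because the caller quoted it, which is why `argv_count` re-parses the string with `eval` rather than counting words.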
correct spacing for [] if blocks and var quoting.
use json_get_vars to get user-defined scripts so the
setenv parameters are appended to the command line.
handle ovpnproto as a PROTO_STRING so it is monitored
and loaded.
follow-up to 337a449c03
and 647b67e18b
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
remove duplicate 'push' entry from string types.
push and other array values shall be "double quoted".
we also must 'eval' so that the double-quoted array values
don't get split on spaces.
Also quote file paths in case they contain spaces.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
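Why the double quotes and the `eval` are both needed, shown as an added example (not the proto script's own code; `CMD` and the helper names are assumptions). Word-splitting the assembled string tears a value like `route 10.0.0.0 255.255.255.0` into three arguments, while `eval` re-parses the quotes and keeps it as one. Because the string is evaluated, a value containing `"`, `$`, a backtick or a backslash would be interpreted by the shell rather than passed to openvpn, so the helper refuses such values.

```shell
#!/bin/sh
# Added example, not the proto script's own code. CMD and the helper
# names are assumptions; the option values are constructed.
CMD=""

add_flag() { CMD="${CMD:+$CMD }--$1"; }

# Wrap the value in double quotes so a later eval keeps it as one argument.
# Characters the shell would interpret inside double quotes are refused,
# otherwise a config value could inject shell syntax into the eval.
add_value() {
    case $2 in
        *\"*|*\$*|*\`*|*\\*)
            printf 'refusing unsafe value for --%s\n' "$1" >&2
            return 1 ;;
    esac
    CMD="${CMD:+$CMD }--$1 \"$2\""
}

# Plain word splitting: every space in a value becomes an argument boundary.
count_split() { set -- $CMD; echo $#; }
# eval re-parses the quotes, so each quoted value stays one argument.
count_eval()  { eval "set -- $CMD"; echo $#; }
# The n-th argument exactly as openvpn would receive it after eval.
arg_at()      { n=$1; eval "set -- $CMD"; shift $((n - 1)); printf '%s\n' "$1"; }

# Demo with constructed values
add_value push "route 10.0.0.0 255.255.255.0"
add_value push "dhcp-option DNS 10.8.0.1"
add_flag nobind
echo "split: $(count_split) args"   # 9: the push values are torn apart
echo "eval:  $(count_eval) args"    # 5: --push V --push V --nobind
echo "arg 2: $(arg_at 2)"           # route 10.0.0.0 255.255.255.0
```

The same reasoning applies to file paths with spaces: quoting them in `CMD` is only effective if the consumer of `CMD` goes through `eval` (or `eval set --`) rather than expanding `$CMD` unquoted.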
There is already the 'append' command, which assembles all parameters that
are called 'proto_run_command'. Let's move also the last params to the
top. To ensure that the sequence is correct, the parameters must be added
at the beginning, so that user parameters can overwrite them.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
There is already the 'append' command, which assembles all parameters that
are called 'proto_run_command'. Let's use that. To ensure that the
sequence is correct, the parameters must be added at the beginning, so that
user parameters can overwrite them.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The common pattern for global variable is, to write the variable name in
capital letters. This improves maintainability in shell scripts.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The variable 'auth_file' is not used in the following program sequence.
It therefore only makes sense to add it as a call parameter via 'append'
when calling the 'proto_run_command'.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This was forgotten during renaming of this option.
Fixes: e026ce0f ("openvpn: handle ovpnproto exclusively")
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
By moving the file to a subdirectory, it is easier to track where the file
is located on the target without having to check the Makefile every time.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
By moving the file to a subdirectory, it is easier to track where the file
is located on the target without having to check the Makefile every time.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Move the 'INSTALL_DIR' creation in the make install target to the location
where the files are also installed. This prevents directories that are no
longer needed from being forgotten during refactoring.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Since proto was migrated to ovpnproto to avoid collision
with netifd proto, this shall be handled separately.
Also avoid using uci commands to migrate the config which
requires knowing property types; use awk instead.
follow-up to 2607b76154
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
This plugin has not seen updates to keep it synchronised
with recent openvpn, nor any updates in the last several
years. It relies on the SHA1 algo which is deprecated,
and iptables. ovpn has its own management interface.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
https://github.com/openwrt/packages/pull/28533
openvpn needs a proto handler. Here it is.
Removed all of the up/down scripts from the init handler
and made those entirely optional (with some ucode examples).
The config options have been updated to reflect v 2.6/2.7,
with a 'd' flag to denote deprecated. Deprecated flags are
gated behind an 'allow_deprecated' config flag, which must
be on to use them. Some flags will cease to work in the next
version.
Users should not be using compression. Openvpn has enough
security holes and pitfalls already without using
compression.
Updated the example configs (left in place as legacy
documentation) and removed older cryptos which do not exist
in ovpn any longer.
A migration script is included -x. /etc/config/openvpn
entries become interface entries in /etc/config/network
with proto='openvpn'. The source config is retained.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
https://github.com/openwrt/packages/pull/28533
This lets the --peer-fingerprint openvpn option be parsed which requires
a client TLS certificate fingerprint (colon separated SHA256 hash) to
match one specified in the option argument, during authentication.
Signed-off-by: Ben Kibbey <bjk@luxsci.net>
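Validating a `peer_fingerprint` value before it reaches openvpn, as an added example (not the proto handler's own parsing; function names are assumptions). The value is obtained with `openssl x509 -in client.crt -noout -fingerprint -sha256`, which prints a line like `sha256 Fingerprint=AB:CD:...`; the helper strips that label, uppercases, and insists on exactly 32 colon-separated hex octets, so a SHA-1 fingerprint (20 octets) or a typo is rejected instead of being passed through. The sample fingerprint is constructed, not taken from a real certificate.

```shell
#!/bin/sh
# Added example, not the proto handler's own code. Obtain the real value with:
#   openssl x509 -in client.crt -noout -fingerprint -sha256
# The fingerprint used in the demo below is constructed.

# Strip the openssl label, uppercase, and require 32 colon-separated hex
# octets (a SHA-256 digest). Prints the clean fingerprint or returns 1.
normalize_fingerprint() {
    fp=${1#*=}                                    # drop "sha256 Fingerprint=" if present
    fp=$(printf '%s' "$fp" | tr 'a-f' 'A-F')
    oldifs=$IFS; IFS=:; set -- $fp; IFS=$oldifs
    [ $# -eq 32 ] || return 1                     # SHA-1 (20) or truncated values fail here
    for o in "$@"; do
        case $o in [0-9A-F][0-9A-F]) ;; *) return 1 ;; esac
    done
    printf '%s\n' "$fp"
}

# Emit the option the way a proto handler would append it, or fail loudly
# so a bad value never silently disables the fingerprint check.
peer_fingerprint_opt() {
    fp=$(normalize_fingerprint "$1") || {
        printf 'invalid peer_fingerprint: %s\n' "$1" >&2
        return 1
    }
    printf '%s %s\n' --peer-fingerprint "$fp"
}

# Demo with a constructed openssl output line
SAMPLE='sha256 Fingerprint=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff'
peer_fingerprint_opt "$SAMPLE"
peer_fingerprint_opt 'AB:CD:EF' || echo "short fingerprint rejected"
```

OpenVPN compares the peer's certificate digest against this value during the TLS handshake, so the format check is the last point at which a misconfigured server would fail to start rather than accept no client at all.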
OpenVPN does work without the kernel module, it just won't be able to use DCO.
To make life easier for OpenVPN users on very space-constrained devices make it
an optional dependency.
Signed-off-by: Dennis Camera <dennis.camera+openwrt@riiengineering.ch>
Enable the DCO option by default in the openvpn package to allow for
better performance and have a use case for kmod-ovpn-dco-v2 :-)
Signed-off-by: Dennis Camera <dennis.camera+openwrt@riiengineering.ch>
Security fixes:
CVE-2025-2704: fix possible ASSERT() on OpenVPN servers using --tls-crypt-v2
Security scope: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made
to abort with an ASSERT() message by sending a particular combination of authenticated and
malformed packets. No crypto integrity is violated, no data is leaked, and no remote code
execution is possible. This bug does not affect OpenVPN clients.
For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.14/Changes.rst
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Feature changes:
- on non-windows clients (MacOS, Linux, Unix) send "release" string from uname() call as IV_PLAT_VER to server
- Windows: protect cached username, password and token in client memory
- Windows: use new API to get dco-win driver version from driver
- Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds
Security fixes:
- improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN
Notable bug fixes:
- FreeBSD DCO: fix memory leaks in nvlist handling
- purge proxy authentication credentials from memory after use
For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.13/Changes.rst
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
This is a bugfix release
Bug fixes:
- the fix for CVE-2024-5594 (refuse control channel messages with nonprintable characters) was too strict, breaking user configurations
with AUTH_FAIL messages having trailing CR/NL characters. This often happens if the AUTH_FAIL reason is set by a script.
- Http-proxy: fix bug preventing proxy credentials caching
For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.12/Changes.rst
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
External scripts may only be specified with script-security 2 or higher,
otherwise OpenVPN fails at tunnel startup with an error.
This changes the previously hardcoded hotplug scripts to only be added if
script-security 2 or higher is used.
Signed-off-by: Clemens Hopfer <openwrt@wireloss.net>