Maintainer: Alexandru Ardelean <ardeleanalex@gmail.com>
ping @feckert
First of all big thanks to all involved devs, porting this to proto is not a minor task and besides some small quirks it is working well.
(Not all that happy with the use of a default route instead of /1 routes, because you lose internet if the tunnel goes down but that is just me nitpicking)
However I had problems with default routing as the host routes to the server endpoint were missing.
I tracked it down to code in the `openvpn-hotplug` script and made some changes and in my testing it appears to work now.
As a bonus I also added code for a future implementation of the `nohostroute` option.
Problem:
The host routes were created by just using route setup; this, however, does not work.
Solution:
Using `proto_add_host_dependency` seems the better solution.
Furthermore the correct guard for IPv6 seems to be `net_gateway_ipv6` instead of `route_ipv6_gateway` however even the correct guard is only working if ipv6 source routing is disabled on wan6, so perhaps we should consider removing the guard entirely.
For now I left it in place with a warning.
I have tested it on X86 running master build from 5 days ago, both for IPv4 and IPv6
Please have a look and consider implementing.
Thanks
Signed-off-by: Erik Conijn <egc112@msn.com>
When luci-proto-openvpn is selected in `make menuconfig`,
openvpn-openssl is picked up automatically. As mbedTLS is the default
TLS package, set DEFAULT_VARIANT on openvpn-mbedtls so that it is used
by default.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
Introduce a new `ipv6` proto option for OpenVPN netifd integration and
export it to the hotplug environment. IPv6 remains enabled by default,
but can now be explicitly disabled per instance.
Update the hotplug helper to apply IPv6 addresses and routes only when
IPv6 is enabled, allowing cleaner IPv4-only tunnel deployments.
Also improve route handling by:
- ignoring invalid default gateway values (0.0.0.0 / ::)
- replacing fixed `seq` loops with shell-safe while loops
- keeping trusted peer host routes conditional on valid gateways
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Seems a lot of packages are just getting abandoned by people.
Will pick these up and see them through.
Signed-off-by: Alexandru Ardelean <alex@shruggie.ro>
The new DCO module depends on OpenVPN 2.7.1.
For details refer to https://github.com/OpenVPN/openvpn/blob/v2.7.1/Changes.rst
Removed upstreamed wolfSSL patches:
- 101-Fix-EVP_PKEY_CTX_-compilation-with-wolfSSL.patch
- 102-Disable-external-ec-key-support-when-building-with-wolfSSL.patch
Reworked 100-mbedtls-disable-runtime-version-check.patch to use
MBEDTLS_VERSION_STRING instead of a mutable buffer.
Signed-off-by: Qingfang Deng <dqfext@gmail.com>
This patch fixes two issues in the netifd protocol script:
1. Fix logic error in deprecated option filtering:
Previously, ${f%%:*} was called before checking for the deprecated
flag (:d). This stripped the suffix and made the check [ "${f#*:}" = "d" ]
always fail. The cleaning of $f is now deferred until after this check.
2. Improve parameter quoting for specific options:
- Adds single quotes to --push and --push-remove parameters to handle
spaces (e.g., "route 10.0.0.0 255.255.255.0").
- Unifies quoting for 'file' type options to improve shell safety.
- Refactors the build logic using a case statement for better
extensibility.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
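The ordering bug from item 1 above, reconstructed as an added example (not the project's script): stripping the `:d` suffix with `${f%%:*}` before testing `${f#*:}` makes the deprecated check unreachable; the fixed variant tests first and strips afterwards. Option names and the `allow_deprecated` flag handling are constructed for illustration.

```sh
#!/bin/sh
# Option entries carry an optional ":d" suffix marking them deprecated,
# e.g. "comp-lzo:d". Names here are constructed sample values.

# Buggy order (before the fix): the suffix is stripped first, so the
# flag test below compares the bare name against "d" and never matches.
is_deprecated_buggy() {
	f="$1"
	f="${f%%:*}"
	[ "${f#*:}" = "d" ]
}

# Fixed order: test the flag on the untouched entry.
is_deprecated_fixed() {
	f="$1"
	[ "${f#*:}" = "d" ]
}

# Strip the flag suffix, yielding the plain option name.
option_name() {
	printf '%s\n' "${1%%:*}"
}

# Print the option names that may be used. Deprecated entries are kept
# only when the first argument (an allow_deprecated flag) is 1.
filter_options() {
	allow="$1"
	shift
	for f in "$@"; do
		if is_deprecated_fixed "$f" && [ "$allow" != 1 ]; then
			continue
		fi
		option_name "$f"
	done
}
```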
- Process 'up'/'down' events to manage interface status.
- Add IPv4/IPv6 addresses and routes via netifd-proto.
- Parse DNS/search domains from foreign options.
- Convert netmasks and CIDR strings with new helpers.
- Apply MTU settings from OpenVPN environment.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
- Default to '--ifconfig-noexec' and '--route-noexec' to allow hotplug
script to handle IP and routing configuration.
- Only append '--auth-user-pass-verify' if the option is explicitly
configured to avoid unexpected authentication requirements.
- Fix missing retrieval of 'auth_user_pass', 'askpass', and 'tls_verify'.
- Remove redundant '--config' parameter (managed by option_builder).
- Simplify 'script_security' assignment logic.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Update the openvpn package to the latest version in
the 2.6.x branch while development of the 2.7.x branch
becomes stable enough to merge.
Signed-off-by: Sander van Deijck <sander@vandeijck.com>
move file and path type values to FILE type params
so they are better handled with quoting, in case
paths contain spaces.
Remove duplicate 'extra_certs'.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
fix the pop() bug
write options to a config file in case argv length > 63
netifd has a hard limit of 64 argv entries for its ucode
proto.run_command whereby '--param' is one, and its
'option string' is two.
follow-up to affa96dc81
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
correct spacing for [] if blocks and var quoting.
use json_get_vars to get user-defined scripts so the
setenv parameters are appended to the command line.
handle ovpnproto as a PROTO_STRING so it is monitored
and loaded.
follow-up to 337a449c03
and 647b67e18b
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
remove duplicate 'push' entry from string types.
push and other array values shall be "double quoted".
we also must 'eval' so that the double-quoted array values
don't get split on spaces.
Also quote file paths in case they contain spaces.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
There is already the 'append' command, which assembles all parameters that
are called 'proto_run_command'. Let's move also the last params to the
top. To ensure that the sequence is correct, the parameters must be added
at the beginning, so that user parameters can overwrite them.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
There is already the 'append' command, which assembles all parameters that
are called 'proto_run_command'. Let's use that. To ensure that the
sequence is correct, the parameters must be added at the beginning, so that
user parameters can overwrite them.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The common pattern for global variables is to write the variable name in
capital letters. This improves maintainability in shell scripts.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The variable 'auth_file' is not used in the following program sequence.
It therefore only makes sense to add it as a call parameter via 'append'
when calling the 'proto_run_command'.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This was forgotten during renaming of this option.
Fixes: e026ce0f ("openvpn: handle ovpnproto exclusively")
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
By moving the file to a subdirectory, it is easier to track where the file
is located on the target without having to check the Makefile every time.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
By moving the file to a subdirectory, it is easier to track where the file
is located on the target without having to check the Makefile every time.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Move the 'INSTALL_DIR' creation in the make install target to the location
where the files are also installed. This prevents directories that are no
longer needed from being forgotten during refactoring.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Since proto was migrated to ovpnproto to avoid collision
with netifd proto, this shall be handled separately.
Also avoid using uci commands to migrate the config which
requires knowing property types; use awk instead.
follow-up to 2607b76154
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
This plugin has not seen updates to keep it synchronised
with recent openvpn, nor any updates in the last several
years. It relies on the SHA1 algo which is deprecated,
and iptables. ovpn has its own management interface.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
https://github.com/openwrt/packages/pull/28533
openvpn needs a proto handler. Here it is.
Removed all of the up/down scripts from the init handler
and made those entirely optional (with some ucode examples).
The config options have been updated to reflect v 2.6/2.7,
with a 'd' flag to denote deprecated. Deprecated flags are
gated behind an 'allow_deprecated' config flag, which must
be on to use them. Some flags will cease to work in the next
version.
Users should not be using compression. Openvpn has enough
security holes and pitfalls already without using
compression.
Updated the example configs (left in place as legacy
documentation) and removed older cryptos which do not exist
in ovpn any longer.
A migration script is included -x. /etc/config/openvpn
entries become interface entries in /etc/config/network
with proto='openvpn'. The source config is retained.
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
https://github.com/openwrt/packages/pull/28533