luci-app-openvpn: change Value to DynamicList for ciphers
-- Copyright 2008 Steven Barth <steven@midlink.org>
-- Licensed to the public under the Apache License 2.0.
4 local fs = require("nixio.fs")
local knownParams = {
	--
	-- Option catalogue for the "advanced" OpenVPN page. The table is pure
	-- data; the loop at the bottom of this file turns it into CBI widgets.
	--
	-- Each category is { id, title, { option spec, ... } } where the id is
	-- matched against the requested category (arg[2]).
	--
	-- Each option spec is a positional record:
	--   [1] Widget       - CBI class (Value, Flag, ListValue, DynamicList,
	--                      FileUpload, ...)
	--   [2] ID           - UCI option name; it doubles as the display name
	--   [3] Default(s)   - a scalar default, or a table of choices whose
	--                      first entry becomes the default
	--   [4] Description
	--   [5+] Option(s)   - dependency tables handed to o:depends()
	--
	-- Paths and command strings below are samples offered to the admin;
	-- they are stored as typed, nothing on this page validates them.
	--

	{ "service", translate("Service"), {
		-- initialisation and daemon options
		{ ListValue, "verb", { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 }, translate("Set output verbosity") },
		{ Flag, "mlock", 0, translate("Disable Paging") },
		{ Flag, "disable_occ", 0, translate("Disable options consistency check") },
		-- { Value, "user", "root", translate("Set UID to user") },
		-- { Value, "group", "root", translate("Set GID to group") },
		{ Value, "cd", "/etc/openvpn", translate("Change to directory before initialization") },
		{ Value, "chroot", "/var/run", translate("Chroot to directory after initialization") },
		-- { Value, "daemon", "Instance-Name", translate("Daemonize after initialization") },
		-- { Value, "syslog", "Instance-Name", translate("Output to syslog and do not daemonize") },
		{ Flag, "passtos", 0, translate("TOS passthrough (applies to IPv4 only)") },
		-- { Value, "inetd", "nowait Instance-Name", translate("Run as an inetd or xinetd server") },
		{ Value, "log", "/var/log/openvpn.log", translate("Write log to file") },
		{ Value, "log_append", "/var/log/openvpn.log", translate("Append log to file") },
		{ Flag, "suppress_timestamps", 0, translate("Don't log timestamps") },
		-- { Value, "writepid", "/var/run/openvpn.pid", translate("Write process ID to file") },
		{ Value, "nice", 0, translate("Change process priority") },
		{ Flag, "fast_io", 0, translate("Optimize TUN/TAP/UDP writes") },
		{ Value, "echo", "some params echoed to log", translate("Echo parameters to log") },
		{ ListValue, "remap_usr1", { "SIGHUP", "SIGTERM" }, translate("Remap SIGUSR1 signals") },
		{ Value, "status", "/var/run/openvpn.status 5", translate("Write status to file every n seconds") },
		{ Value, "status_version", { 1, 2 }, translate("Status file format version") }, -- status
		{ Value, "mute", 5, translate("Limit repeated log messages") },
		-- Script hooks: the values are paths/commands passed through to
		-- OpenVPN unchanged; whether OpenVPN runs them is governed by the
		-- script_security level further down.
		{ Value, "up", "/usr/bin/ovpn-up", translate("Shell cmd to execute after tun device open") },
		{ Value, "up_delay", 5, translate("Delay tun/tap open and up script execution") },
		{ Value, "down", "/usr/bin/ovpn-down", translate("Shell cmd to run after tun device close") },
		{ Flag, "down_pre", 0, translate("Call down cmd/script before TUN/TAP close") },
		{ Flag, "up_restart", 0, translate("Run up/down scripts for all restarts") },
		{ Value, "route_up", "/usr/bin/ovpn-routeup", translate("Execute shell cmd after routes are added") },
		{ Value, "ipchange", "/usr/bin/ovpn-ipchange", translate("Execute shell command on remote IP change"), { mode="p2p" } },
		{ DynamicList, "setenv", { "VAR1 value1", "VAR2 value2" }, translate("Pass environment variables to script") },
		{ Value, "tls_verify", "/usr/bin/ovpn-tlsverify", translate("Shell command to verify X509 name") },
		{ Value, "client_connect", "/usr/bin/ovpn-clientconnect", translate("Run script cmd on client connection") },
		{ Value, "client_disconnect", "/usr/bin/ovpn-clientdisconnect", translate("Run script cmd on client disconnection") },
		{ Value, "learn_address", "/usr/bin/ovpn-learnaddress", translate("Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table") },
		{ Value, "auth_user_pass_verify", "/usr/bin/ovpn-userpass via-env", translate("Executed in server mode on new client connections, when the client is still untrusted") },
		-- First choice (0) is offered as the default, see the loop below.
		{ ListValue, "script_security", { 0, 1, 2, 3 }, translate("Policy level over usage of external programs and scripts") },
		{ ListValue, "compress", { "frames_only", "lzo", "lz4", "stub-v2"}, translate("Security recommendation: It is recommended to not enable compression and set this parameter to `stub-v2`") },
	} },

	{ "networking", translate("Networking"), {
		-- socket config
		{ ListValue, "mode", { "p2p", "server" }, translate("Major mode") },
		{ Value, "local", "0.0.0.0", translate("Local host name or IP address") },
		{ Value, "port", 1194, translate("TCP/UDP port # for both local and remote") },
		{ Value, "lport", 1194, translate("TCP/UDP port # for local (default=1194)") },
		{ Value, "rport", 1194, translate("TCP/UDP port # for remote (default=1194)") },
		{ ListValue, "proto", { "udp", "tcp-client", "tcp-server" }, translate("Use protocol") },
		{ Flag, "float", 0, translate("Allow remote to change its IP or port") },
		{ Flag, "nobind", 0, translate("Do not bind to local address and port") },
		{ Flag, "multihome", 0, translate("When you have more than one IP address (e.g. multiple interfaces, or secondary IP addresses), and do not use --local to force binding to one specific address only") },
		{ Value, "dev", "tun0", translate("tun/tap device") },
		{ ListValue, "dev_type", { "tun", "tap" }, translate("Type of used device") },
		{ Value, "dev_node", "/dev/net/tun", translate("Use tun/tap device node") },
		{ Value, "ifconfig", "10.200.200.3 10.200.200.1", translate("Set tun/tap adapter parameters") },
		{ Flag, "ifconfig_noexec", 0, translate("Don't actually execute ifconfig") },
		{ Flag, "ifconfig_nowarn", 0, translate("Don't warn on ifconfig inconsistencies") },
		{ DynamicList, "route", "10.123.0.0 255.255.0.0", translate("Add route after establishing connection") },
		{ Value, "route_gateway", "10.234.1.1", translate("Specify a default gateway for routes") },
		{ Value, "route_delay", 0, translate("Delay n seconds after connection") },
		{ Flag, "route_noexec", 0, translate("Don't add routes automatically") },
		{ Flag, "route_nopull", 0, translate("Don't pull routes automatically") },
		{ Flag, "allow_recursive_routing", 0, translate("Don't drop incoming tun packets with same destination as host") },
		{ ListValue, "mtu_disc", { "yes", "maybe", "no" }, translate("Enable Path MTU discovery") },
		{ Flag, "mtu_test", 0, translate("Empirically measure MTU") },
		{ ListValue, "comp_lzo", { "yes", "no", "adaptive" }, translate("Security recommendation: It is recommended to not enable compression and set this parameter to `no`") },
		-- NOTE(review): comp_lzo only takes the string values listed above,
		-- so a dependency on comp_lzo=1 looks like it never matches and this
		-- flag would stay hidden - confirm against the CBI depends() rules.
		{ Flag, "comp_noadapt", 0, translate("Don't use adaptive lzo compression"), { comp_lzo=1 } },
		{ Value, "link_mtu", 1500, translate("Set TCP/UDP MTU") },
		{ Value, "tun_mtu", 1500, translate("Set tun/tap device MTU") },
		{ Value, "tun_mtu_extra", 1500, translate("Set tun/tap device overhead") },
		{ Value, "fragment", 1500, translate("Enable internal datagram fragmentation"), { proto="udp" } },
		{ Value, "mssfix", 1450, translate("Set upper bound on TCP MSS"), { proto="udp" } },
		{ Value, "sndbuf", 65536, translate("Set the TCP/UDP send buffer size") },
		{ Value, "rcvbuf", 65536, translate("Set the TCP/UDP receive buffer size") },
		{ Value, "txqueuelen", 100, translate("Set tun/tap TX queue length") },
		{ Value, "shaper", 10240, translate("Shaping for peer bandwidth") },
		{ Value, "inactive", 240, translate("tun/tap inactivity timeout") },
		{ Value, "keepalive", "10 60", translate("Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations") },
		{ Value, "ping", 30, translate("Ping remote every n seconds over TCP/UDP port") },
		{ Value, "ping_exit", 120, translate("Remote ping timeout") },
		{ Value, "ping_restart", 60, translate("Restart after remote ping timeout") },
		{ Flag, "ping_timer_rem", 0, translate("Only process ping timeouts if routes exist") },
		{ Flag, "persist_tun", 0, translate("Keep tun/tap device open on restart") },
		{ Flag, "persist_key", 0, translate("Don't re-read key on restart") },
		{ Flag, "persist_local_ip", 0, translate("Keep local IP address on restart") },
		{ Flag, "persist_remote_ip", 0, translate("Keep remote IP address on restart") },
		-- management channel
		-- The sample value binds the management socket to loopback and names
		-- a password file; it is a hint only, the admin supplies the real value.
		{ Value, "management", "127.0.0.1 31194 /etc/openvpn/mngmt-pwds", translate("Enable management interface on <em>IP</em> <em>port</em>") },
		-- management
		{ Flag, "management_query_passwords", 0, translate("Query management channel for private key") },
		-- management
		{ Flag, "management_hold", 0, translate("Start OpenVPN in a hibernating state") },
		-- management
		{ Value, "management_log_cache", 100, translate("Number of lines for log file history") },
		{ ListValue, "topology", { "net30", "p2p", "subnet" }, translate("'net30', 'p2p', or 'subnet'"), {dev_type="tun" } },
		{ Flag, "disable_dco", 0, translate("Disable Data Channel Offloading (DCO) support") },
	} },

	{ "vpn", translate("VPN"), {
		-- Server-side options depend on the "client" flag being unset or "0".
		{ Value, "server", "10.200.200.0 255.255.255.0", translate("Configure server mode"), { client="0" }, { client="" } },
		{ Value, "server_bridge", "10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250", translate("Configure server bridge"), { client="0" }, { client="" } },
		{ DynamicList, "push", { "redirect-gateway", "comp-lzo" }, translate("Push options to peer"), { client="0" }, { client="" } },
		{ Flag, "push_reset", 0, translate("Don't inherit global push options"), { client="0" }, { client="" } },
		{ Flag, "disable", 0, translate("Client is disabled"), { client="0" }, { client="" } },
		{ Value, "ifconfig_pool", "10.200.200.100 10.200.200.150 255.255.255.0", translate("Set aside a pool of subnets"), { client="0" }, { client="" } },
		{ Value, "ifconfig_pool_persist", "/etc/openvpn/ipp.txt 600", translate("Persist/unpersist ifconfig-pool"), { client="0" }, { client="" } },
		{ Value, "ifconfig_push", "10.200.200.1 255.255.255.255", translate("Push an ifconfig option to remote"), { client="0" }, { client="" } },
		{ Value, "iroute", "10.200.200.0 255.255.255.0", translate("Route subnet to client"), { client="0" }, { client="" } },
		{ Flag, "client_to_client", 0, translate("Allow client-to-client traffic"), { client="0" }, { client="" } },
		{ Flag, "duplicate_cn", 0, translate("Allow multiple clients with same certificate"), { client="0" }, { client="" } },
		{ Value, "client_config_dir", "/etc/openvpn/ccd", translate("Directory for custom client config files"), { client="0" }, { client="" } },
		{ Flag, "ccd_exclusive", 0, translate("Refuse connection if no custom client config"), { client="0" }, { client="" } },
		{ Value, "tmp_dir", "/var/run/openvpn", translate("Temporary directory for client-connect return file"), { client="0" }, { client="" } },
		{ Value, "hash_size", "256 256", translate("Set size of real and virtual address hash tables"), { client="0" }, { client="" } },
		{ Value, "bcast_buffers", 256, translate("Number of allocated broadcast buffers"), { client="0" }, { client="" } },
		{ Value, "tcp_queue_limit", 64, translate("Maximum number of queued TCP output packets"), { client="0" }, { client="" } },
		{ Value, "max_clients", 10, translate("Allowed maximum of connected clients"), { client="0" }, { client="" } },
		-- NOTE(review): the description below reads as truncated
		-- ("... of internal" what?) - presumably internal routes per client.
		{ Value, "max_routes_per_client", 256, translate("Allowed maximum of internal"), { client="0" }, { client="" } },
		{ Value, "connect_freq", "3 10", translate("Allowed maximum of new connections"), { client="0" }, { client="" } },
		{ Flag, "username_as_common_name", 0, translate("Use username as common name"), { client="0" }, { client="" } },
		-- Client-side options depend on client="1".
		{ Flag, "client", 0, translate("Configure client mode") },
		{ Flag, "pull", 0, translate("Accept options pushed from server"), { client="1" } },
		{ FileUpload, "auth_user_pass", "/etc/openvpn/userpass.txt", translate("Authenticate using username/password"), { client="1" } },
		{ ListValue, "auth_retry", { "none", "nointeract", "interact" }, translate("Handling of authentication failures"), { client="1" } },
		{ Value, "explicit_exit_notify", 1, translate("Send notification to peer on disconnect"), { client="1" } },
		{ DynamicList, "remote", "1.2.3.4", translate("Remote host name or IP address") },
		{ Flag, "remote_random", 0, translate("Randomly choose remote server"), { client="1" } },
		{ Value, "connect_retry", 5, translate("Connection retry interval"), { proto="tcp-client" }, { client="1" } },
		{ Value, "http_proxy", "192.168.1.100 8080", translate("Connect to remote host through an HTTP proxy"), { client="1" } },
		{ Flag, "http_proxy_retry", 0, translate("Retry indefinitely on HTTP proxy errors"), { client="1" } },
		{ Value, "http_proxy_timeout", 5, translate("Proxy timeout in seconds"), { client="1" } },
		{ DynamicList, "http_proxy_option", { "VERSION 1.0", "AGENT OpenVPN/2.0.9" }, translate("Set extended HTTP proxy options"), { client="1" } },
		{ Value, "socks_proxy", "192.168.1.200 1080", translate("Connect through Socks5 proxy"), { client="1" } },
		-- client && socks_proxy
		{ Value, "socks_proxy_retry", 5, translate("Retry indefinitely on Socks proxy errors"), { client="1" } },
		{ Value, "resolv_retry", "infinite", translate("If hostname resolve fails, retry"), { client="1" } },
		{ ListValue, "redirect_gateway", { "", "local", "def1", "local def1" }, translate("Automatically redirect default route"), { client="1" } },
		-- A Value with a choice table: the loop below turns the choices into
		-- a combo box and "none" into the default.
		{ Value, "verify_client_cert", { "none", "optional", "require" }, translate("Specify whether the client is required to supply a valid certificate") },
	} },

	{ "cryptography", translate("Cryptography"), {
		{ FileUpload, "secret", "/etc/openvpn/secret.key", translate("Enable Static Key encryption mode (non-TLS)") },
		-- parse
		{ Value, "auth", "SHA1", translate("HMAC authentication for packets") },
		-- parse
		-- The first entry below becomes the default offered in the drop-down.
		-- NOTE(review): BF-*, CAST5-*, DES*, DESX-* and RC2-* are legacy
		-- algorithms kept for interoperability with old peers; for new
		-- deployments the AES-*-GCM entries (or data_ciphers further down)
		-- are the ones to prefer.
		{ Value, "cipher", {
			"AES-128-CBC", "AES-128-CFB", "AES-128-CFB1", "AES-128-CFB8", "AES-128-GCM", "AES-128-OFB",
			"AES-192-CBC", "AES-192-CFB", "AES-192-CFB1", "AES-192-CFB8", "AES-192-GCM", "AES-192-OFB",
			"AES-256-CBC", "AES-256-CFB", "AES-256-CFB1", "AES-256-CFB8", "AES-256-GCM", "AES-256-OFB",
			"BF-CBC", "BF-CFB", "BF-OFB",
			"CAST5-CBC", "CAST5-CFB", "CAST5-OFB",
			"DES-CBC", "DES-CFB", "DES-CFB1", "DES-CFB8",
			"DES-EDE-CBC", "DES-EDE-CFB", "DES-EDE-OFB",
			"DES-EDE3-CBC", "DES-EDE3-CFB", "DES-EDE3-CFB1", "DES-EDE3-CFB8", "DES-EDE3-OFB",
			"DES-OFB", "DESX-CBC",
			"RC2-40-CBC", "RC2-64-CBC", "RC2-CBC", "RC2-CFB", "RC2-OFB"
		}, translate("Encryption cipher for packets") },
		-- parse
		-- NOTE(review): keysize looks like the legacy variable-key-length
		-- option for old ciphers; confirm it is still honoured by the
		-- packaged OpenVPN before relying on it.
		{ Value, "keysize", 1024, translate("Size of cipher key") },
		-- parse
		{ Value, "engine", "dynamic", translate("Enable OpenSSL hardware crypto engines") },
		{ Value, "replay_window", "64 15", translate("Replay protection sliding window size") },
		{ Flag, "mute_replay_warnings", 0, translate("Silence the output of replay warnings") },
		{ Value, "replay_persist", "/var/run/openvpn-replay-state", translate("Persist replay-protection state") },
		-- tls_server and tls_client are mutually exclusive: each depends on
		-- the other being unset or "0".
		{ Flag, "tls_server", 0, translate("Enable TLS and assume server role"), { tls_client="" }, { tls_client="0" } },
		{ Flag, "tls_client", 0, translate("Enable TLS and assume client role"), { tls_server="" }, { tls_server="0" } },
		-- Sample paths for the PKI material; FileUpload widgets accept an
		-- uploaded file or a path typed into the companion text box.
		{ FileUpload, "ca", "/etc/easy-rsa/keys/ca.crt", translate("Certificate authority") },
		{ FileUpload, "dh", "/etc/easy-rsa/keys/dh1024.pem", translate("Diffie-Hellman parameters") },
		{ FileUpload, "cert", "/etc/easy-rsa/keys/some-client.crt", translate("Local certificate") },
		{ FileUpload, "key", "/etc/easy-rsa/keys/some-client.key", translate("Local private key") },
		{ FileUpload, "pkcs12", "/etc/easy-rsa/keys/some-client.pk12", translate("PKCS#12 file containing keys") },
		-- NOTE(review): the description is a copy of tls_client's text and
		-- does not describe key_method; presumably it should read along the
		-- lines of "Data channel key exchange method (1 or 2)".
		{ ListValue, "key_method", { 1, 2 }, translate("Enable TLS and assume client role") },
		-- TLS 1.2-and-older control channel cipher list (IANA names with
		-- dashes); TLS 1.3 suites go in tls_ciphersuites below.
		{ DynamicList, "tls_cipher", {
			"TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
			"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
			"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
			"TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
			"TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
			"TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
			"TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
			"TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
			"TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
			"TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
			"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
			"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
			"TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
			"TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
			"TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
			"TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
			"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
			"TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
			"TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
			"TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
			"TLS-DHE-RSA-WITH-AES-128-CBC-SHA"
		}, translate("TLS cipher") },
		{ DynamicList, "tls_ciphersuites", {
			"TLS_AES_256_GCM_SHA384",
			"TLS_AES_128_GCM_SHA256",
			"TLS_CHACHA20_POLY1305_SHA256"
		}, translate("TLS 1.3 or newer cipher") },
		{ Value, "tls_timeout", 2, translate("Retransmit timeout on TLS control channel") },
		{ Value, "reneg_bytes", 1024, translate("Renegotiate data chan. key after bytes") },
		{ Value, "reneg_pkts", 100, translate("Renegotiate data chan. key after packets") },
		{ Value, "reneg_sec", 3600, translate("Renegotiate data chan. key after seconds") },
		{ Value, "hand_window", 60, translate("Timeframe for key exchange") },
		{ Value, "tran_window", 3600, translate("Key transition window") },
		{ Flag, "single_session", 0, translate("Allow only one session") },
		{ Flag, "tls_exit", 0, translate("Exit on TLS negotiation failure") },
		{ Value, "tls_auth", "/etc/openvpn/tlsauth.key", translate("Additional authentication over TLS") },
		{ Value, "tls_crypt", "/etc/openvpn/tlscrypt.key", translate("Encrypt and authenticate all control channel packets with the key") },
		{ Value, "tls_crypt_v2", "/etc/openvpn/servertlscryptv2.key", translate("Encrypt and authenticate all control channel packets with the key, version 2.") },
		-- { Value, "askpass", "[file]", translate("Get PEM password from controlling tty before we daemonize") },
		{ Flag, "auth_nocache", 0, translate("Don't cache --askpass or --auth-user-pass passwords") },
		{ Value, "tls_remote", "remote_x509_name", translate("Only accept connections from given X509 name") },
		-- NOTE(review): ns_cert_type appears to be the older form of the
		-- remote_cert_tls check that follows it; confirm the packaged
		-- OpenVPN still accepts it before offering both.
		{ ListValue, "ns_cert_type", { "client", "server" }, translate("Require explicit designation on certificate") },
		{ ListValue, "remote_cert_tls", { "client", "server" }, translate("Require explicit key usage on certificate") },
		{ Value, "crl_verify", "/etc/easy-rsa/keys/crl.pem", translate("Check peer certificate against a CRL") },
		-- NOTE(review): "1.0"/"1.2" are the sample values shown in the
		-- fields, not enforced floors; whether TLS 1.0 is still negotiable
		-- depends on the OpenVPN/OpenSSL build on the target.
		{ Value, "tls_version_min", "1.0", translate("The lowest supported TLS version") },
		{ Value, "tls_version_max", "1.2", translate("The highest supported TLS version") },
		{ ListValue, "key_direction", { 0, 1 }, translate("The key direction for 'tls-auth' and 'secret' options") },
		{ Flag, "ncp_disable", 0, translate("This completely disables cipher negotiation") },
		-- NOTE(review): ncp_ciphers and data_ciphers share one description;
		-- presumably ncp_ciphers is the pre-2.5 spelling of data_ciphers -
		-- confirm which one the target OpenVPN honours.
		{ DynamicList, "ncp_ciphers", {
			"AES-256-GCM",
			"AES-128-GCM"
		}, translate("Restrict the allowed ciphers to be negotiated") },
		{ DynamicList, "data_ciphers", {
			"CHACHA20-POLY1305",
			"AES-256-GCM",
			"AES-128-GCM",
			"AES-256-CBC"
		}, translate("Restrict the allowed ciphers to be negotiated") },
	} }
}
-- Page state, filled in from knownParams below: the category tabs (cts),
-- the option specs of the selected category (params) and its title.
local cts = { }
local params = { }
local title = ""

-- The map edits the "openvpn" UCI config; after a submit the user is sent
-- back to the OpenVPN overview page.
local m = Map("openvpn")
m.redirect = luci.dispatcher.build_url("admin", "vpn", "openvpn")
m.apply_on_parse = true

-- Page switcher. arg[1] is the instance name and arg[2] the requested
-- category, both supplied by the dispatcher from the URL. A missing
-- category falls back to the first one; an unknown category matches
-- nothing below and therefore renders an empty section rather than
-- some other category.
local p = m:section( SimpleSection )
p.template = "openvpn/pageswitch"
p.mode = "advanced"
p.instance = arg[1]
p.category = arg[2] or knownParams[1][1]

-- Build the tab list and pick out the selected category in one pass.
for idx = 1, #knownParams do
	local cat = knownParams[idx]
	local id, label = cat[1], cat[2]
	cts[idx] = { id = id, title = label }
	if id == p.category then
		title = label
		params = cat[3]
	end
end

p.categories = cts
-- The single section of this page: the "openvpn" UCI section named after
-- the instance from the URL (arg[1]), titled with the selected category.
-- The section itself can neither be added nor removed from this page.
local s = m:section(NamedSection, arg[1], "openvpn", title)
s.addremove = false
s.anonymous = true
-- Reads the free-text companion field of a FileUpload widget, which the
-- form posts under "<cbid>.textbox" (presumably rendered by the openvpn
-- templates). The value is an admin-typed path taken as-is; no path
-- validation happens on this page.
local function textbox_value(self, section)
	local key = "cbid." .. self.map.config .. "." .. section .. "." .. self.option .. ".textbox"
	return luci.http.formvalue(key)
end

-- Instantiate one CBI widget per option spec of the selected category.
-- Spec layout: { Widget, id, default(s), description, depends... }; the
-- id serves as both UCI option name and display name.
for _, spec in ipairs(params) do
	local widget, name, default, descr = spec[1], spec[2], spec[3], spec[4]
	local opt = s:option(widget, name, name, descr)

	-- Every option may be left unset in the config.
	opt.optional = true

	if widget == DummyValue then
		opt.value = default
	elseif widget == FileUpload then
		opt.initial_directory = "/etc/openvpn"

		-- Only reports a configured path; falls through to nil otherwise.
		function opt.cfgvalue(self, section)
			local cfg_val = AbstractValue.cfgvalue(self, section)
			if cfg_val then
				return cfg_val
			end
		end

		-- An uploaded/selected file wins over the typed path; an empty
		-- string in either is treated as "not given".
		function opt.formvalue(self, section)
			local sel_val = AbstractValue.formvalue(self, section)
			local txt_val = textbox_value(self, section)

			if sel_val and sel_val ~= "" then
				return sel_val
			end
			if txt_val and txt_val ~= "" then
				return txt_val
			end
		end

		-- Clearing the text box removes the option; the file named by the
		-- current config value is deleted as well, but only if it exists
		-- and the text box was posted empty (nil means "not posted").
		function opt.remove(self, section)
			local cfg_val = AbstractValue.cfgvalue(self, section)
			local txt_val = textbox_value(self, section)

			if cfg_val and fs.access(cfg_val) and txt_val == "" then
				fs.unlink(cfg_val)
			end
			return AbstractValue.remove(self, section)
		end
	elseif widget == Flag then
		opt.default = nil
	else
		-- A single UCI value is wrapped so DynamicList always sees a list.
		if widget == DynamicList then
			function opt.cfgvalue(...)
				local val = AbstractValue.cfgvalue(...)
				if val and type(val) ~= "table" then
					return { val }
				end
				return val
			end
		end

		-- A table of defaults becomes a choice list (plus a "remove" entry
		-- since the option is optional) whose first entry is the default;
		-- a scalar is the default as-is. Everything is stringified.
		if type(default) == "table" then
			if opt.optional then opt:value("", "-- remove --") end
			for _, choice in ipairs(default) do
				opt:value(tostring(choice))
			end
			opt.default = tostring(default[1])
		else
			opt.default = tostring(default)
		end
	end

	-- Trailing table entries are dependency sets; any one of them showing
	-- the widget.
	for i = 5, #spec do
		local dep = spec[i]
		if type(dep) == "table" then
			opt:depends(dep)
		end
	end
end

return m