1 -- Copyright 2008 Steven Barth <steven@midlink.org>
2 -- Licensed to the public under the Apache License 2.0.
4 local fs = require("nixio.fs")
15 { "service", translate("Service"), {
16 -- initialisation and daemon options
19 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 },
20 translate("Set output verbosity") },
24 translate("Disable Paging") },
28 translate("Disable options consistency check") },
32 -- translate("Set UID to user") },
36 -- translate("Set GID to group") },
40 translate("Change to directory before initialization") },
44 translate("Chroot to directory after initialization") },
48 -- translate("Daemonize after initialization") },
52 -- translate("Output to syslog and do not daemonize") },
56 translate("TOS passthrough (applies to IPv4 only)") },
59 -- "nowait Instance-Name",
60 -- translate("Run as an inetd or xinetd server") },
63 "/var/log/openvpn.log",
64 translate("Write log to file") },
67 "/var/log/openvpn.log",
68 translate("Append log to file") },
70 "suppress_timestamps",
72 translate("Don't log timestamps") },
75 -- "/var/run/openvpn.pid",
76 -- translate("Write process ID to file") },
80 translate("Change process priority") },
84 translate("Optimize TUN/TAP/UDP writes") },
87 "some params echoed to log",
88 translate("Echo parameters to log") },
91 { "SIGHUP", "SIGTERM" },
92 translate("Remap SIGUSR1 signals") },
95 "/var/run/openvpn.status 5",
96 translate("Write status to file every n seconds") },
100 translate("Status file format version") }, -- status
104 translate("Limit repeated log messages") },
108 translate("Shell cmd to execute after tun device open") },
112 translate("Delay tun/tap open and up script execution") },
115 "/usr/bin/ovpn-down",
116 translate("Shell cmd to run after tun device close") },
120 translate("Call down cmd/script before TUN/TAP close") },
124 translate("Run up/down scripts for all restarts") },
127 "/usr/bin/ovpn-routeup",
128 translate("Execute shell cmd after routes are added") },
131 "/usr/bin/ovpn-ipchange",
132 translate("Execute shell command on remote IP change"),
136 { "VAR1 value1", "VAR2 value2" },
137 translate("Pass environment variables to script") },
140 "/usr/bin/ovpn-tlsverify",
141 translate("Shell command to verify X509 name") },
144 "/usr/bin/ovpn-clientconnect",
145 translate("Run script cmd on client connection") },
148 "/usr/bin/ovpn-clientdisconnect",
149 translate("Run script cmd on client disconnection") },
152 "/usr/bin/ovpn-learnaddress",
153 translate("Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table") },
155 "auth_user_pass_verify",
156 "/usr/bin/ovpn-userpass via-env",
157 translate("Executed in server mode on new client connections, when the client is still untrusted") },
161 translate("Policy level over usage of external programs and scripts") },
164 { "frames_only", "lzo", "lz4", "stub-v2"},
165 translate("Security recommendation: It is recommended to not enable compression and set this parameter to `stub-v2`") },
168 { "networking", translate("Networking"), {
173 translate("Major mode") },
177 translate("Local host name or IP address") },
181 translate("TCP/UDP port # for both local and remote") },
185 translate("TCP/UDP port # for local (default=1194)") },
189 translate("TCP/UDP port # for remote (default=1194)") },
192 { "udp", "tcp-client", "tcp-server" },
193 translate("Use protocol") },
197 translate("Allow remote to change its IP or port") },
201 translate("Do not bind to local address and port") },
205 translate("When you have more than one IP address (e.g. multiple interfaces, or secondary IP addresses), and do not use --local to force binding to one specific address only") },
209 translate("tun/tap device") },
213 translate("Type of used device") },
217 translate("Use tun/tap device node") },
220 "10.200.200.3 10.200.200.1",
221 translate("Set tun/tap adapter parameters") },
225 translate("Don't actually execute ifconfig") },
229 translate("Don't warn on ifconfig inconsistencies") },
232 "10.123.0.0 255.255.0.0",
233 translate("Add route after establishing connection") },
237 translate("Specify a default gateway for routes") },
241 translate("Delay n seconds after connection") },
245 translate("Don't add routes automatically") },
249 translate("Don't pull routes automatically") },
251 "allow_recursive_routing",
253 translate("Don't drop incoming tun packets with same destination as host") },
256 { "yes", "maybe", "no" },
257 translate("Enable Path MTU discovery") },
261 translate("Empirically measure MTU") },
264 { "yes", "no", "adaptive" },
265 translate("Security recommendation: It is recommended to not enable compression and set this parameter to `no`")},
269 translate("Don't use adaptive lzo compression"),
274 translate("Set TCP/UDP MTU") },
278 translate("Set tun/tap device MTU") },
282 translate("Set tun/tap device overhead") },
286 translate("Enable internal datagram fragmentation"),
291 translate("Set upper bound on TCP MSS"),
296 translate("Set the TCP/UDP send buffer size") },
300 translate("Set the TCP/UDP receive buffer size") },
304 translate("Set tun/tap TX queue length") },
308 translate("Shaping for peer bandwidth") },
312 translate("tun/tap inactivity timeout") },
316 translate("Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations") },
320 translate("Ping remote every n seconds over TCP/UDP port") },
324 translate("Remote ping timeout") },
328 translate("Restart after remote ping timeout") },
332 translate("Only process ping timeouts if routes exist") },
336 translate("Keep tun/tap device open on restart") },
340 translate("Don't re-read key on restart") },
344 translate("Keep local IP address on restart") },
348 translate("Keep remote IP address on restart") },
349 -- management channel
352 "127.0.0.1 31194 /etc/openvpn/mngmt-pwds",
353 translate("Enable management interface on <em>IP</em> <em>port</em>") },
356 "management_query_passwords",
358 translate("Query management channel for private key") },
363 translate("Start OpenVPN in a hibernating state") },
366 "management_log_cache",
368 translate("Number of lines for log file history") },
371 { "net30", "p2p", "subnet" },
372 translate("'net30', 'p2p', or 'subnet'"),
377 translate("Disable Data Channel Offloading (DCO) support") },
380 { "vpn", translate("VPN"), {
383 "10.200.200.0 255.255.255.0",
384 translate("Configure server mode"),
385 { client="0" }, { client="" } },
388 "10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250",
389 translate("Configure server bridge"),
390 { client="0" }, { client="" } },
393 { "redirect-gateway", "comp-lzo" },
394 translate("Push options to peer"),
395 { client="0" }, { client="" } },
399 translate("Don't inherit global push options"),
400 { client="0" }, { client="" } },
404 translate("Client is disabled"),
405 { client="0" }, { client="" } },
408 "10.200.200.100 10.200.200.150 255.255.255.0",
409 translate("Set aside a pool of subnets"),
410 { client="0" }, { client="" } },
412 "ifconfig_pool_persist",
413 "/etc/openvpn/ipp.txt 600",
414 translate("Persist/unpersist ifconfig-pool"),
415 { client="0" }, { client="" } },
418 "10.200.200.1 255.255.255.255",
419 translate("Push an ifconfig option to remote"),
420 { client="0" }, { client="" } },
423 "10.200.200.0 255.255.255.0",
424 translate("Route subnet to client"),
425 { client="0" }, { client="" } },
429 translate("Allow client-to-client traffic"),
430 { client="0" }, { client="" } },
434 translate("Allow multiple clients with same certificate"),
435 { client="0" }, { client="" } },
439 translate("Directory for custom client config files"),
440 { client="0" }, { client="" } },
444 translate("Refuse connection if no custom client config"),
445 { client="0" }, { client="" } },
449 translate("Temporary directory for client-connect return file"),
450 { client="0" }, { client="" } },
454 translate("Set size of real and virtual address hash tables"),
455 { client="0" }, { client="" } },
459 translate("Number of allocated broadcast buffers"),
460 { client="0" }, { client="" } },
464 translate("Maximum number of queued TCP output packets"),
465 { client="0" }, { client="" } },
469 translate("Allowed maximum of connected clients"),
470 { client="0" }, { client="" } },
472 "max_routes_per_client",
474 translate("Allowed maximum of internal"),
475 { client="0" }, { client="" } },
479 translate("Allowed maximum of new connections"),
480 { client="0" }, { client="" } },
482 "username_as_common_name",
484 translate("Use username as common name"),
485 { client="0" }, { client="" } },
489 translate("Configure client mode") },
493 translate("Accept options pushed from server"),
497 "/etc/openvpn/userpass.txt",
498 translate("Authenticate using username/password"),
502 { "none", "nointeract", "interact" },
503 translate("Handling of authentication failures"),
506 "explicit_exit_notify",
508 translate("Send notification to peer on disconnect"),
513 translate("Remote host name or IP address") },
517 translate("Randomly choose remote server"),
522 translate("Connection retry interval"),
523 { proto="tcp-client" }, { client="1" } },
526 "192.168.1.100 8080",
527 translate("Connect to remote host through an HTTP proxy"),
532 translate("Retry indefinitely on HTTP proxy errors"),
535 "http_proxy_timeout",
537 translate("Proxy timeout in seconds"),
541 { "VERSION 1.0", "AGENT OpenVPN/2.0.9" },
542 translate("Set extended HTTP proxy options"),
546 "192.168.1.200 1080",
547 translate("Connect through Socks5 proxy"),
549 -- client && socks_proxy
553 translate("Retry indefinitely on Socks proxy errors"),
558 translate("If hostname resolve fails, retry"),
562 { "", "local", "def1", "local def1" },
563 translate("Automatically redirect default route"),
566 "verify_client_cert",
567 { "none", "optional", "require" },
568 translate("Specify whether the client is required to supply a valid certificate") },
571 { "cryptography", translate("Cryptography"), {
574 "/etc/openvpn/secret.key",
575 translate("Enable Static Key encryption mode (non-TLS)") },
580 translate("HMAC authentication for packets") },
629 translate("Encryption cipher for packets") },
634 translate("Size of cipher key") },
639 translate("Enable OpenSSL hardware crypto engines") },
643 translate("Replay protection sliding window size") },
645 "mute_replay_warnings",
647 translate("Silence the output of replay warnings") },
650 "/var/run/openvpn-replay-state",
651 translate("Persist replay-protection state") },
655 translate("Enable TLS and assume server role"),
656 { tls_client="" }, { tls_client="0" } },
660 translate("Enable TLS and assume client role"),
661 { tls_server="" }, { tls_server="0" } },
664 "/etc/easy-rsa/keys/ca.crt",
665 translate("Certificate authority") },
668 "/etc/easy-rsa/keys/dh1024.pem",
669 translate("Diffie-Hellman parameters") },
672 "/etc/easy-rsa/keys/some-client.crt",
673 translate("Local certificate") },
676 "/etc/easy-rsa/keys/some-client.key",
677 translate("Local private key") },
680 "/etc/easy-rsa/keys/some-client.pk12",
681 translate("PKCS#12 file containing keys") },
685 translate("Enable TLS and assume client role") },
689 "TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
690 "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
691 "TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
692 "TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
693 "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
694 "TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
695 "TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
696 "TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
697 "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
698 "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
699 "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
700 "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
701 "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
702 "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
703 "TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
704 "TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
705 "TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
706 "TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
707 "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
708 "TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
709 "TLS-DHE-RSA-WITH-AES-128-CBC-SHA"
711 translate("TLS cipher") },
715 "TLS_AES_256_GCM_SHA384",
716 "TLS_AES_128_GCM_SHA256",
717 "TLS_CHACHA20_POLY1305_SHA256"
719 translate("TLS 1.3 or newer cipher") },
723 translate("Retransmit timeout on TLS control channel") },
727 translate("Renegotiate data chan. key after bytes") },
731 translate("Renegotiate data chan. key after packets") },
735 translate("Renegotiate data chan. key after seconds") },
739 translate("Timeframe for key exchange") },
743 translate("Key transition window") },
747 translate("Allow only one session") },
751 translate("Exit on TLS negotiation failure") },
754 "/etc/openvpn/tlsauth.key",
755 translate("Additional authentication over TLS") },
758 "/etc/openvpn/tlscrypt.key",
759 translate("Encrypt and authenticate all control channel packets with the key") },
762 "/etc/openvpn/servertlscryptv2.key",
763 translate("Encrypt and authenticate all control channel packets with the key, version 2.") },
767 -- translate("Get PEM password from controlling tty before we daemonize") },
771 translate("Don't cache --askpass or --auth-user-pass passwords") },
775 translate("Only accept connections from given X509 name") },
778 { "client", "server" },
779 translate("Require explicit designation on certificate") },
782 { "client", "server" },
783 translate("Require explicit key usage on certificate") },
786 "/etc/easy-rsa/keys/crl.pem",
787 translate("Check peer certificate against a CRL") },
791 translate("The lowest supported TLS version") },
795 translate("The highest supported TLS version") },
799 translate("The key direction for 'tls-auth' and 'secret' options") },
803 translate("This completely disables cipher negotiation") },
806 "AES-256-GCM:AES-128-GCM",
807 translate("Restrict the allowed ciphers to be negotiated") },
810 "CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC",
811 translate("Restrict the allowed ciphers to be negotiated") },
820 local m = Map("openvpn")
821 m.redirect = luci.dispatcher.build_url("admin", "vpn", "openvpn")
822 m.apply_on_parse = true
824 local p = m:section( SimpleSection )
825 p.template = "openvpn/pageswitch"
828 p.category = arg[2] or knownParams[1][1]
830 for _, c in ipairs(knownParams) do
831 cts[#cts+1] = { id = c[1], title = c[2] }
832 if c[1] == p.category then
842 NamedSection, arg[1], "openvpn", title
849 for _, option in ipairs(params) do
851 option[1], option[2],
857 if option[1] == DummyValue then
859 elseif option[1] == FileUpload then
861 o.initial_directory = "/etc/openvpn"
-- FileUpload variant: resolve the stored option value through the base class
-- before any widget-specific handling.
-- NOTE(review): the remainder of this override is elided in this excerpt —
-- confirm how cfg_val is post-processed before relying on it.
863 function o.cfgvalue(self, section)
864 local cfg_val = AbstractValue.cfgvalue(self, section)
-- FileUpload variant of formvalue(): the submitted value can come from two
-- places — the upload/select widget (sel_val, via the base class) or a
-- companion form field named "<cbid>.textbox" (txt_val), presumably a
-- free-text path entered instead of uploading. Both originate from the HTTP
-- request (luci.http.formvalue) and are untrusted; the checks below only
-- establish that a value is present, not that it is a sane path.
-- NOTE(review): the branch bodies are elided in this excerpt — confirm which
-- value wins when both are submitted and whether txt_val is validated as a
-- path before being stored.
871 function o.formvalue(self, section)
872 local sel_val = AbstractValue.formvalue(self, section)
873 local txt_val = luci.http.formvalue("cbid."..self.map.config.."."..section.."."..self.option..".textbox")
-- The widget selection is examined first; the text field second.
875 if sel_val and sel_val ~= "" then
879 if txt_val and txt_val ~= "" then
-- FileUpload variant of remove(): looks at the currently stored path and the
-- companion "<cbid>.textbox" form field. The visible guard fires only when
-- the stored path names an existing file (fs.access) AND the text field was
-- submitted as an empty string — note the strict `== ""`: a field that is
-- absent from the request (txt_val == nil) does not satisfy it. Control
-- eventually reaches the base-class remove.
-- NOTE(review): the guarded branch body is elided in this excerpt — confirm
-- what it does with cfg_val (e.g. that any filesystem action stays within the
-- intended upload location) before treating this as safe.
884 function o.remove(self, section)
885 local cfg_val = AbstractValue.cfgvalue(self, section)
886 local txt_val = luci.http.formvalue("cbid."..self.map.config.."."..section.."."..self.option..".textbox")
888 if cfg_val and fs.access(cfg_val) and txt_val == "" then
891 return AbstractValue.remove(self, section)
893 elseif option[1] == Flag then
896 if option[1] == DynamicList then
-- DynamicList variant of cfgvalue(): the widget works on a list of entries,
-- but a single-valued option is presumably read back as a scalar. Normalise a
-- non-table value to a one-element list; nil/false and existing tables are
-- returned unchanged. (The closing `end` is not visible in this excerpt.)
897 function o.cfgvalue(...)
898 local val = AbstractValue.cfgvalue(...)
899 return ( val and type(val) ~= "table" ) and { val } or val
903 if type(option[3]) == "table" then
904 if o.optional then o:value("", "-- remove --") end
905 for _, v in ipairs(option[3]) do
909 o.default = tostring(option[3][1])
911 o.default = tostring(option[3])
916 if type(option[i]) == "table" then