diff --git a/plist b/plist
index e9254bd53..363dfbb29 100644
--- a/plist
+++ b/plist
@@ -136,6 +136,7 @@
/usr/local/etc/rc.syshook.d/start/25-syslog
/usr/local/etc/rc.syshook.d/start/90-carp
/usr/local/etc/rc.syshook.d/start/90-cron
+/usr/local/etc/rc.syshook.d/start/90-openvpn
/usr/local/etc/rc.syshook.d/start/90-sysctl
/usr/local/etc/rc.syshook.d/start/95-beep
/usr/local/etc/rc.syshook.d/stop/05-beep
diff --git a/src/etc/rc.syshook.d/start/90-openvpn b/src/etc/rc.syshook.d/start/90-openvpn
new file mode 100755
index 000000000..675a7a0ca
--- /dev/null
+++ b/src/etc/rc.syshook.d/start/90-openvpn
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+configctl -dq openvpn configure
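Review bot: The new hook script carries no comment stating why it exists, and its purpose is only recoverable from the `configure` change in ovpn_service_control.php elsewhere in this commit. Suggest a header comment such as `# Start enabled OpenVPN instances that are not running yet (configd 'openvpn configure' restarts when no valid pid is found).` so the next reader does not have to trace the syshook to the PHP. If `-d` is meant to detach so boot is not blocked, a short note on that would help too, since later hooks cannot assume the tunnels are up.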
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ServiceController.php b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ServiceController.php
index 82fd52bc1..444372bd3 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ServiceController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/Api/ServiceController.php
@@ -55,10 +55,12 @@ class ServiceController extends ApiControllerBase
}
}
foreach ((new OpenVPN())->Instances->Instance->iterateItems() as $node_uuid => $node) {
- $config_payload[$node_uuid] = [
- 'enabled' => (string)$node->enabled,
- 'description' => (string)$node->description
- ];
+ if ((string)$node->role == $role) {
+ $config_payload[$node_uuid] = [
+ 'enabled' => (string)$node->enabled,
+ 'description' => (string)$node->description
+ ];
+ }
}
return $config_payload;
}
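Review bot: The new filter on the role uses a loose comparison, `(string)$node->role == $role`; since both sides are meant to be strings, `if ((string)$node->role === $role) {` avoids PHP's numeric-string coercion rules and matches the strict style a model field comparison should have. `$role` and `$config_payload` are defined above the hunk, so I cannot confirm here whether an empty or unexpected `$role` is rejected before this loop; if it is not, every instance is silently dropped from the payload rather than reported. The enclosing method starts outside the hunk.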
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
index e5d37b455..93e93bbad 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
+++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml
@@ -143,6 +143,7 @@
instance.crl
dropdown
+
Select a certificate revocation list to use for this service.
@@ -151,6 +152,13 @@
dropdown
Specify if the client is required to offer a certificate.
+
+ instance.cert_depth
+
+ dropdown
+
+ When a certificate-based client logs in, do not accept certificates below this depth. Useful for denying certificates made with intermediate CAs generated from the same CA as the server.
+
instance.tls_key
@@ -160,6 +168,15 @@
The prefixed mode determines if this measurement is only used for authentication (--tls-auth) or includes encryption (--tls-crypt).
+
+ instance.auth
+
+ true
+ dropdown
+
+ Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using message digest algorithm alg.
+
+
instance.data-ciphers
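Review bot: The help text for `instance.auth` ends with `message digest algorithm alg`, where `alg` is the placeholder from the OpenVPN manual and is meaningless in a form field; suggest `Authenticate data channel packets and (if enabled) tls-auth control channel packets with HMAC using the selected message digest algorithm.` Because the same commit exposes MD4, MD5 and a "None" choice in the model, this help text is also the right place to state that OpenVPN ignores this setting for the data channel when an AEAD cipher (e.g. AES-GCM) is negotiated, while it still selects the HMAC for tls-auth/tls-crypt. The element tags appear stripped in this view, so I am going by the visible text only.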
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
index 9be8393c0..d2edf2c97 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php
@@ -276,6 +276,7 @@ class OpenVPN extends BaseModel
'tlsmode' => $this_mode,
'certref' => (string)$node->cert,
'caref' => $this_caref,
+ 'cert_depth' => (string)$node->cert_depth,
'description' => (string)$node->description
];
}
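Review bot: `cert_depth` is copied into the legacy-shaped server array as a bare string with no indication of what an empty value means; the OpenVPN.xml change in this commit appears to make the field optional with a "Do Not Check" blank entry, so consumers of this array (the depth check in tls_verify.php, presumably) will now see `''` as well as a digit. A comment on the added line such as `// '' means "Do Not Check" (optional in the model); consumers must treat it as no depth limit` would pin that contract, and the same applies to the identical addition in the second hunk of this file. The enclosing method starts and ends outside the hunk.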
@@ -311,6 +312,7 @@ class OpenVPN extends BaseModel
'tlsmode' => (string)$item->tlsmode,
'certref' => (string)$item->certref,
'caref' => (string)$item->caref,
+ 'cert_depth' => (string)$item->cert_depth,
'description' => (string)$item->description,
// legacy only (backwards compatibility)
'compression' => (string)$item->compression,
@@ -482,8 +484,9 @@ class OpenVPN extends BaseModel
$options['verb'] = (string)$node->verb;
$options['verify-client-cert'] = (string)$node->verify_client_cert;
- foreach (
- ['reneg-sec', 'auth-gen-token', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback'] as $opt
+ foreach ([
+ 'reneg-sec', 'auth-gen-token', 'port', 'local', 'data-ciphers', 'data-ciphers-fallback', 'auth'
+ ] as $opt
) {
if ((string)$node->$opt != '') {
$options[$opt] = str_replace(',', ':', (string)$node->$opt);
diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
index a11dcec95..9fdc6996e 100644
--- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
@@ -197,6 +197,17 @@
None
Please select a valid certificate from the list
+
+ N
+ Do Not Check
+
+ One (Client+Server)
+ Two (Client+Intermediate+Server)
+ Three (Client+2xIntermediate+Server)
+ Four (Client+3xIntermediate+Server)
+ Five (Client+4xIntermediate+Server)
+
+
Y
require
@@ -205,6 +216,33 @@
required
+
+ N
+ SHA1
+
+ BLAKE2b512 (512-bit)
+ BLAKE2s256 (256-bit)
+ MD4 (128-bit)
+ MD5 (128-bit)
+ MD5-SHA1 (288-bit)
+ RIPEMD160 (160-bit)
+ SHA1 (160-bit)
+ SHA224 (224-bit)
+ SHA256 (256-bit)
+ SHA3-224 (224-bit)
+ SHA3-256 (256-bit)
+ SHA3-384 (384-bit)
+ SHA3-512 (512-bit)
+ SHA384 (384-bit)
+ SHA512 (512-bit)
+ SHA512-224 (224-bit)
+ SHA512-256 (256-bit)
+ SHAKE128 (128-bit)
+ SHAKE256 (256-bit)
+ whirlpool (512-bit)
+ None (No Authentication)
+
+
N
Y
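Review bot: The new `auth` option list offers MD4, MD5 and `None (No Authentication)` next to the SHA-2/SHA-3 digests with nothing marking them as weak, which invites a misconfiguration in a control-channel HMAC setting. From a hardening standpoint the list should either drop MD4/MD5 and None, or the accompanying help text should state they are present only for interoperability with legacy peers and should not be used for new deployments. It is also worth recording, in a comment here or in the form help, that OpenVPN ignores `--auth` for the data channel once an AEAD cipher such as AES-GCM is negotiated, while the choice still governs tls-auth/tls-crypt, so the setting is not a no-op. The element tags appear stripped in this view, so I cannot confirm the exact element names.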
diff --git a/src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt b/src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
index f6dbf62d0..57cca9a33 100644
--- a/src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
@@ -34,7 +34,7 @@
selection: false,
formatters:{
bytes: function(column, row) {
- if (row[column.id]) {
+ if (row[column.id] && row[column.id] > 0) {
return byteFormat(row[column.id], 2);
}
return '';
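Review bot: The added `row[column.id] > 0` already evaluates false for `null`, `undefined`, `0` and non-numeric strings, so the leading truthiness test is now redundant; `if (row[column.id] > 0) {` expresses the intent (hide missing, zero and negative counters) on its own. This is a style point only; behaviour is unchanged either way.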
diff --git a/src/opnsense/scripts/openvpn/ovpn_service_control.php b/src/opnsense/scripts/openvpn/ovpn_service_control.php
index ca15bbb6a..f0000d178 100755
--- a/src/opnsense/scripts/openvpn/ovpn_service_control.php
+++ b/src/opnsense/scripts/openvpn/ovpn_service_control.php
@@ -133,7 +133,7 @@ if (isset($opts['h']) || empty($args) || !in_array($args[0], ['start', 'stop', '
ovpn_start($node, $statHandle);
break;
case 'configure':
- if ($instance_stats['has_changed']) {
+ if ($instance_stats['has_changed'] || !isvalidpid($node->pidFilename)) {
ovpn_stop($node);
ovpn_start($node, $statHandle);
}
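Review bot: The new `|| !isvalidpid($node->pidFilename)` condition turns `configure` into a (re)start for any instance whose pid file is missing or stale, so an enabled instance that was stopped on purpose is brought back on every configure call, and `ovpn_stop()` is now invoked when no process is running; if both are intended, a comment such as `// also (re)start enabled instances that are not running, e.g. at boot via rc.syshook 90-openvpn` on the changed line would make that explicit. The surrounding switch and the loop it sits in begin outside the hunk, so I cannot confirm here whether disabled instances are filtered out before this point.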
diff --git a/src/opnsense/scripts/openvpn/tls_verify.php b/src/opnsense/scripts/openvpn/tls_verify.php
index 2e21fa45b..ba02afa49 100755
--- a/src/opnsense/scripts/openvpn/tls_verify.php
+++ b/src/opnsense/scripts/openvpn/tls_verify.php
@@ -36,16 +36,7 @@ require_once("config.inc");
*/
function do_verify($serverid)
{
- global $config;
- $a_server = null;
- if (isset($config['openvpn']['openvpn-server'])) {
- foreach ($config['openvpn']['openvpn-server'] as $server) {
- if ($server['vpnid'] == $serverid) {
- $a_server = $server;
- break;
- }
- }
- }
+ $a_server = (new OPNsense\OpenVPN\OpenVPN())->getInstanceById($serverid, 'server');
if ($a_server === null) {
return "OpenVPN '$serverid' was not found. Denying authentication for user {$username}";
}
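Review bot: The denial message returned on the line after the lookup interpolates `{$username}`, but `do_verify($serverid)` takes no such parameter and, now that the `global $config;` statement is gone, declares no globals at all, so the message will always carry an empty name (with an undefined-variable warning) for a not-found server; either pass the user name in, `function do_verify($serverid, $username)`, or drop it from the string. Separately, the result of `getInstanceById($serverid, 'server')` is only checked for `null`; if the model lookup can throw on a malformed `$serverid` it is worth confirming the script still fails closed (denies) rather than exiting with an error OpenVPN may not treat as a rejection. `do_verify` continues past the end of the hunk.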