From 2178e59f0552a125611d897012394d0e5b4e1baf Mon Sep 17 00:00:00 2001 From: Marius Halden Date: Wed, 5 Mar 2025 20:03:42 +0100 Subject: [PATCH] OpenVPN: Add support for various options (#8396) Add support for auth-gen-token renawal time. Add support for auth-gen-token-secrets to allow failover between servers. Add support for pushing inactive to clients to have them disconnect after being idle for a set time. Add support for explicit-exit-notify and for pushing it. This will allow UDP connection to notify peers that they are going away. Add support for ifconfig-pool-persist, which will allow smoother roaming combined with auth-gen-token since client will keep their ip address. Add support from compress migrate. This option will conditionally use stub compression for clients announcing they have compression enabled while leaving it of for all other clients. --- .../OPNsense/OpenVPN/forms/dialogInstance.xml | 57 +++++++++++++++++++ .../app/models/OPNsense/OpenVPN/OpenVPN.php | 38 ++++++++++++- .../app/models/OPNsense/OpenVPN/OpenVPN.xml | 9 +++ 3 files changed, 101 insertions(+), 3 deletions(-) diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml index 3ae605a29..aa3beee68 100644 --- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml +++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/dialogInstance.xml @@ -432,6 +432,28 @@ Set to 0 to disable, remember to change your client as well. false + + instance.auth-gen-token-renewal + + text + true + + How often the auth token will be renewed, token expire after 2 * renewal time. + + false + + + + instance.auth-gen-token-secret + + textbox + true + + Optional secret for use with auth-gen-token. This is useful to allow failover between multiple servers without user interaction. + + false + + instance.provision_exclusive 
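Review bot: The help text for the new `instance.auth-gen-token-secret` field does not say what the field expects, and since this is key material that must be identical on every server in the failover group, a user is likely to type an arbitrary passphrase that only fails once the instance starts; a help line such as `Paste the key generated with 'openvpn --genkey auth-token'; use the same key on every server that should accept each other's tokens.` would prevent that. The `instance.auth-gen-token-renewal` help text would also read better as `How often the auth token is renewed, in seconds; a token expires after 2 * renewal time.`, the value being passed through to OpenVPN unchanged by the model change in this patch.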
@@ -497,6 +519,17 @@ Set to 0 to disable, remember to change your client as well. false + + instance.push_inactive + + + text + true + Push an inactivity timeout to client connecting. Number of seconds with inactivity before the client should exit. + + false + + instance.redirect_gateway @@ -611,4 +644,28 @@ Set to 0 to disable, remember to change your client as well. boolean + + instance.compress_migrate + + checkbox + true + Conditionally use stub compression for clients configured with compression. This functionality is deprecated in OpenVPN. + + false + boolean + boolean + + + + instance.ifconfig-pool-persist + + checkbox + true + Save ip address pool to disk + + false + boolean + boolean + + diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php index 64f284e1d..d696f598e 100644 --- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php +++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.php @@ -144,6 +144,20 @@ class OpenVPN extends BaseModel $key . ".auth-gen-token" )); } + + if (!empty((string)$instance->{'auth-gen-token-renewal'}) && (string)$instance->{'auth-gen-token'} === '') { + $messages->appendMessage(new Message( + gettext('A token renewal requires a token lifetime.'), + $key . ".auth-gen-token-renewal" + )); + } + + if (!empty((string)$instance->{'auth-gen-token-secret'}) && (string)$instance->{'auth-gen-token'} === '') { + $messages->appendMessage(new Message( + gettext('A token secret requires a token lifetime.'), + $key . ".auth-gen-token-secret" + )); + } } if (!empty((string)$instance->cert)) { $tmp = Store::getCertificate((string)$instance->cert); 
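Review bot: The two new checks mix `!empty((string)...)` with `=== ''`, so a renewal value of `0` counts as absent, slips past the lifetime check, and is then silently ignored by the generator further down the file; using `(string)$instance->{'auth-gen-token-renewal'} !== ''` and `(string)$instance->{'auth-gen-token-secret'} !== ''` in the two new conditions keeps validation and generation consistent. There is also no format check on `auth-gen-token-secret`: it is key material OpenVPN expects in the form produced by `openvpn --genkey auth-token`, and a pasted arbitrary string is only rejected when the instance starts, so a validation message here would save a failed restart. The enclosing function starts and ends outside this hunk.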
@@ -643,11 +657,29 @@ class OpenVPN extends BaseModel $options['push'][] = "\"dhcp-option NTP {$opt}\""; } } - foreach (['auth-gen-token'] as $opt) { - if ((string)$node->$opt != '') { - $options[$opt] = str_replace(',', ':', (string)$node->$opt); + if (!empty((string)$node->push_inactive)) { + $options['push'][] = "\"inactive {$node->push_inactive}\""; + } + + if ((string)$node->{'auth-gen-token'} !== '') { + $options['auth-gen-token'] = $node->{'auth-gen-token'}; + + if ((string)$node->{'auth-gen-token-renewal'} !== '') { + $options['auth-gen-token'] .= ' ' . $node->{'auth-gen-token-renewal'}; } } + + if (!empty((string)$node->{'auth-gen-token-secret'})) { + $options[''] = $node->{'auth-gen-token-secret'}; + } + + if (!empty((string)$node->compress_migrate)) { + $options['compress'] = 'migrate'; + } + + if (!empty((string)$node->{'ifconfig-pool-persist'})) { + $options['ifconfig-pool-persist'] = "/var/etc/openvpn/instance-{$node_uuid}.pool"; + } } $options['persist-tun'] = null; $options['persist-key'] = null; diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml index 5875edd99..33a1ab125 100644 --- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml +++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml @@ -280,6 +280,7 @@ remote-random route-noexec route-nopull + explicit-exit-notify @@ -287,8 +288,10 @@ push block-outside-dns push register-dns + explicit-exit-notify + 0 Y @@ -319,6 +322,10 @@ 0 + + 0 + + 0 Y @@ -373,6 +380,8 @@ mvc + +
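Review bot: `$options[''] = $node->{'auth-gen-token-secret'};` files the token secret under an empty-string key, so unless the config writer later in this file treats `''` specially, the line is emitted with no directive name and OpenVPN rejects the config at startup, or, if the writer skips it, the secret is silently dropped and the cross-server failover this commit describes does not work because each server then signs tokens with its own random secret. Every other entry in this block keys on the directive name, so this presumably should be `$options['auth-gen-token-secret']` holding the path of a secret file with restrictive permissions (the secret signs and verifies every issued auth token), or the inline `<auth-gen-token-secret>` block form if the writer supports inline key material. `$node_uuid` in the `ifconfig-pool-persist` path is not defined within the hunk; if it is not in scope, PHP interpolates it as empty and every instance would share `instance-.pool`. The enclosing function starts and ends outside this hunk.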
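Review bot: `explicit-exit-notify` is added to the instance option list at `@@ -280` and to the push list at `@@ -287` without any protocol constraint, while OpenVPN only honours this directive on UDP and, depending on version, refuses to start when it is combined with a TCP proto, so the option on a TCP instance fails at service start rather than in the UI. Unless that check already lives elsewhere, rejecting the option for non-UDP instances in the model validation, next to the new token checks in OpenVPN.php, with a message like `explicit-exit-notify requires a UDP protocol`, would surface it early.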