1 -- Copyright 2008 Steven Barth <steven@midlink.org>
2 -- Licensed to the public under the Apache License 2.0.
4 local fs = require("nixio.fs")
15 -- initialisation and daemon options
18 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 },
19 translate("Set output verbosity") },
23 translate("Disable Paging") },
27 translate("Disable options consistency check") },
31 -- translate("Set UID to user") },
35 -- translate("Set GID to group") },
39 translate("Change to directory before initialization") },
43 translate("Chroot to directory after initialization") },
47 -- translate("Daemonize after initialization") },
51 -- translate("Output to syslog and do not daemonize") },
55 translate("TOS passthrough (applies to IPv4 only)") },
58 -- "nowait Instance-Name",
59 -- translate("Run as an inetd or xinetd server") },
62 "/var/log/openvpn.log",
63 translate("Write log to file") },
66 "/var/log/openvpn.log",
67 translate("Append log to file") },
69 "suppress_timestamps",
71 translate("Don't log timestamps") },
74 -- "/var/run/openvpn.pid",
75 -- translate("Write process ID to file") },
79 translate("Change process priority") },
83 translate("Optimize TUN/TAP/UDP writes") },
86 "some params echoed to log",
87 translate("Echo parameters to log") },
90 { "SIGHUP", "SIGTERM" },
91 translate("Remap SIGUSR1 signals") },
94 "/var/run/openvpn.status 5",
95 translate("Write status to file every n seconds") },
99 translate("Status file format version") }, -- status
103 translate("Limit repeated log messages") },
107 translate("Shell cmd to execute after tun device open") },
111 translate("Delay tun/tap open and up script execution") },
114 "/usr/bin/ovpn-down",
115 translate("Shell cmd to run after tun device close") },
119 translate("Call down cmd/script before TUN/TAP close") },
123 translate("Run up/down scripts for all restarts") },
126 "/usr/bin/ovpn-routeup",
127 translate("Execute shell cmd after routes are added") },
130 "/usr/bin/ovpn-ipchange",
131 translate("Execute shell command on remote ip change"),
135 { "VAR1 value1", "VAR2 value2" },
136 translate("Pass environment variables to script") },
139 "/usr/bin/ovpn-tlsverify",
140 translate("Shell command to verify X509 name") },
143 "/usr/bin/ovpn-clientconnect",
144 translate("Run script cmd on client connection") },
148 translate("Run script cmd on client disconnection") },
151 "/usr/bin/ovpn-learnaddress",
152 translate("Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table") },
154 "auth_user_pass_verify",
155 "/usr/bin/ovpn-userpass via-env",
156 translate("Executed in server mode on new client connections, when the client is still untrusted") },
160 translate("Policy level over usage of external programs and scripts") },
163 "/etc/openvpn/ovpn-file.ovpn",
164 translate("Local OVPN configuration file") },
172 translate("Major mode") },
176 translate("Local host name or ip address") },
180 translate("TCP/UDP port # for both local and remote") },
184 translate("TCP/UDP port # for local (default=1194)") },
188 translate("TCP/UDP port # for remote (default=1194)") },
192 translate("Allow remote to change its IP or port") },
196 translate("Do not bind to local address and port") },
200 translate("tun/tap device") },
204 translate("Type of used device") },
208 translate("Use tun/tap device node") },
211 "10.200.200.3 10.200.200.1",
212 translate("Set tun/tap adapter parameters") },
216 translate("Don't actually execute ifconfig") },
220 translate("Don't warn on ifconfig inconsistencies") },
223 "10.123.0.0 255.255.0.0",
224 translate("Add route after establishing connection") },
228 translate("Specify a default gateway for routes") },
232 translate("Delay n seconds after connection") },
236 translate("Don't add routes automatically") },
240 translate("Don't pull routes automatically") },
243 { "yes", "maybe", "no" },
244 translate("Enable Path MTU discovery") },
248 translate("Empirically measure MTU") },
252 translate("Set TCP/UDP MTU") },
256 translate("Set tun/tap device MTU") },
260 translate("Set tun/tap device overhead") },
264 translate("Enable internal datagram fragmentation"),
269 translate("Set upper bound on TCP MSS"),
274 translate("Set the TCP/UDP send buffer size") },
278 translate("Set the TCP/UDP receive buffer size") },
282 translate("Set tun/tap TX queue length") },
286 translate("Shaping for peer bandwidth") },
290 translate("tun/tap inactivity timeout") },
294 translate("Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations") },
298 translate("Ping remote every n seconds over TCP/UDP port") },
302 translate("Remote ping timeout") },
306 translate("Restart after remote ping timeout") },
310 translate("Only process ping timeouts if routes exist") },
314 translate("Keep tun/tap device open on restart") },
318 translate("Don't re-read key on restart") },
322 translate("Keep local IP address on restart") },
326 translate("Keep remote IP address on restart") },
327 -- management channel
330 "127.0.0.1 31194 /etc/openvpn/mngmt-pwds",
331 translate("Enable management interface on <em>IP</em> <em>port</em>") },
334 "management_query_passwords",
336 translate("Query management channel for private key") },
341 translate("Start OpenVPN in a hibernating state") },
344 "management_log_cache",
346 translate("Number of lines for log file history") },
349 { "net30", "p2p", "subnet" },
350 translate("'net30', 'p2p', or 'subnet'"),
357 "10.200.200.0 255.255.255.0",
358 translate("Configure server mode"),
359 { client="0" }, { client="" } },
362 "10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250",
363 translate("Configure server bridge"),
364 { client="0" }, { client="" } },
367 { "redirect-gateway" },
368 translate("Push options to peer"),
369 { client="0" }, { client="" } },
373 translate("Don't inherit global push options"),
374 { client="0" }, { client="" } },
378 translate("Client is disabled"),
379 { client="0" }, { client="" } },
382 "10.200.200.100 10.200.200.150 255.255.255.0",
383 translate("Set aside a pool of subnets"),
384 { client="0" }, { client="" } },
386 "ifconfig_pool_persist",
387 "/etc/openvpn/ipp.txt 600",
388 translate("Persist/unpersist ifconfig-pool"),
389 { client="0" }, { client="" } },
392 "10.200.200.1 255.255.255.255",
393 translate("Push an ifconfig option to remote"),
394 { client="0" }, { client="" } },
397 "10.200.200.0 255.255.255.0",
398 translate("Route subnet to client"),
399 { client="0" }, { client="" } },
403 translate("Allow client-to-client traffic"),
404 { client="0" }, { client="" } },
408 translate("Allow multiple clients with same certificate"),
409 { client="0" }, { client="" } },
413 translate("Directory for custom client config files"),
414 { client="0" }, { client="" } },
418 translate("Refuse connection if no custom client config"),
419 { client="0" }, { client="" } },
423 translate("Temporary directory for client-connect return file"),
424 { client="0" }, { client="" } },
428 translate("Set size of real and virtual address hash tables"),
429 { client="0" }, { client="" } },
433 translate("Number of allocated broadcast buffers"),
434 { client="0" }, { client="" } },
438 translate("Maximum number of queued TCP output packets"),
439 { client="0" }, { client="" } },
443 translate("Allowed maximum of connected clients"),
444 { client="0" }, { client="" } },
446 "max_routes_per_client",
448 translate("Allowed maximum of internal"),
449 { client="0" }, { client="" } },
453 translate("Allowed maximum of new connections"),
454 { client="0" }, { client="" } },
456 "username_as_common_name",
458 translate("Use username as common name"),
459 { client="0" }, { client="" } },
463 translate("Configure client mode") },
467 translate("Accept options pushed from server"),
471 "/etc/openvpn/userpass.txt",
472 translate("Authenticate using username/password"),
476 { "none", "nointeract", "interact" },
477 translate("Handling of authentication failures"),
480 "explicit_exit_notify",
482 translate("Send notification to peer on disconnect"),
487 translate("Remote host name or ip address"),
492 translate("Randomly choose remote server"),
496 { "udp", "tcp-client", "tcp-server" },
497 translate("Use protocol"),
502 translate("Connection retry interval"),
503 { proto="tcp-client" }, { client="1" } },
506 "192.168.1.100 8080",
507 translate("Connect to remote host through an HTTP proxy"),
512 translate("Retry indefinitely on HTTP proxy errors"),
515 "http_proxy_timeout",
517 translate("Proxy timeout in seconds"),
521 { "VERSION 1.0", "AGENT OpenVPN/2.0.9" },
522 translate("Set extended HTTP proxy options"),
526 "192.168.1.200 1080",
527 translate("Connect through Socks5 proxy"),
529 -- client && socks_proxy
533 translate("Retry indefinitely on Socks proxy errors"),
538 translate("If hostname resolve fails, retry"),
542 { "", "local", "def1", "local def1" },
543 translate("Automatically redirect default route"),
550 "/etc/openvpn/secret.key",
551 translate("Enable Static Key encryption mode (non-TLS)") },
556 translate("HMAC authentication for packets") },
561 translate("Encryption cipher for packets") },
566 translate("Size of cipher key") },
571 translate("Enable OpenSSL hardware crypto engines") },
575 translate("Replay protection sliding window size") },
577 "mute_replay_warnings",
579 translate("Silence the output of replay warnings") },
582 "/var/run/openvpn-replay-state",
583 translate("Persist replay-protection state") },
587 translate("Enable TLS and assume server role"),
588 { tls_client="" }, { tls_client="0" } },
592 translate("Enable TLS and assume client role"),
593 { tls_server="" }, { tls_server="0" } },
596 "/etc/easy-rsa/keys/ca.crt",
597 translate("Certificate authority") },
600 "/etc/easy-rsa/keys/dh1024.pem",
601 translate("Diffie Hellman parameters") },
604 "/etc/easy-rsa/keys/some-client.crt",
605 translate("Local certificate") },
608 "/etc/easy-rsa/keys/some-client.key",
609 translate("Local private key") },
612 "/etc/easy-rsa/keys/some-client.pk12",
613 translate("PKCS#12 file containing keys") },
617 translate("Enable TLS and assume client role") },
620 "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5",
621 translate("TLS cipher") },
625 translate("Retransmit timeout on TLS control channel") },
629 translate("Renegotiate data chan. key after bytes") },
633 translate("Renegotiate data chan. key after packets") },
637 translate("Renegotiate data chan. key after seconds") },
641 translate("Timeframe for key exchange") },
645 translate("Key transition window") },
649 translate("Allow only one session") },
653 translate("Exit on TLS negotiation failure") },
656 "/etc/openvpn/tlsauth.key",
657 translate("Additional authentication over TLS") },
660 "/etc/openvpn/tlscrypt.key",
661 translate("Encrypt and authenticate all control channel packets with the key") },
665 -- translate("Get PEM password from controlling tty before we daemonize") },
669 translate("Don't cache --askpass or --auth-user-pass passwords") },
673 translate("Only accept connections from given X509 name") },
676 { "client", "server" },
677 translate("Require explicit designation on certificate") },
680 { "client", "server" },
681 translate("Require explicit key usage on certificate") },
684 "/etc/easy-rsa/keys/crl.pem",
685 translate("Check peer certificate against a CRL") },
689 translate("The lowest supported TLS version") },
693 translate("The highest supported TLS version") },
697 translate("The key direction for 'tls-auth' and 'secret' options") },
705 local m = Map("openvpn")
706 m.redirect = luci.dispatcher.build_url("admin", "services", "openvpn")
707 m.apply_on_parse = true
709 local p = m:section( SimpleSection )
710 p.template = "openvpn/pageswitch"
713 p.category = arg[2] or "Service"
715 for _, c in ipairs(knownParams) do
717 if c[1] == p.category then params = c[2] end
724 NamedSection, arg[1], "openvpn",
725 translate("%s" % arg[2])
728 s.title = translate("%s" % arg[2])
733 for _, option in ipairs(params) do
735 option[1], option[2],
741 if option[1] == DummyValue then
743 elseif option[1] == FileUpload then
745 function o.cfgvalue(self, section)
746 local cfg_val = AbstractValue.cfgvalue(self, section)
753 function o.formvalue(self, section)
754 local sel_val = AbstractValue.formvalue(self, section)
755 local txt_val = luci.http.formvalue("cbid."..self.map.config.."."..section.."."..self.option..".textbox")
757 if sel_val and sel_val ~= "" then
761 if txt_val and txt_val ~= "" then
766 function o.remove(self, section)
767 local cfg_val = AbstractValue.cfgvalue(self, section)
768 local txt_val = luci.http.formvalue("cbid."..self.map.config.."."..section.."."..self.option..".textbox")
770 if cfg_val and fs.access(cfg_val) and txt_val == "" then
773 return AbstractValue.remove(self, section)
775 elseif option[1] == Flag then
778 if option[1] == DynamicList then
779 function o.cfgvalue(...)
780 local val = AbstractValue.cfgvalue(...)
781 return ( val and type(val) ~= "table" ) and { val } or val
785 if type(option[3]) == "table" then
786 if o.optional then o:value("", "-- remove --") end
787 for _, v in ipairs(option[3]) do
791 o.default = tostring(option[3][1])
793 o.default = tostring(option[3])
798 if type(option[i]) == "table" then