1 -- Copyright 2008 Steven Barth <steven@midlink.org>
2 -- Licensed to the public under the Apache License 2.0.
5 require("luci.model.uci")
17 -- initialisation and daemon options
20 { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 },
21 translate("Set output verbosity") },
25 translate("Disable Paging") },
29 translate("Disable options consistency check") },
33 -- translate("Set UID to user") },
37 -- translate("Set GID to group") },
41 translate("Change to directory before initialization") },
45 translate("Chroot to directory after initialization") },
49 -- translate("Daemonize after initialization") },
53 -- translate("Output to syslog and do not daemonize") },
57 translate("TOS passthrough (applies to IPv4 only)") },
60 -- "nowait Instance-Name",
61 -- translate("Run as an inetd or xinetd server") },
64 "/var/log/openvpn.log",
65 translate("Write log to file") },
68 "/var/log/openvpn.log",
69 translate("Append log to file") },
71 "suppress_timestamps",
73 translate("Don't log timestamps") },
76 -- "/var/run/openvpn.pid",
77 -- translate("Write process ID to file") },
81 translate("Change process priority") },
85 translate("Optimize TUN/TAP/UDP writes") },
88 "some params echoed to log",
89 translate("Echo parameters to log") },
92 { "SIGHUP", "SIGTERM" },
93 translate("Remap SIGUSR1 signals") },
96 "/var/run/openvpn.status 5",
97 translate("Write status to file every n seconds") },
101 translate("Status file format version") }, -- status
105 translate("Limit repeated log messages") },
109 translate("Shell cmd to execute after tun device open") },
113 translate("Delay tun/tap open and up script execution") },
116 "/usr/bin/ovpn-down",
117 translate("Shell cmd to run after tun device close") },
121 translate("Call down cmd/script before TUN/TAP close") },
125 translate("Run up/down scripts for all restarts") },
128 "/usr/bin/ovpn-routeup",
129 translate("Execute shell cmd after routes are added") },
132 "/usr/bin/ovpn-ipchange",
133 translate("Execute shell command on remote ip change"),
137 { "VAR1 value1", "VAR2 value2" },
138 translate("Pass environment variables to script") },
141 "/usr/bin/ovpn-tlsverify",
142 translate("Shell command to verify X509 name") },
145 "/usr/bin/ovpn-clientconnect",
146 translate("Run script cmd on client connection") },
150 translate("Run script cmd on client disconnection") },
153 "/usr/bin/ovpn-learnaddress",
154 translate("Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table") },
156 "auth_user_pass_verify",
157 "/usr/bin/ovpn-userpass via-env",
158 translate("Executed in server mode on new client connections, when the client is still untrusted") },
162 translate("Policy level over usage of external programs and scripts") },
170 translate("Major mode") },
174 translate("Local host name or ip address") },
178 translate("TCP/UDP port # for both local and remote") },
182 translate("TCP/UDP port # for local (default=1194)") },
186 translate("TCP/UDP port # for remote (default=1194)") },
190 translate("Allow remote to change its IP or port") },
194 translate("Do not bind to local address and port") },
198 translate("tun/tap device") },
202 translate("Type of used device") },
206 translate("Use tun/tap device node") },
210 translate("Make tun device IPv6 capable") },
213 "10.200.200.3 10.200.200.1",
214 translate("Set tun/tap adapter parameters") },
218 translate("Don't actually execute ifconfig") },
222 translate("Don't warn on ifconfig inconsistencies") },
225 "10.123.0.0 255.255.0.0",
226 translate("Add route after establishing connection") },
230 translate("Specify a default gateway for routes") },
234 translate("Delay n seconds after connection") },
238 translate("Don't add routes automatically") },
242 translate("Don't pull routes automatically") },
245 { "yes", "maybe", "no" },
246 translate("Enable Path MTU discovery") },
250 translate("Empirically measure MTU") },
253 { "yes", "no", "adaptive" },
254 translate("Use fast LZO compression") },
258 translate("Don't use adaptive lzo compression"),
263 translate("Set TCP/UDP MTU") },
267 translate("Set tun/tap device MTU") },
271 translate("Set tun/tap device overhead") },
275 translate("Enable internal datagram fragmentation"),
280 translate("Set upper bound on TCP MSS"),
285 translate("Set the TCP/UDP send buffer size") },
289 translate("Set the TCP/UDP receive buffer size") },
293 translate("Set tun/tap TX queue length") },
297 translate("Shaping for peer bandwidth") },
301 translate("tun/tap inactivity timeout") },
305 translate("Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations") },
309 translate("Ping remote every n seconds over TCP/UDP port") },
313 translate("Remote ping timeout") },
317 translate("Restart after remote ping timeout") },
321 translate("Only process ping timeouts if routes exist") },
325 translate("Keep tun/tap device open on restart") },
329 translate("Don't re-read key on restart") },
333 translate("Keep local IP address on restart") },
337 translate("Keep remote IP address on restart") },
338 -- management channel
341 "127.0.0.1 31194 /etc/openvpn/mngmt-pwds",
342 translate("Enable management interface on <em>IP</em> <em>port</em>") },
345 "management_query_passwords",
347 translate("Query management channel for private key") },
352 translate("Start OpenVPN in a hibernating state") },
355 "management_log_cache",
357 translate("Number of lines for log file history") },
360 { "net30", "p2p", "subnet" },
361 translate("'net30', 'p2p', or 'subnet'"),
368 "10.200.200.0 255.255.255.0",
369 translate("Configure server mode"),
370 { server_mode="1" } },
373 "10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250",
374 translate("Configure server bridge"),
375 { server_mode="1" } },
378 { "redirect-gateway", "comp-lzo" },
379 translate("Push options to peer"),
380 { server_mode="1" } },
384 translate("Don't inherit global push options"),
385 { server_mode="1" } },
389 translate("Client is disabled"),
390 { server_mode="1" } },
393 "10.200.200.100 10.200.200.150 255.255.255.0",
394 translate("Set aside a pool of subnets"),
395 { server_mode="1" } },
397 "ifconfig_pool_persist",
398 "/etc/openvpn/ipp.txt 600",
399 translate("Persist/unpersist ifconfig-pool"),
400 { server_mode="1" } },
401 -- deprecated and replaced by --topology p2p
403 -- "ifconfig_pool_linear",
405 -- translate("Use individual addresses rather than /30 subnets"),
406 -- { server_mode="1" } },
409 "10.200.200.1 255.255.255.255",
410 translate("Push an ifconfig option to remote"),
411 { server_mode="1" } },
414 "10.200.200.0 255.255.255.0",
415 translate("Route subnet to client"),
416 { server_mode="1" } },
420 translate("Allow client-to-client traffic"),
421 { server_mode="1" } },
425 translate("Allow multiple clients with same certificate"),
426 { server_mode="1" } },
430 translate("Directory for custom client config files"),
431 { server_mode="1" } },
435 translate("Refuse connection if no custom client config"),
436 { server_mode="1" } },
440 translate("Temporary directory for client-connect return file"),
441 { server_mode="1" } },
445 translate("Set size of real and virtual address hash tables"),
446 { server_mode="1" } },
450 translate("Number of allocated broadcast buffers"),
451 { server_mode="1" } },
455 translate("Maximum number of queued TCP output packets"),
456 { server_mode="1" } },
460 translate("Allowed maximum of connected clients"),
461 { server_mode="1" } },
463 "max_routes_per_client",
465 translate("Allowed maximum of internal"),
466 { server_mode="1" } },
470 translate("Allowed maximum of new connections"),
471 { server_mode="1" } },
473 "client_cert_not_required",
475 translate("Don't require client certificate"),
476 { server_mode="1" } },
478 "username_as_common_name",
480 translate("Use username as common name"),
481 { server_mode="1" } },
485 translate("Configure client mode"),
486 { server_mode="0" }, { server_mode="" } },
490 translate("Accept options pushed from server"),
494 "/etc/openvpn/userpass.txt",
495 translate("Authenticate using username/password"),
499 { "none", "nointeract", "interact" },
500 translate("Handling of authentication failures"),
503 "explicit_exit_notify",
505 translate("Send notification to peer on disconnect"),
510 translate("Remote host name or ip address"),
515 translate("Randomly choose remote server"),
519 { "udp", "tcp-client", "tcp-server" },
520 translate("Use protocol"),
525 translate("Connection retry interval"),
526 { proto="tcp-client" }, { client="1" } },
529 "192.168.1.100 8080",
530 translate("Connect to remote host through an HTTP proxy"),
535 translate("Retry indefinitely on HTTP proxy errors"),
538 "http_proxy_timeout",
540 translate("Proxy timeout in seconds"),
544 { "VERSION 1.0", "AGENT OpenVPN/2.0.9" },
545 translate("Set extended HTTP proxy options"),
549 "192.168.1.200 1080",
550 translate("Connect through Socks5 proxy"),
552 -- client && socks_proxy
556 translate("Retry indefinitely on Socks proxy errors"),
561 translate("If hostname resolve fails, retry"),
565 { "", "local", "def1", "local def1" },
566 translate("Automatically redirect default route"),
573 "/etc/openvpn/secret.key",
574 translate("Enable Static Key encryption mode (non-TLS)") },
579 translate("HMAC authentication for packets") },
584 translate("Encryption cipher for packets") },
589 translate("Size of cipher key") },
594 translate("Enable OpenSSL hardware crypto engines") },
598 translate("Disable replay protection") },
602 translate("Replay protection sliding window size") },
604 "mute_replay_warnings",
606 translate("Silence the output of replay warnings") },
609 "/var/run/openvpn-replay-state",
610 translate("Persist replay-protection state") },
614 translate("Disable cipher initialisation vector") },
618 translate("Enable TLS and assume server role"),
619 { tls_client="" }, { tls_client="0" } },
623 translate("Enable TLS and assume client role"),
624 { tls_server="" }, { tls_server="0" } },
627 "/etc/easy-rsa/keys/ca.crt",
628 translate("Certificate authority") },
631 "/etc/easy-rsa/keys/dh1024.pem",
632 translate("Diffie Hellman parameters") },
635 "/etc/easy-rsa/keys/some-client.crt",
636 translate("Local certificate") },
639 "/etc/easy-rsa/keys/some-client.key",
640 translate("Local private key") },
643 "/etc/easy-rsa/keys/some-client.pk12",
644 translate("PKCS#12 file containing keys") },
648 translate("Enable TLS and assume client role") },
651 "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5",
652 translate("TLS cipher") },
656 translate("Retransmit timeout on TLS control channel") },
660 translate("Renegotiate data chan. key after bytes") },
664 translate("Renegotiate data chan. key after packets") },
668 translate("Renegotiate data chan. key after seconds") },
672 translate("Timeframe for key exchange") },
676 translate("Key transition window") },
680 translate("Allow only one session") },
684 translate("Exit on TLS negotiation failure") },
687 "/etc/openvpn/tlsauth.key",
688 translate("Additional authentication over TLS") },
692 -- translate("Get PEM password from controlling tty before we daemonize") },
696 translate("Don't cache --askpass or --auth-user-pass passwords") },
700 translate("Only accept connections from given X509 name") },
703 { "client", "server" },
704 translate("Require explicit designation on certificate") },
707 { "client", "server" },
708 translate("Require explicit key usage on certificate") },
711 "/etc/easy-rsa/keys/crl.pem",
712 translate("Check peer certificate against a CRL") },
716 translate("The lowest supported TLS version") },
720 translate("The highest supported TLS version") },
724 translate("The key direction for 'tls-auth' and 'secret' options") },
-- Advanced OpenVPN settings page: one CBI map over the "openvpn" UCI config.
local m = Map("openvpn")

-- Page-switcher section, rendered by the openvpn/pageswitch template.
local p = m:section(SimpleSection)
p.template = "openvpn/pageswitch"

-- arg[2] selects which option category is shown; a missing (or false) value
-- falls back to "Service". Presumably arg[] is filled by the URL dispatcher —
-- confirm against the caller.
local category = arg[2]
if not category then
	category = "Service"
end
p.category = category
740 for _, c in ipairs(knownParams) do
742 if c[1] == p.category then params = c[2] end
749 NamedSection, arg[1], "openvpn",
750 translate("%s" % arg[2])
-- Section heading: the category name (arg[2]) passed through translate().
-- NOTE(review): unlike p.category, no fallback is applied to a missing arg[2]
-- here, so a nil value reaches the "%" string formatting unguarded — confirm
-- the caller always supplies it.
local heading = "%s" % arg[2]
s.title = translate(heading)
758 for _, option in ipairs(params) do
760 option[1], option[2],
764 if option[1] == DummyValue then
767 if option[1] == DynamicList then
768 function o.cfgvalue(...)
769 local val = AbstractValue.cfgvalue(...)
770 return ( val and type(val) ~= "table" ) and { val } or val
776 if type(option[3]) == "table" then
777 if o.optional then o:value("", "-- remove --") end
778 for _, v in ipairs(option[3]) do
782 o.default = tostring(option[3][1])
784 o.default = tostring(option[3])
789 if type(option[i]) == "table" then