luci-app-openvpn: update tls_cipher list
-- Copyright 2008 Steven Barth <steven@midlink.org>
-- Licensed to the public under the Apache License 2.0.
-- nixio.fs is only needed by the FileUpload remove handler further down,
-- which checks (fs.access) and deletes (fs.unlink) the stored file path.
local fs = require("nixio.fs")
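-- Advanced OpenVPN option catalogue, grouped by category tab.
--
-- Each category is { id, translated title, { option, ... } }.
-- Each option is a positional record:
--	Widget          CBI widget class (ListValue, Flag, Value, DynamicList, FileUpload)
--	ID              UCI option name; also used as the field title in the form
--	Default(s)      scalar -> pre-filled form default; table -> selectable
--	                choices, the first of which becomes the form default
--	Description     translated help text
--	Option(s)       zero or more dependency tables handed to o:depends()
--
-- The defaults here are suggestions shown in the form, not the values
-- OpenVPN applies when an option is left unset.
local knownParams = {

	{ "service", translate("Service"), {
		-- initialisation and daemon options
		{ ListValue,
			"verb",
			{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 },
			translate("Set output verbosity") },
		{ Flag,
			"mlock",
			0,
			translate("Disable Paging") },
		{ Flag,
			"disable_occ",
			0,
			translate("Disable options consistency check") },
		-- { Value,
		--	"user",
		--	"root",
		--	translate("Set UID to user") },
		-- { Value,
		--	"group",
		--	"root",
		--	translate("Set GID to group") },
		{ Value,
			"cd",
			"/etc/openvpn",
			translate("Change to directory before initialization") },
		{ Value,
			"chroot",
			"/var/run",
			translate("Chroot to directory after initialization") },
		-- { Value,
		--	"daemon",
		--	"Instance-Name",
		--	translate("Daemonize after initialization") },
		-- { Value,
		--	"syslog",
		--	"Instance-Name",
		--	translate("Output to syslog and do not daemonize") },
		{ Flag,
			"passtos",
			0,
			translate("TOS passthrough (applies to IPv4 only)") },
		-- { Value,
		--	"inetd",
		--	"nowait Instance-Name",
		--	translate("Run as an inetd or xinetd server") },
		{ Value,
			"log",
			"/var/log/openvpn.log",
			translate("Write log to file") },
		{ Value,
			"log_append",
			"/var/log/openvpn.log",
			translate("Append log to file") },
		{ Flag,
			"suppress_timestamps",
			0,
			translate("Don't log timestamps") },
		-- { Value,
		--	"writepid",
		--	"/var/run/openvpn.pid",
		--	translate("Write process ID to file") },
		{ Value,
			"nice",
			0,
			translate("Change process priority") },
		{ Flag,
			"fast_io",
			0,
			translate("Optimize TUN/TAP/UDP writes") },
		{ Value,
			"echo",
			"some params echoed to log",
			translate("Echo parameters to log") },
		{ ListValue,
			"remap_usr1",
			{ "SIGHUP", "SIGTERM" },
			translate("Remap SIGUSR1 signals") },
		{ Value,
			"status",
			"/var/run/openvpn.status 5",
			translate("Write status to file every n seconds") },
		{ Value,
			"status_version",
			{ 1, 2 },
			translate("Status file format version") }, -- status
		{ Value,
			"mute",
			5,
			translate("Limit repeated log messages") },
		-- The hook paths below are executed by OpenVPN as external commands
		-- and only run when script_security (further down) permits it.
		{ Value,
			"up",
			"/usr/bin/ovpn-up",
			translate("Shell cmd to execute after tun device open") },
		{ Value,
			"up_delay",
			5,
			translate("Delay tun/tap open and up script execution") },
		{ Value,
			"down",
			"/usr/bin/ovpn-down",
			translate("Shell cmd to run after tun device close") },
		{ Flag,
			"down_pre",
			0,
			translate("Call down cmd/script before TUN/TAP close") },
		{ Flag,
			"up_restart",
			0,
			translate("Run up/down scripts for all restarts") },
		{ Value,
			"route_up",
			"/usr/bin/ovpn-routeup",
			translate("Execute shell cmd after routes are added") },
		{ Value,
			"ipchange",
			"/usr/bin/ovpn-ipchange",
			translate("Execute shell command on remote IP change"),
			{ mode="p2p" } },
		{ DynamicList,
			"setenv",
			{ "VAR1 value1", "VAR2 value2" },
			translate("Pass environment variables to script") },
		{ Value,
			"tls_verify",
			"/usr/bin/ovpn-tlsverify",
			translate("Shell command to verify X509 name") },
		{ Value,
			"client_connect",
			"/usr/bin/ovpn-clientconnect",
			translate("Run script cmd on client connection") },
		{ Value,
			"client_disconnect",
			"/usr/bin/ovpn-clientdisconnect",
			translate("Run script cmd on client disconnection") },
		{ Value,
			"learn_address",
			"/usr/bin/ovpn-learnaddress",
			translate("Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table") },
		{ Value,
			"auth_user_pass_verify",
			"/usr/bin/ovpn-userpass via-env",
			translate("Executed in server mode on new client connections, when the client is still untrusted") },
		-- Levels 2 and 3 allow the external hooks above to run; level 3
		-- additionally passes passwords to scripts through the environment.
		{ ListValue,
			"script_security",
			{ 0, 1, 2, 3 },
			translate("Policy level over usage of external programs and scripts") },
		{ ListValue,
			"compress",
			{ "lzo", "lz4" },
			translate("Enable a compression algorithm") },
	} },

	{ "networking", translate("Networking"), {
		-- socket config
		{ ListValue,
			"mode",
			{ "p2p", "server" },
			translate("Major mode") },
		{ Value,
			"local",
			"0.0.0.0",
			translate("Local host name or IP address") },
		{ Value,
			"port",
			1194,
			translate("TCP/UDP port # for both local and remote") },
		{ Value,
			"lport",
			1194,
			translate("TCP/UDP port # for local (default=1194)") },
		{ Value,
			"rport",
			1194,
			translate("TCP/UDP port # for remote (default=1194)") },
		{ Flag,
			"float",
			0,
			translate("Allow remote to change its IP or port") },
		{ Flag,
			"nobind",
			0,
			translate("Do not bind to local address and port") },
		{ Value,
			"dev",
			"tun0",
			translate("tun/tap device") },
		{ ListValue,
			"dev_type",
			{ "tun", "tap" },
			translate("Type of used device") },
		{ Value,
			"dev_node",
			"/dev/net/tun",
			translate("Use tun/tap device node") },
		{ Value,
			"ifconfig",
			"10.200.200.3 10.200.200.1",
			translate("Set tun/tap adapter parameters") },
		{ Flag,
			"ifconfig_noexec",
			0,
			translate("Don't actually execute ifconfig") },
		{ Flag,
			"ifconfig_nowarn",
			0,
			translate("Don't warn on ifconfig inconsistencies") },
		{ DynamicList,
			"route",
			"10.123.0.0 255.255.0.0",
			translate("Add route after establishing connection") },
		{ Value,
			"route_gateway",
			"10.234.1.1",
			translate("Specify a default gateway for routes") },
		{ Value,
			"route_delay",
			0,
			translate("Delay n seconds after connection") },
		{ Flag,
			"route_noexec",
			0,
			translate("Don't add routes automatically") },
		{ Flag,
			"route_nopull",
			0,
			translate("Don't pull routes automatically") },
		{ Flag,
			"allow_recursive_routing",
			0,
			translate("Don't drop incoming tun packets with same destination as host") },
		{ ListValue,
			"mtu_disc",
			{ "yes", "maybe", "no" },
			translate("Enable Path MTU discovery") },
		{ Flag,
			"mtu_test",
			0,
			translate("Empirically measure MTU") },
		{ ListValue,
			"comp_lzo",
			{ "yes", "no", "adaptive" },
			translate("Use fast LZO compression") },
		{ Flag,
			"comp_noadapt",
			0,
			translate("Don't use adaptive lzo compression"),
			{ comp_lzo=1 } },
		{ Value,
			"link_mtu",
			1500,
			translate("Set TCP/UDP MTU") },
		{ Value,
			"tun_mtu",
			1500,
			translate("Set tun/tap device MTU") },
		{ Value,
			"tun_mtu_extra",
			1500,
			translate("Set tun/tap device overhead") },
		{ Value,
			"fragment",
			1500,
			translate("Enable internal datagram fragmentation"),
			{ proto="udp" } },
		{ Value,
			"mssfix",
			1500,
			translate("Set upper bound on TCP MSS"),
			{ proto="udp" } },
		{ Value,
			"sndbuf",
			65536,
			translate("Set the TCP/UDP send buffer size") },
		{ Value,
			"rcvbuf",
			65536,
			translate("Set the TCP/UDP receive buffer size") },
		{ Value,
			"txqueuelen",
			100,
			translate("Set tun/tap TX queue length") },
		{ Value,
			"shaper",
			10240,
			translate("Shaping for peer bandwidth") },
		{ Value,
			"inactive",
			240,
			translate("tun/tap inactivity timeout") },
		{ Value,
			"keepalive",
			"10 60",
			translate("Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations") },
		{ Value,
			"ping",
			30,
			translate("Ping remote every n seconds over TCP/UDP port") },
		{ Value,
			"ping_exit",
			120,
			translate("Remote ping timeout") },
		{ Value,
			"ping_restart",
			60,
			translate("Restart after remote ping timeout") },
		{ Flag,
			"ping_timer_rem",
			0,
			translate("Only process ping timeouts if routes exist") },
		{ Flag,
			"persist_tun",
			0,
			translate("Keep tun/tap device open on restart") },
		{ Flag,
			"persist_key",
			0,
			translate("Don't re-read key on restart") },
		{ Flag,
			"persist_local_ip",
			0,
			translate("Keep local IP address on restart") },
		{ Flag,
			"persist_remote_ip",
			0,
			translate("Keep remote IP address on restart") },
		-- management channel
		-- The sample binds the management socket to loopback; binding it to
		-- any other address hands control of the daemon to that network.
		{ Value,
			"management",
			"127.0.0.1 31194 /etc/openvpn/mngmt-pwds",
			translate("Enable management interface on <em>IP</em> <em>port</em>") },
		-- management
		{ Flag,
			"management_query_passwords",
			0,
			translate("Query management channel for private key") },
		-- management
		{ Flag,
			"management_hold",
			0,
			translate("Start OpenVPN in a hibernating state") },
		-- management
		{ Value,
			"management_log_cache",
			100,
			translate("Number of lines for log file history") },
		{ ListValue,
			"topology",
			{ "net30", "p2p", "subnet" },
			translate("'net30', 'p2p', or 'subnet'"),
			{ dev_type="tun" } },
	} },

	{ "vpn", translate("VPN"), {
		{ Value,
			"server",
			"10.200.200.0 255.255.255.0",
			translate("Configure server mode"),
			{ client="0" }, { client="" } },
		{ Value,
			"server_bridge",
			"10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250",
			translate("Configure server bridge"),
			{ client="0" }, { client="" } },
		{ DynamicList,
			"push",
			{ "redirect-gateway", "comp-lzo" },
			translate("Push options to peer"),
			{ client="0" }, { client="" } },
		{ Flag,
			"push_reset",
			0,
			translate("Don't inherit global push options"),
			{ client="0" }, { client="" } },
		{ Flag,
			"disable",
			0,
			translate("Client is disabled"),
			{ client="0" }, { client="" } },
		{ Value,
			"ifconfig_pool",
			"10.200.200.100 10.200.200.150 255.255.255.0",
			translate("Set aside a pool of subnets"),
			{ client="0" }, { client="" } },
		{ Value,
			"ifconfig_pool_persist",
			"/etc/openvpn/ipp.txt 600",
			translate("Persist/unpersist ifconfig-pool"),
			{ client="0" }, { client="" } },
		{ Value,
			"ifconfig_push",
			"10.200.200.1 255.255.255.255",
			translate("Push an ifconfig option to remote"),
			{ client="0" }, { client="" } },
		{ Value,
			"iroute",
			"10.200.200.0 255.255.255.0",
			translate("Route subnet to client"),
			{ client="0" }, { client="" } },
		{ Flag,
			"client_to_client",
			0,
			translate("Allow client-to-client traffic"),
			{ client="0" }, { client="" } },
		{ Flag,
			"duplicate_cn",
			0,
			translate("Allow multiple clients with same certificate"),
			{ client="0" }, { client="" } },
		{ Value,
			"client_config_dir",
			"/etc/openvpn/ccd",
			translate("Directory for custom client config files"),
			{ client="0" }, { client="" } },
		{ Flag,
			"ccd_exclusive",
			0,
			translate("Refuse connection if no custom client config"),
			{ client="0" }, { client="" } },
		{ Value,
			"tmp_dir",
			"/var/run/openvpn",
			translate("Temporary directory for client-connect return file"),
			{ client="0" }, { client="" } },
		{ Value,
			"hash_size",
			"256 256",
			translate("Set size of real and virtual address hash tables"),
			{ client="0" }, { client="" } },
		{ Value,
			"bcast_buffers",
			256,
			translate("Number of allocated broadcast buffers"),
			{ client="0" }, { client="" } },
		{ Value,
			"tcp_queue_limit",
			64,
			translate("Maximum number of queued TCP output packets"),
			{ client="0" }, { client="" } },
		{ Value,
			"max_clients",
			10,
			translate("Allowed maximum of connected clients"),
			{ client="0" }, { client="" } },
		{ Value,
			"max_routes_per_client",
			256,
			translate("Allowed maximum of internal"),
			{ client="0" }, { client="" } },
		{ Value,
			"connect_freq",
			"3 10",
			translate("Allowed maximum of new connections"),
			{ client="0" }, { client="" } },
		{ Flag,
			"username_as_common_name",
			0,
			translate("Use username as common name"),
			{ client="0" }, { client="" } },
		{ Flag,
			"client",
			0,
			translate("Configure client mode") },
		{ Flag,
			"pull",
			0,
			translate("Accept options pushed from server"),
			{ client="1" } },
		{ FileUpload,
			"auth_user_pass",
			"/etc/openvpn/userpass.txt",
			translate("Authenticate using username/password"),
			{ client="1" } },
		{ ListValue,
			"auth_retry",
			{ "none", "nointeract", "interact" },
			translate("Handling of authentication failures"),
			{ client="1" } },
		{ Value,
			"explicit_exit_notify",
			1,
			translate("Send notification to peer on disconnect"),
			{ client="1" } },
		{ DynamicList,
			"remote",
			"1.2.3.4",
			translate("Remote host name or IP address") },
		{ Flag,
			"remote_random",
			0,
			translate("Randomly choose remote server"),
			{ client="1" } },
		{ ListValue,
			"proto",
			{ "udp", "tcp-client", "tcp-server" },
			translate("Use protocol"),
			{ client="1" } },
		{ Value,
			"connect_retry",
			5,
			translate("Connection retry interval"),
			{ proto="tcp-client" }, { client="1" } },
		{ Value,
			"http_proxy",
			"192.168.1.100 8080",
			translate("Connect to remote host through an HTTP proxy"),
			{ client="1" } },
		{ Flag,
			"http_proxy_retry",
			0,
			translate("Retry indefinitely on HTTP proxy errors"),
			{ client="1" } },
		{ Value,
			"http_proxy_timeout",
			5,
			translate("Proxy timeout in seconds"),
			{ client="1" } },
		{ DynamicList,
			"http_proxy_option",
			{ "VERSION 1.0", "AGENT OpenVPN/2.0.9" },
			translate("Set extended HTTP proxy options"),
			{ client="1" } },
		{ Value,
			"socks_proxy",
			"192.168.1.200 1080",
			translate("Connect through Socks5 proxy"),
			{ client="1" } },
		-- client && socks_proxy
		{ Value,
			"socks_proxy_retry",
			5,
			translate("Retry indefinitely on Socks proxy errors"),
			{ client="1" } },
		{ Value,
			"resolv_retry",
			"infinite",
			translate("If hostname resolve fails, retry"),
			{ client="1" } },
		{ ListValue,
			"redirect_gateway",
			{ "", "local", "def1", "local def1" },
			translate("Automatically redirect default route"),
			{ client="1" } },
		-- "none" accepts peers that present no certificate at all, so some
		-- other form of client authentication must then be configured.
		{ Value,
			"verify_client_cert",
			{ "none", "optional", "require" },
			translate("Specify whether the client is required to supply a valid certificate") },
	} },

	{ "cryptography", translate("Cryptography"), {
		{ FileUpload,
			"secret",
			"/etc/openvpn/secret.key",
			translate("Enable Static Key encryption mode (non-TLS)") },
		-- parse
		-- Pre-filled value only; SHA256 or stronger is the usual
		-- recommendation for new deployments.
		{ Value,
			"auth",
			"SHA1",
			translate("HMAC authentication for packets") },
		-- parse
		-- NOTE(review): the choices mirror OpenSSL cipher names and still
		-- include 64-bit block ciphers (BF, CAST5, DES*, RC2). The AES-GCM
		-- entries are the ones to steer users towards; trim the rest once
		-- the targeted OpenVPN build no longer offers them.
		{ Value,
			"cipher",
			{
				"AES-128-CBC",
				"AES-128-CFB",
				"AES-128-CFB1",
				"AES-128-CFB8",
				"AES-128-GCM",
				"AES-128-OFB",
				"AES-192-CBC",
				"AES-192-CFB",
				"AES-192-CFB1",
				"AES-192-CFB8",
				"AES-192-GCM",
				"AES-192-OFB",
				"AES-256-CBC",
				"AES-256-CFB",
				"AES-256-CFB1",
				"AES-256-CFB8",
				"AES-256-GCM",
				"AES-256-OFB",
				"BF-CBC",
				"BF-CFB",
				"BF-OFB",
				"CAST5-CBC",
				"CAST5-CFB",
				"CAST5-OFB",
				"DES-CBC",
				"DES-CFB",
				"DES-CFB1",
				"DES-CFB8",
				"DES-EDE-CBC",
				"DES-EDE-CFB",
				"DES-EDE-OFB",
				"DES-EDE3-CBC",
				"DES-EDE3-CFB",
				"DES-EDE3-CFB1",
				"DES-EDE3-CFB8",
				"DES-EDE3-OFB",
				"DES-OFB",
				"DESX-CBC",
				"RC2-40-CBC",
				"RC2-64-CBC",
				"RC2-CBC",
				"RC2-CFB",
				"RC2-OFB"
			},
			translate("Encryption cipher for packets") },
		-- parse
		-- NOTE(review): --keysize only applies to variable-key-length
		-- ciphers and is deprecated in newer OpenVPN releases; confirm the
		-- sample value against the targeted version.
		{ Value,
			"keysize",
			1024,
			translate("Size of cipher key") },
		-- parse
		{ Value,
			"engine",
			"dynamic",
			translate("Enable OpenSSL hardware crypto engines") },
		{ Value,
			"replay_window",
			"64 15",
			translate("Replay protection sliding window size") },
		{ Flag,
			"mute_replay_warnings",
			0,
			translate("Silence the output of replay warnings") },
		{ Value,
			"replay_persist",
			"/var/run/openvpn-replay-state",
			translate("Persist replay-protection state") },
		{ Flag,
			"tls_server",
			0,
			translate("Enable TLS and assume server role"),
			{ tls_client="" }, { tls_client="0" } },
		{ Flag,
			"tls_client",
			0,
			translate("Enable TLS and assume client role"),
			{ tls_server="" }, { tls_server="0" } },
		{ FileUpload,
			"ca",
			"/etc/easy-rsa/keys/ca.crt",
			translate("Certificate authority") },
		-- Sample path only; 1024-bit DH parameters are below current
		-- recommendations (2048-bit or larger).
		{ FileUpload,
			"dh",
			"/etc/easy-rsa/keys/dh1024.pem",
			translate("Diffie-Hellman parameters") },
		{ FileUpload,
			"cert",
			"/etc/easy-rsa/keys/some-client.crt",
			translate("Local certificate") },
		{ FileUpload,
			"key",
			"/etc/easy-rsa/keys/some-client.key",
			translate("Local private key") },
		{ FileUpload,
			"pkcs12",
			"/etc/easy-rsa/keys/some-client.pk12",
			translate("PKCS#12 file containing keys") },
		-- Description corrected: it previously duplicated the tls_client text.
		{ ListValue,
			"key_method",
			{ 1, 2 },
			translate("Data channel key negotiation method") },
		-- Suggested control-channel suites for TLS 1.2 and below, AEAD
		-- suites first and CBC/SHA1 suites last; the order here only
		-- determines the display order of the suggestions.
		{ DynamicList,
			"tls_cipher",
			{
				"TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384",
				"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
				"TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
				"TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256",
				"TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
				"TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256",
				"TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256",
				"TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256",
				"TLS-DHE-RSA-WITH-AES-128-GCM-SHA256",
				"TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384",
				"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384",
				"TLS-DHE-RSA-WITH-AES-256-CBC-SHA256",
				"TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256",
				"TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256",
				"TLS-DHE-RSA-WITH-AES-128-CBC-SHA256",
				"TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA",
				"TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA",
				"TLS-DHE-RSA-WITH-AES-256-CBC-SHA",
				"TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA",
				"TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA",
				"TLS-DHE-RSA-WITH-AES-128-CBC-SHA"
			},
			translate("TLS cipher") },
		{ DynamicList,
			"tls_ciphersuites",
			{
				"TLS_AES_256_GCM_SHA384",
				"TLS_AES_128_GCM_SHA256",
				"TLS_CHACHA20_POLY1305_SHA256"
			},
			translate("TLS 1.3 or newer cipher") },
		{ Value,
			"tls_timeout",
			2,
			translate("Retransmit timeout on TLS control channel") },
		{ Value,
			"reneg_bytes",
			1024,
			translate("Renegotiate data chan. key after bytes") },
		{ Value,
			"reneg_pkts",
			100,
			translate("Renegotiate data chan. key after packets") },
		{ Value,
			"reneg_sec",
			3600,
			translate("Renegotiate data chan. key after seconds") },
		{ Value,
			"hand_window",
			60,
			translate("Timeframe for key exchange") },
		{ Value,
			"tran_window",
			3600,
			translate("Key transition window") },
		{ Flag,
			"single_session",
			0,
			translate("Allow only one session") },
		{ Flag,
			"tls_exit",
			0,
			translate("Exit on TLS negotiation failure") },
		{ Value,
			"tls_auth",
			"/etc/openvpn/tlsauth.key",
			translate("Additional authentication over TLS") },
		{ Value,
			"tls_crypt",
			"/etc/openvpn/tlscrypt.key",
			translate("Encrypt and authenticate all control channel packets with the key") },
		-- { Value,
		--	"askpass",
		--	"[file]",
		--	translate("Get PEM password from controlling tty before we daemonize") },
		{ Flag,
			"auth_nocache",
			0,
			translate("Don't cache --askpass or --auth-user-pass passwords") },
		{ Value,
			"tls_remote",
			"remote_x509_name",
			translate("Only accept connections from given X509 name") },
		-- NOTE(review): ns-cert-type was deprecated in OpenVPN 2.4 and
		-- removed in 2.5; remote_cert_tls below is the replacement.
		{ ListValue,
			"ns_cert_type",
			{ "client", "server" },
			translate("Require explicit designation on certificate") },
		{ ListValue,
			"remote_cert_tls",
			{ "client", "server" },
			translate("Require explicit key usage on certificate") },
		{ Value,
			"crl_verify",
			"/etc/easy-rsa/keys/crl.pem",
			translate("Check peer certificate against a CRL") },
		-- Pre-filled value only; TLS 1.0 and 1.1 are deprecated (RFC 8996),
		-- so 1.2 is the sensible floor for new setups.
		{ Value,
			"tls_version_min",
			"1.0",
			translate("The lowest supported TLS version") },
		{ Value,
			"tls_version_max",
			"1.2",
			translate("The highest supported TLS version") },
		{ ListValue,
			"key_direction",
			{ 0, 1 },
			translate("The key direction for 'tls-auth' and 'secret' options") },
		{ Flag,
			"ncp_disable",
			0,
			translate("This completely disables cipher negotiation") },
		{ Value,
			"ncp_ciphers",
			"AES-256-GCM:AES-128-GCM",
			translate("Restrict the allowed ciphers to be negotiated") },
	} }
}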
-- Page state: the category tab list, the option table of the selected
-- category and its display title (the latter two are filled by the loop below).
local cts, params, title = {}, {}, ""

local m = Map("openvpn")
m.redirect = luci.dispatcher.build_url("admin", "vpn", "openvpn")
m.apply_on_parse = true

-- Category switcher: arg[1] is the instance name, arg[2] the requested
-- category; the first category in knownParams is the fallback.
local p = m:section(SimpleSection)
p.template = "openvpn/pageswitch"
p.mode = "advanced"
p.instance = arg[1]
p.category = arg[2] or knownParams[1][1]

for _, category in ipairs(knownParams) do
	local id, name, options = category[1], category[2], category[3]
	table.insert(cts, { id = id, title = name })
	-- An unknown category leaves title/params at their empty defaults.
	if id == p.category then
		title, params = name, options
	end
end

p.categories = cts
-- Option section for the selected instance, titled after the chosen category.
local s = m:section(NamedSection, arg[1], "openvpn", title)
s.addremove = false
s.anonymous = true
-- Submitted value of the free-text box that accompanies a FileUpload field.
local function textbox_formvalue(self, section)
	return luci.http.formvalue("cbid."..self.map.config.."."..section.."."..self.option..".textbox")
end

-- Instantiate one CBI field per option record of the selected category.
for _, option in ipairs(params) do
	local widget, id, default, desc = option[1], option[2], option[3], option[4]
	-- The UCI option name doubles as the field title.
	local o = s:option(widget, id, id, desc)
	o.optional = true

	if widget == DummyValue then
		o.value = default
	elseif widget == FileUpload then
		o.initial_directory = "/etc/openvpn"

		o.cfgvalue = function(self, section)
			local cfg_val = AbstractValue.cfgvalue(self, section)
			if cfg_val then
				return cfg_val
			end
		end

		-- The uploaded file takes precedence over a path typed into the text box.
		o.formvalue = function(self, section)
			local sel_val = AbstractValue.formvalue(self, section)
			local txt_val = textbox_formvalue(self, section)
			if sel_val and sel_val ~= "" then
				return sel_val
			elseif txt_val and txt_val ~= "" then
				return txt_val
			end
		end

		-- NOTE(review): the file deleted here is whatever path the UCI
		-- option currently holds; it is not restricted to initial_directory.
		o.remove = function(self, section)
			local cfg_val = AbstractValue.cfgvalue(self, section)
			local txt_val = textbox_formvalue(self, section)
			if cfg_val and fs.access(cfg_val) and txt_val == "" then
				fs.unlink(cfg_val)
			end
			return AbstractValue.remove(self, section)
		end
	elseif widget == Flag then
		o.default = nil
	else
		if widget == DynamicList then
			-- Normalise a single stored value to a one-element list.
			o.cfgvalue = function(...)
				local val = AbstractValue.cfgvalue(...)
				if val and type(val) ~= "table" then
					return { val }
				end
				return val
			end
		end

		-- A table of defaults becomes the choice list, its first entry the
		-- form default; a scalar is the form default itself.
		if type(default) == "table" then
			if o.optional then
				o:value("", "-- remove --")
			end
			for _, choice in ipairs(default) do
				o:value(tostring(choice))
			end
			o.default = tostring(default[1])
		else
			o.default = tostring(default)
		end
	end

	-- Fields 5.. of the record are dependency tables.
	for i = 5, #option do
		local dep = option[i]
		if type(dep) == "table" then
			o:depends(dep)
		end
	end
end

return m