[luci-app-openvpn] Fixed ivalid checks for parameters in VPN tab.
1 -- Copyright 2008 Steven Barth <steven@midlink.org>
2 -- Licensed to the public under the Apache License 2.0.
3
4 require("luci.ip")
5 require("luci.model.uci")
6
7
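-- Catalogue of the OpenVPN options this advanced page can expose, grouped by
-- tab.  Each option entry has the shape
--
--   { Widget, Name, Default(s), Description, Depends... }
--
--   Widget       CBI widget class (Flag, Value, ListValue, DynamicList,
--                FileUpload); DummyValue is also understood by the builder
--   Name         UCI option name in the "openvpn" config section (underscore
--                form of the OpenVPN directive; the mapping to the dashed
--                command-line form happens outside this file)
--   Default(s)   value pre-filled when the user enables the option; a table
--                is offered as a list of choices and its first element is
--                the default
--   Description  translated help text shown next to the widget
--   Depends...   zero or more tables handed to o:depends() one by one
--                (NOTE(review): CBI treats several depends() calls as
--                alternatives, and keys inside one table as a conjunction)
--
-- Defaults are only suggestions; they are written to UCI only if the user
-- keeps the option enabled.  Security-sensitive defaults are annotated below.
local knownParams = {

	{ "Service", {
		-- initialisation and daemon options
		{ ListValue,
			"verb",
			{ 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 },
			translate("Set output verbosity") },
		{ Flag,
			"mlock",
			0,
			translate("Disable Paging") },
		-- Disabling the options consistency check hides mismatches between
		-- peers (e.g. cipher/auth) that would otherwise be reported.
		{ Flag,
			"disable_occ",
			0,
			translate("Disable options consistency check") },
		-- { Value,
		--	"user",
		--	"root",
		--	translate("Set UID to user") },
		-- { Value,
		--	"group",
		--	"root",
		--	translate("Set GID to group") },
		{ Value,
			"cd",
			"/etc/openvpn",
			translate("Change to directory before initialization") },
		{ Value,
			"chroot",
			"/var/run",
			translate("Chroot to directory after initialization") },
		-- { Value,
		--	"daemon",
		--	"Instance-Name",
		--	translate("Daemonize after initialization") },
		-- { Value,
		--	"syslog",
		--	"Instance-Name",
		--	translate("Output to syslog and do not daemonize") },
		{ Flag,
			"passtos",
			0,
			translate("TOS passthrough (applies to IPv4 only)") },
		-- { Value,
		--	"inetd",
		--	"nowait Instance-Name",
		--	translate("Run as an inetd or xinetd server") },
		{ Value,
			"log",
			"/var/log/openvpn.log",
			translate("Write log to file") },
		{ Value,
			"log_append",
			"/var/log/openvpn.log",
			translate("Append log to file") },
		{ Flag,
			"suppress_timestamps",
			0,
			translate("Don't log timestamps") },
		-- { Value,
		--	"writepid",
		--	"/var/run/openvpn.pid",
		--	translate("Write process ID to file") },
		{ Value,
			"nice",
			0,
			translate("Change process priority") },
		{ Flag,
			"fast_io",
			0,
			translate("Optimize TUN/TAP/UDP writes") },
		{ Value,
			"echo",
			"some params echoed to log",
			translate("Echo parameters to log") },
		{ ListValue,
			"remap_usr1",
			{ "SIGHUP", "SIGTERM" },
			translate("Remap SIGUSR1 signals") },
		{ Value,
			"status",
			"/var/run/openvpn.status 5",
			translate("Write status to file every n seconds") },
		-- Kept as a free-text Value with suggested choices (see builder).
		{ Value,
			"status_version",
			{ 1, 2 },
			translate("Status file format version") }, -- status
		{ Value,
			"mute",
			5,
			translate("Limit repeated log messages") },

		-- Script hooks.  Every path below is executed by OpenVPN, so it
		-- should live on a root-owned, non-writable filesystem.
		{ Value,
			"up",
			"/usr/bin/ovpn-up",
			translate("Shell cmd to execute after tun device open") },
		{ Value,
			"up_delay",
			5,
			translate("Delay tun/tap open and up script execution") },
		{ Value,
			"down",
			"/usr/bin/ovpn-down",
			translate("Shell cmd to run after tun device close") },
		{ Flag,
			"down_pre",
			0,
			translate("Call down cmd/script before TUN/TAP close") },
		{ Flag,
			"up_restart",
			0,
			translate("Run up/down scripts for all restarts") },
		{ Value,
			"route_up",
			"/usr/bin/ovpn-routeup",
			translate("Execute shell cmd after routes are added") },
		{ Value,
			"ipchange",
			"/usr/bin/ovpn-ipchange",
			translate("Execute shell command on remote ip change"),
			{ mode="p2p" } },
		{ DynamicList,
			"setenv",
			{ "VAR1 value1", "VAR2 value2" },
			translate("Pass environment variables to script") },
		{ Value,
			"tls_verify",
			"/usr/bin/ovpn-tlsverify",
			translate("Shell command to verify X509 name") },
		{ Value,
			"client_connect",
			"/usr/bin/ovpn-clientconnect",
			translate("Run script cmd on client connection") },
		-- Fixed: this takes a command path like client_connect, not a
		-- boolean; as a Flag it would have emitted a bare "1".
		{ Value,
			"client_disconnect",
			"/usr/bin/ovpn-clientdisconnect",
			translate("Run script cmd on client disconnection") },
		{ Value,
			"learn_address",
			"/usr/bin/ovpn-learnaddress",
			translate("Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table") },
		-- Suggest the via-file method: via-env hands the client password
		-- to the script through the process environment (and needs
		-- script_security 3), which exposes it to other processes.
		{ Value,
			"auth_user_pass_verify",
			"/usr/bin/ovpn-userpass via-file",
			translate("Executed in server mode on new client connections, when the client is still untrusted") },
		-- 0 = no external programs, 1 = built-in executables only,
		-- 2 = user scripts, 3 = also pass passwords via environment.
		{ ListValue,
			"script_security",
			{ 0, 1, 2, 3 },
			translate("Policy level over usage of external programs and scripts") },
	} },

	{ "Networking", {
		-- socket config
		{ ListValue,
			"mode",
			{ "p2p", "server" },
			translate("Major mode") },
		{ Value,
			"local",
			"0.0.0.0",
			translate("Local host name or ip address") },
		{ Value,
			"port",
			1194,
			translate("TCP/UDP port # for both local and remote") },
		{ Value,
			"lport",
			1194,
			translate("TCP/UDP port # for local (default=1194)") },
		{ Value,
			"rport",
			1194,
			translate("TCP/UDP port # for remote (default=1194)") },
		{ Flag,
			"float",
			0,
			translate("Allow remote to change its IP or port") },
		{ Flag,
			"nobind",
			0,
			translate("Do not bind to local address and port") },
		{ Value,
			"dev",
			"tun0",
			translate("tun/tap device") },
		{ ListValue,
			"dev_type",
			{ "tun", "tap" },
			translate("Type of used device") },
		{ Value,
			"dev_node",
			"/dev/net/tun",
			translate("Use tun/tap device node") },
		{ Flag,
			"tun_ipv6",
			0,
			translate("Make tun device IPv6 capable") },
		{ Value,
			"ifconfig",
			"10.200.200.3 10.200.200.1",
			translate("Set tun/tap adapter parameters") },
		{ Flag,
			"ifconfig_noexec",
			0,
			translate("Don't actually execute ifconfig") },
		{ Flag,
			"ifconfig_nowarn",
			0,
			translate("Don't warn on ifconfig inconsistencies") },
		{ DynamicList,
			"route",
			"10.123.0.0 255.255.0.0",
			translate("Add route after establishing connection") },
		{ Value,
			"route_gateway",
			"10.234.1.1",
			translate("Specify a default gateway for routes") },
		{ Value,
			"route_delay",
			0,
			translate("Delay n seconds after connection") },
		{ Flag,
			"route_noexec",
			0,
			translate("Don't add routes automatically") },
		{ Flag,
			"route_nopull",
			0,
			translate("Don't pull routes automatically") },
		{ ListValue,
			"mtu_disc",
			{ "yes", "maybe", "no" },
			translate("Enable Path MTU discovery") },
		{ Flag,
			"mtu_test",
			0,
			translate("Empirically measure MTU") },
		{ ListValue,
			"comp_lzo",
			{ "yes", "no", "adaptive" },
			translate("Use fast LZO compression") },
		-- Fixed: comp_lzo only ever holds "yes"/"no"/"adaptive", so the
		-- former dependency on comp_lzo=1 could never be satisfied and the
		-- option was unreachable.  Offer it whenever compression is on.
		{ Flag,
			"comp_noadapt",
			0,
			translate("Don't use adaptive lzo compression"),
			{ comp_lzo="yes" }, { comp_lzo="adaptive" } },
		{ Value,
			"link_mtu",
			1500,
			translate("Set TCP/UDP MTU") },
		{ Value,
			"tun_mtu",
			1500,
			translate("Set tun/tap device MTU") },
		{ Value,
			"tun_mtu_extra",
			1500,
			translate("Set tun/tap device overhead") },
		{ Value,
			"fragment",
			1500,
			translate("Enable internal datagram fragmentation"),
			{ proto="udp" } },
		{ Value,
			"mssfix",
			1500,
			translate("Set upper bound on TCP MSS"),
			{ proto="udp" } },
		{ Value,
			"sndbuf",
			65536,
			translate("Set the TCP/UDP send buffer size") },
		{ Value,
			"rcvbuf",
			65536,
			translate("Set the TCP/UDP receive buffer size") },
		{ Value,
			"txqueuelen",
			100,
			translate("Set tun/tap TX queue length") },
		{ Value,
			"shaper",
			10240,
			translate("Shaping for peer bandwidth") },
		{ Value,
			"inactive",
			240,
			translate("tun/tap inactivity timeout") },
		{ Value,
			"keepalive",
			"10 60",
			translate("Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations") },
		{ Value,
			"ping",
			30,
			translate("Ping remote every n seconds over TCP/UDP port") },
		{ Value,
			"ping_exit",
			120,
			translate("Remote ping timeout") },
		{ Value,
			"ping_restart",
			60,
			translate("Restart after remote ping timeout") },
		{ Flag,
			"ping_timer_rem",
			0,
			translate("Only process ping timeouts if routes exist") },
		{ Flag,
			"persist_tun",
			0,
			translate("Keep tun/tap device open on restart") },
		{ Flag,
			"persist_key",
			0,
			translate("Don't re-read key on restart") },
		{ Flag,
			"persist_local_ip",
			0,
			translate("Keep local IP address on restart") },
		{ Flag,
			"persist_remote_ip",
			0,
			translate("Keep remote IP address on restart") },

		-- management channel: the suggested default binds to loopback and
		-- names a password file; keep it that way, the management socket
		-- can control the daemon.
		{ Value,
			"management",
			"127.0.0.1 31194 /etc/openvpn/mngmt-pwds",
			translate("Enable management interface on <em>IP</em> <em>port</em>") },
		-- management
		{ Flag,
			"management_query_passwords",
			0,
			translate("Query management channel for private key") },
		-- management
		{ Flag,
			"management_hold",
			0,
			translate("Start OpenVPN in a hibernating state") },
		-- management
		{ Value,
			"management_log_cache",
			100,
			translate("Number of lines for log file history") },
		{ ListValue,
			"topology",
			{ "net30", "p2p", "subnet" },
			translate("'net30', 'p2p', or 'subnet'"),
			{ dev_type="tun" } },
	} },

	{ "VPN", {
		-- Server-side options: shown while the "client" flag is unset
		-- (either stored as "0" or absent, hence the two alternatives).
		{ Value,
			"server",
			"10.200.200.0 255.255.255.0",
			translate("Configure server mode"),
			{ client="0" }, { client="" } },
		{ Value,
			"server_bridge",
			"10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250",
			translate("Configure server bridge"),
			{ client="0" }, { client="" } },
		{ DynamicList,
			"push",
			{ "redirect-gateway", "comp-lzo" },
			translate("Push options to peer"),
			{ client="0" }, { client="" } },
		{ Flag,
			"push_reset",
			0,
			translate("Don't inherit global push options"),
			{ client="0" }, { client="" } },
		{ Flag,
			"disable",
			0,
			translate("Client is disabled"),
			{ client="0" }, { client="" } },
		{ Value,
			"ifconfig_pool",
			"10.200.200.100 10.200.200.150 255.255.255.0",
			translate("Set aside a pool of subnets"),
			{ client="0" }, { client="" } },
		{ Value,
			"ifconfig_pool_persist",
			"/etc/openvpn/ipp.txt 600",
			translate("Persist/unpersist ifconfig-pool"),
			{ client="0" }, { client="" } },
		-- deprecated and replaced by --topology p2p
		-- { Flag,
		--	"ifconfig_pool_linear",
		--	0,
		--	translate("Use individual addresses rather than /30 subnets"),
		--	{ client="0" }, { client="" } },
		{ Value,
			"ifconfig_push",
			"10.200.200.1 255.255.255.255",
			translate("Push an ifconfig option to remote"),
			{ client="0" }, { client="" } },
		{ Value,
			"iroute",
			"10.200.200.0 255.255.255.0",
			translate("Route subnet to client"),
			{ client="0" }, { client="" } },
		{ Flag,
			"client_to_client",
			0,
			translate("Allow client-to-client traffic"),
			{ client="0" }, { client="" } },
		-- Lets several clients share one certificate, which defeats
		-- per-client revocation; leave off unless deliberately wanted.
		{ Flag,
			"duplicate_cn",
			0,
			translate("Allow multiple clients with same certificate"),
			{ client="0" }, { client="" } },
		{ Value,
			"client_config_dir",
			"/etc/openvpn/ccd",
			translate("Directory for custom client config files"),
			{ client="0" }, { client="" } },
		{ Flag,
			"ccd_exclusive",
			0,
			translate("Refuse connection if no custom client config"),
			{ client="0" }, { client="" } },
		{ Value,
			"tmp_dir",
			"/var/run/openvpn",
			translate("Temporary directory for client-connect return file"),
			{ client="0" }, { client="" } },
		{ Value,
			"hash_size",
			"256 256",
			translate("Set size of real and virtual address hash tables"),
			{ client="0" }, { client="" } },
		{ Value,
			"bcast_buffers",
			256,
			translate("Number of allocated broadcast buffers"),
			{ client="0" }, { client="" } },
		{ Value,
			"tcp_queue_limit",
			64,
			translate("Maximum number of queued TCP output packets"),
			{ client="0" }, { client="" } },
		{ Value,
			"max_clients",
			10,
			translate("Allowed maximum of connected clients"),
			{ client="0" }, { client="" } },
		-- Fixed: the description was cut off mid-sentence.
		{ Value,
			"max_routes_per_client",
			256,
			translate("Allowed maximum of internal routes per client"),
			{ client="0" }, { client="" } },
		{ Value,
			"connect_freq",
			"3 10",
			translate("Allowed maximum of new connections"),
			{ client="0" }, { client="" } },
		-- Drops certificate authentication of clients entirely; only
		-- meaningful together with auth_user_pass_verify.
		{ Flag,
			"client_cert_not_required",
			0,
			translate("Don't require client certificate"),
			{ client="0" }, { client="" } },
		{ Flag,
			"username_as_common_name",
			0,
			translate("Use username as common name"),
			{ client="0" }, { client="" } },

		-- Client-side options: the "client" flag itself has no dependency,
		-- everything after it is shown only while it is set.
		{ Flag,
			"client",
			0,
			translate("Configure client mode") },
		{ Flag,
			"pull",
			0,
			translate("Accept options pushed from server"),
			{ client="1" } },
		-- The referenced file holds a cleartext password; it must not be
		-- readable by anyone but root.
		{ Value,
			"auth_user_pass",
			"/etc/openvpn/userpass.txt",
			translate("Authenticate using username/password"),
			{ client="1" } },
		{ ListValue,
			"auth_retry",
			{ "none", "nointeract", "interact" },
			translate("Handling of authentication failures"),
			{ client="1" } },
		{ Value,
			"explicit_exit_notify",
			1,
			translate("Send notification to peer on disconnect"),
			{ client="1" } },
		{ DynamicList,
			"remote",
			"1.2.3.4",
			translate("Remote host name or ip address"),
			{ client="1" } },
		{ Flag,
			"remote_random",
			0,
			translate("Randomly choose remote server"),
			{ client="1" } },
		{ ListValue,
			"proto",
			{ "udp", "tcp-client", "tcp-server" },
			translate("Use protocol"),
			{ client="1" } },
		{ Value,
			"connect_retry",
			5,
			translate("Connection retry interval"),
			{ proto="tcp-client" }, { client="1" } },
		{ Value,
			"http_proxy",
			"192.168.1.100 8080",
			translate("Connect to remote host through an HTTP proxy"),
			{ client="1" } },
		{ Flag,
			"http_proxy_retry",
			0,
			translate("Retry indefinitely on HTTP proxy errors"),
			{ client="1" } },
		{ Value,
			"http_proxy_timeout",
			5,
			translate("Proxy timeout in seconds"),
			{ client="1" } },
		{ DynamicList,
			"http_proxy_option",
			{ "VERSION 1.0", "AGENT OpenVPN/2.0.9" },
			translate("Set extended HTTP proxy options"),
			{ client="1" } },
		{ Value,
			"socks_proxy",
			"192.168.1.200 1080",
			translate("Connect through Socks5 proxy"),
			{ client="1" } },
		-- client && socks_proxy
		-- Fixed: this is a boolean switch like http_proxy_retry, not a
		-- count; a Value would have emitted a stray argument.
		{ Flag,
			"socks_proxy_retry",
			0,
			translate("Retry indefinitely on Socks proxy errors"),
			{ client="1" } },
		{ Value,
			"resolv_retry",
			"infinite",
			translate("If hostname resolve fails, retry"),
			{ client="1" } },
		{ ListValue,
			"redirect_gateway",
			{ "", "local", "def1", "local def1" },
			translate("Automatically redirect default route"),
			{ client="1" } },
	} },

	{ "Cryptography", {
		{ FileUpload,
			"secret",
			"/etc/openvpn/secret.key",
			translate("Enable Static Key encryption mode (non-TLS)") },
		-- parse
		-- Suggested defaults below were modernised: SHA1/Blowfish were the
		-- historical OpenVPN defaults but are no longer recommended.
		{ Value,
			"auth",
			"SHA256",
			translate("HMAC authentication for packets") },
		-- parse
		{ Value,
			"cipher",
			"AES-256-CBC",
			translate("Encryption cipher for packets") },
		-- parse
		-- NOTE(review): keysize is given in bits and must be valid for the
		-- chosen cipher; 1024 is only a placeholder, confirm before relying
		-- on it.
		{ Value,
			"keysize",
			1024,
			translate("Size of cipher key") },
		-- parse
		{ Value,
			"engine",
			"dynamic",
			translate("Enable OpenSSL hardware crypto engines") },
		-- Turning off replay protection or the IV weakens the data channel;
		-- both are exposed for completeness only.
		{ Flag,
			"no_replay",
			0,
			translate("Disable replay protection") },
		{ Value,
			"replay_window",
			"64 15",
			translate("Replay protection sliding window size") },
		{ Flag,
			"mute_replay_warnings",
			0,
			translate("Silence the output of replay warnings") },
		{ Value,
			"replay_persist",
			"/var/run/openvpn-replay-state",
			translate("Persist replay-protection state") },
		{ Flag,
			"no_iv",
			0,
			translate("Disable cipher initialisation vector") },
		-- tls_server / tls_client are mutually exclusive; each is offered
		-- only while the other is unset or stored as "0".
		{ Flag,
			"tls_server",
			0,
			translate("Enable TLS and assume server role"),
			{ tls_client="" }, { tls_client="0" } },
		{ Flag,
			"tls_client",
			0,
			translate("Enable TLS and assume client role"),
			{ tls_server="" }, { tls_server="0" } },
		{ FileUpload,
			"ca",
			"/etc/easy-rsa/keys/ca.crt",
			translate("Certificate authority") },
		-- 1024-bit DH groups are considered too weak; suggest 2048.
		{ FileUpload,
			"dh",
			"/etc/easy-rsa/keys/dh2048.pem",
			translate("Diffie Hellman parameters") },
		{ FileUpload,
			"cert",
			"/etc/easy-rsa/keys/some-client.crt",
			translate("Local certificate") },
		{ FileUpload,
			"key",
			"/etc/easy-rsa/keys/some-client.key",
			translate("Local private key") },
		{ FileUpload,
			"pkcs12",
			"/etc/easy-rsa/keys/some-client.pk12",
			translate("PKCS#12 file containing keys") },
		-- Fixed: the description had been copy-pasted from tls_client.
		{ ListValue,
			"key_method",
			{ 1, 2 },
			translate("Data channel key negotiation method") },
		-- Suggested TLS cipher list restricted to AES suites; the former
		-- default also listed RC4, single DES, 3DES and export-grade
		-- suites, which no current deployment should accept.
		{ Value,
			"tls_cipher",
			"DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA",
			translate("TLS cipher") },
		{ Value,
			"tls_timeout",
			2,
			translate("Retransmit timeout on TLS control channel") },
		{ Value,
			"reneg_bytes",
			1024,
			translate("Renegotiate data chan. key after bytes") },
		{ Value,
			"reneg_pkts",
			100,
			translate("Renegotiate data chan. key after packets") },
		{ Value,
			"reneg_sec",
			3600,
			translate("Renegotiate data chan. key after seconds") },
		{ Value,
			"hand_window",
			60,
			translate("Timeframe for key exchange") },
		{ Value,
			"tran_window",
			3600,
			translate("Key transition window") },
		{ Flag,
			"single_session",
			0,
			translate("Allow only one session") },
		{ Flag,
			"tls_exit",
			0,
			translate("Exit on TLS negotiation failure") },
		{ Value,
			"tls_auth",
			"/etc/openvpn/tlsauth.key",
			translate("Additional authentication over TLS") },
		-- { Value,
		--	"askpass",
		--	"[file]",
		--	translate("Get PEM password from controlling tty before we daemonize") },
		{ Flag,
			"auth_nocache",
			0,
			translate("Don't cache --askpass or --auth-user-pass passwords") },
		{ Value,
			"tls_remote",
			"remote_x509_name",
			translate("Only accept connections from given X509 name") },
		{ ListValue,
			"ns_cert_type",
			{ "client", "server" },
			translate("Require explicit designation on certificate") },
		{ ListValue,
			"remote_cert_tls",
			{ "client", "server" },
			translate("Require explicit key usage on certificate") },
		{ Value,
			"crl_verify",
			"/etc/easy-rsa/keys/crl.pem",
			translate("Check peer certificate against a CRL") },
		-- NOTE(review): "1.0" is merely the lowest value OpenVPN accepts;
		-- raising it is advisable once all peers support it.
		{ Value,
			"tls_version_min",
			"1.0",
			translate("The lowest supported TLS version") },
		{ Value,
			"tls_version_max",
			"1.2",
			translate("The highest supported TLS version") },
		{ Value,
			"key_direction",
			"1",
			translate("The key direction for 'tls-auth' and 'secret' options") },
	} }
}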
726
727
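local cts = { }
local params = { }

local m = Map("openvpn")
local p = m:section( SimpleSection )

p.template = "openvpn/pageswitch"
p.mode = "advanced"
p.instance = arg[1]

-- Collect the tab names in display order and index the option lists by
-- tab name so the requested category can be validated in one lookup.
local byCategory = { }
for _, c in ipairs(knownParams) do
	cts[#cts+1] = c[1]
	byCategory[c[1]] = c[2]
end

-- arg[2] is taken from the request URL and is therefore untrusted.  Only
-- accept it when it names a known tab; anything else (including a missing
-- value) falls back to the first tab instead of rendering an empty section
-- under a caller-chosen title.
local category = arg[2]
if not byCategory[category] then
	category = "Service"
end

p.category = category
params = byCategory[category] or { }
p.categories = cts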
745
746
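-- The option section for the selected instance.  Its title is the
-- validated category held in p.category rather than the raw arg[2]: the
-- page-switch setup already substitutes a default when arg[2] is absent,
-- and formatting a nil through "%s" would raise here.
local s = m:section(
	NamedSection, arg[1], "openvpn",
	translate(p.category)
)

s.title = translate(p.category)
s.addremove = false
s.anonymous = true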
755
756
-- Materialise one CBI widget per catalogue entry of the selected tab.
-- Entry layout: { Widget, Name, Default(s), Description, Depends... }.
for _, spec in ipairs(params) do
	local widget, name, default, description = spec[1], spec[2], spec[3], spec[4]

	-- The option name doubles as the widget title.
	local o = s:option(widget, name, name, description)

	if widget == DummyValue then
		o.value = default
	else
		if widget == DynamicList then
			-- UCI may hand back a single scalar for a list option; wrap it so
			-- the list widget always receives a table.
			function o.cfgvalue(...)
				local stored = AbstractValue.cfgvalue(...)
				if stored and type(stored) ~= "table" then
					return { stored }
				end
				return stored
			end
		end

		-- Every option on this page may be left unset.
		o.optional = true

		if type(default) == "table" then
			-- A table of defaults becomes a choice list, with an explicit
			-- "unset" entry first and the first choice as the default.
			o:value("", "-- remove --")
			for _, choice in ipairs(default) do
				o:value(tostring(choice))
			end
			o.default = tostring(default[1])
		else
			o.default = tostring(default)
		end
	end

	-- Trailing tables are dependency specs, handed to depends() one by one.
	for i = 5, #spec do
		local dep = spec[i]
		if type(dep) == "table" then
			o:depends(dep)
		end
	end
end

return m