--[[
LuCI - Lua Configuration Interface

Copyright 2008 Steven Barth <steven@midlink.org>

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

$Id$
]]--
-- Loaded for their side effects only: neither module name is referenced
-- directly in this file. NOTE(review): presumably needed by the CBI classes
-- (Map, NamedSection, ...) this model relies on — confirm before removing.
require("luci.ip")
require("luci.model.uci")
local knownParams = {
	--
	-- Widget   Name   Default(s)   Option(s)   Description
	--
	-- Each entry is turned into one form field by the loop at the end of
	-- this file:
	--   [1] CBI widget class (Value, Flag, ListValue, DynamicList, FileUpload);
	--       DummyValue and DynamicList receive special handling there.
	--   [2] uci option name; the loop also uses it as the field title.
	--   [3] default value, or a table of selectable values whose first
	--       element becomes the default.
	--   Option(s): zero or more tables of the form { other_option="value" },
	--       intended as o:depends() constraints, i.e. the field is only
	--       shown while another option of the same instance has that value.
	--   Description: the translated help text, always the last element.
	-- The defaults are illustrative sample values for the advanced form.
	-- NOTE(review): confirm how the CBI framework treats a displayed default
	-- on save before relying on any of them as a safe baseline.

	{ "Service", {
	-- initialisation and daemon options
	{ ListValue, "verb", { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 }, translate("Set output verbosity") },
	{ Flag, "mlock", 0, translate("Disable Paging") },
	{ Flag, "disable_occ", 0, translate("Disable options consistency check") },
	-- { Value, "user", "root", translate("Set UID to user") },
	-- { Value, "group", "root", translate("Set GID to group") },
	{ Value, "cd", "/etc/openvpn", translate("Change to directory before initialization") },
	{ Value, "chroot", "/var/run", translate("Chroot to directory after initialization") },
	-- { Value, "daemon", "Instance-Name", translate("Daemonize after initialization") },
	-- { Value, "syslog", "Instance-Name", translate("Output to syslog and do not daemonize") },
	{ Flag, "passtos", 0, translate("TOS passthrough (applies to IPv4 only)") },
	-- { Value, "inetd", "nowait Instance-Name", translate("Run as an inetd or xinetd server") },
	{ Value, "log", "/var/log/openvpn.log", translate("Write log to file") },
	{ Value, "log_append", "/var/log/openvpn.log", translate("Append log to file") },
	{ Flag, "suppress_timestamps", 0, translate("Don't log timestamps") },
	-- { Value, "writepid", "/var/run/openvpn.pid", translate("Write process ID to file") },
	{ Value, "nice", 0, translate("Change process priority") },
	{ Flag, "fast_io", 0, translate("Optimize TUN/TAP/UDP writes") },
	{ Value, "echo", "some params echoed to log", translate("Echo parameters to log") },
	{ ListValue, "remap_usr1", { "SIGHUP", "SIGTERM" }, translate("Remap SIGUSR1 signals") },
	{ Value, "status", "/var/run/openvpn.status 5", translate("Write status to file every n seconds") },
	{ Value, "status_version", { 1, 2 }, translate("Status file format version") }, -- status
	{ Value, "mute", 5, translate("Limit repeated log messages") },

	-- script hooks: each value is a command path handed to OpenVPN; whether
	-- such hooks may run at all is the subject of script_security at the
	-- end of this category.
	{ Value, "up", "/usr/bin/ovpn-up", translate("Shell cmd to execute after tun device open") },
	{ Value, "up_delay", 5, translate("Delay tun/tap open and up script execution") },
	{ Value, "down", "/usr/bin/ovpn-down", translate("Shell cmd to run after tun device close") },
	{ Flag, "down_pre", 0, translate("Call down cmd/script before TUN/TAP close") },
	{ Flag, "up_restart", 0, translate("Run up/down scripts for all restarts") },
	{ Value, "route_up", "/usr/bin/ovpn-routeup", translate("Execute shell cmd after routes are added") },
	{ Value, "ipchange", "/usr/bin/ovpn-ipchange", { mode="p2p" }, translate("Execute shell command on remote ip change") },
	{ DynamicList, "setenv", { "VAR1 value1", "VAR2 value2" }, translate("Pass environment variables to script") },
	{ Value, "tls_verify", "/usr/bin/ovpn-tlsverify", translate("Shell command to verify X509 name") },
	{ Value, "client_connect", "/usr/bin/ovpn-clientconnect", translate("Run script cmd on client connection") },
	{ Flag, "client_disconnect", 0, translate("Run script cmd on client disconnection") },
	{ Value, "learn_address", "/usr/bin/ovpn-learnaddress", translate("Executed in server mode whenever an IPv4 address/route or MAC address is added to OpenVPN's internal routing table") },
	{ Value, "auth_user_pass_verify", "/usr/bin/ovpn-userpass via-env", translate("Executed in server mode on new client connections, when the client is still untrusted") },
	-- Dependency table sits at index 4 here, before the description.
	{ ListValue, "script_security", { 0, 1, 2, 3 }, {mode="server" }, translate("Policy level over usage of external programs and scripts") },
	} },

	{ "Networking", {
	-- socket config
	-- "mode" is the option the { mode=... } dependency tables key on.
	{ ListValue, "mode", { "p2p", "server" }, translate("Major mode") },
	{ Value, "local", "0.0.0.0", translate("Local host name or ip address") },
	{ Value, "port", 1194, translate("TCP/UDP port # for both local and remote") },
	{ Value, "lport", 1194, translate("TCP/UDP port # for local (default=1194)") },
	{ Value, "rport", 1194, translate("TCP/UDP port # for remote (default=1194)") },
	{ Flag, "float", 0, translate("Allow remote to change its IP or port") },
	{ Flag, "nobind", 0, translate("Do not bind to local address and port") },

	{ Value, "dev", "tun0", translate("tun/tap device") },
	{ ListValue, "dev_type", { "tun", "tap" }, translate("Type of used device") },
	{ Value, "dev_node", "/dev/net/tun", translate("Use tun/tap device node") },
	{ Flag, "tun_ipv6", 0, translate("Make tun device IPv6 capable") },

	{ Value, "ifconfig", "10.200.200.3 10.200.200.1", translate("Set tun/tap adapter parameters") },
	{ Flag, "ifconfig_noexec", 0, translate("Don't actually execute ifconfig") },
	{ Flag, "ifconfig_nowarn", 0, translate("Don't warn on ifconfig inconsistencies") },

	{ DynamicList, "route", "10.123.0.0 255.255.0.0", translate("Add route after establishing connection") },
	{ Value, "route_gateway", "10.234.1.1", translate("Specify a default gateway for routes") },
	{ Value, "route_delay", 0, translate("Delay n seconds after connection") },
	{ Flag, "route_noexec", 0, translate("Don't add routes automatically") },

	{ ListValue, "mtu_disc", { "yes", "maybe", "no" }, translate("Enable Path MTU discovery") },
	{ Flag, "mtu_test", 0, translate("Empirically measure MTU") },
	{ Flag, "comp_lzo", 0, translate("Use fast LZO compression") },
	-- NOTE(review): dependency value is the number 1 here while every
	-- other entry uses the string "1" — confirm the comparison tolerates it.
	{ Flag, "comp_noadapt", 0, { comp_lzo=1 }, translate("Don't use adaptive lzo compression") },
	{ Value, "link_mtu", 1500, translate("Set TCP/UDP MTU") },
	{ Value, "tun_mtu", 1500, translate("Set tun/tap device MTU") },
	{ Value, "tun_mtu_extra", 1500, translate("Set tun/tap device overhead") },
	{ Value, "fragment", 1500, { proto="udp" }, translate("Enable internal datagram fragmentation") },
	{ Value, "mssfix", 1500, { proto="udp" }, translate("Set upper bound on TCP MSS") },
	{ Value, "sndbuf", 65536, translate("Set the TCP/UDP send buffer size") },
	{ Value, "rcvbuf", 65536, translate("Set the TCP/UDP receive buffer size") },
	{ Value, "txqueuelen", 100, translate("Set tun/tap TX queue length") },
	{ Value, "shaper", 10240, translate("Shaping for peer bandwidth") },

	{ Value, "inactive", 240, translate("tun/tap inactivity timeout") },
	{ Value, "keepalive", "10 60", translate("Helper directive to simplify the expression of --ping and --ping-restart in server mode configurations") },
	{ Value, "ping", 30, translate("Ping remote every n seconds over TCP/UDP port") },
	{ Value, "ping_exit", 120, translate("Remote ping timeout") },
	{ Value, "ping_restart", 60, translate("Restart after remote ping timeout") },
	{ Flag, "ping_timer_rem", 0, translate("Only process ping timeouts if routes exist") },

	{ Flag, "persist_tun", 0, translate("Keep tun/tap device open on restart") },
	{ Flag, "persist_key", 0, translate("Don't re-read key on restart") },
	{ Flag, "persist_local_ip", 0, translate("Keep local IP address on restart") },
	{ Flag, "persist_remote_ip", 0, translate("Keep remote IP address on restart") },

	-- management channel
	-- The sample value binds the management socket to loopback only and
	-- names a password file; keep it that way unless remote management
	-- is explicitly required.
	{ Value, "management", "127.0.0.1 31194 /etc/openvpn/mngmt-pwds", translate("Enable management interface on <em>IP</em> <em>port</em>") },
	{ Flag, "management_query_passwords", 0, translate("Query management channel for private key") }, -- management
	{ Flag, "management_hold", 0, translate("Start OpenVPN in a hibernating state") }, -- management
	{ Value, "management_log_cache", 100, translate("Number of lines for log file history") }, -- management
	{ ListValue, "topology", { "net30", "p2p", "subnet" }, {dev_type="tun" }, translate("'net30', 'p2p', or 'subnet'") },
	} },

	{ "VPN", {
	-- NOTE(review): these entries depend on an option named "server_mode",
	-- but no such option is defined anywhere in this table (Networking
	-- defines "mode" with values p2p/server) — confirm which option the
	-- dependencies are meant to key on, otherwise the fields may never show.
	{ Value, "server", "10.200.200.0 255.255.255.0", { server_mode="1" }, translate("Configure server mode") },
	{ Value, "server_bridge", "10.200.200.1 255.255.255.0 10.200.200.200 10.200.200.250", { server_mode="1" }, translate("Configure server bridge") },
	{ DynamicList, "push", { "redirect-gateway", "comp-lzo" }, { server_mode="1" }, translate("Push options to peer") },
	{ Flag, "push_reset", 0, { server_mode="1" }, translate("Don't inherit global push options") },
	{ Flag, "disable", 0, { server_mode="1" }, translate("Client is disabled") },
	{ Value, "ifconfig_pool", "10.200.200.100 10.200.200.150 255.255.255.0", { server_mode="1" }, translate("Set aside a pool of subnets") },
	{ Value, "ifconfig_pool_persist", "/etc/openvpn/ipp.txt 600", { server_mode="1" }, translate("Persist/unpersist ifconfig-pool") },
	-- { Flag, "ifconfig_pool_linear", 0, { server_mode="1" }, translate("Use individual addresses rather than /30 subnets") }, -- deprecated and replaced by --topology p2p
	{ Value, "ifconfig_push", "10.200.200.1 255.255.255.255", { server_mode="1" }, translate("Push an ifconfig option to remote") },
	{ Value, "iroute", "10.200.200.0 255.255.255.0", { server_mode="1" }, translate("Route subnet to client") },
	{ Flag, "client_to_client", 0, { server_mode="1" }, translate("Allow client-to-client traffic") },
	{ Flag, "duplicate_cn", 0, { server_mode="1" }, translate("Allow multiple clients with same certificate") },
	{ Value, "client_config_dir", "/etc/openvpn/ccd", { server_mode="1" }, translate("Directory for custom client config files") },
	{ Flag, "ccd_exclusive", 0, { server_mode="1" }, translate("Refuse connection if no custom client config") },
	{ Value, "tmp_dir", "/var/run/openvpn", { server_mode="1" }, translate("Temporary directory for client-connect return file") },
	{ Value, "hash_size", "256 256", { server_mode="1" }, translate("Set size of real and virtual address hash tables") },
	{ Value, "bcast_buffers", 256, { server_mode="1" }, translate("Number of allocated broadcast buffers") },
	{ Value, "tcp_queue_limit", 64, { server_mode="1" }, translate("Maximum number of queued TCP output packets") },
	{ Value, "max_clients", 10, { server_mode="1" }, translate("Allowed maximum of connected clients") },
	{ Value, "max_routes_per_client", 256, { server_mode="1" }, translate("Allowed maximum of internal") },
	{ Value, "connect_freq", "3 10", { server_mode="1" }, translate("Allowed maximum of new connections") },
	-- Weakens peer authentication; meaningful only together with a
	-- username/password check such as auth_user_pass_verify in Service.
	{ Flag, "client_cert_not_required", 0, { server_mode="1" }, translate("Don't require client certificate") },
	{ Flag, "username_as_common_name", 0, { server_mode="1" }, translate("Use username as common name") },
	-- Two dependency tables: shown when server_mode is "0" or unset.
	-- "client" is the option the { client="1" } tables below key on.
	{ Flag, "client", 0, { server_mode="0" }, { server_mode="" }, translate("Configure client mode") },
	{ Flag, "pull", 0, { client="1" }, translate("Accept options pushed from server") },
	{ Value, "auth_user_pass", "/etc/openvpn/userpass.txt", { client="1" }, translate("Authenticate using username/password") },
	{ ListValue, "auth_retry", { "none", "nointeract", "interact" }, { client="1" }, translate("Handling of authentication failures") },
	{ Value, "explicit_exit_notify", 1, { client="1" }, translate("Send notification to peer on disconnect") },
	{ DynamicList, "remote", "1.2.3.4", { client="1" }, translate("Remote host name or ip address") }, -- client
	{ Flag, "remote_random", 1, { client="1" }, translate("Randomly choose remote server") }, -- client
	{ ListValue, "proto", { "udp", "tcp-client", "tcp-server" }, { client="1" }, translate("Use protocol") },
	{ Value, "connect_retry", 5, { proto="tcp-client" }, { client="1" }, translate("Connection retry interval") }, -- client && proto=tcp-client
	{ Value, "http_proxy", "192.168.1.100 8080", { client="1" }, translate("Connect to remote host through an HTTP proxy") }, -- client
	{ Flag, "http_proxy_retry", 0, { client="1" }, translate("Retry indefinitely on HTTP proxy errors") }, -- client && http_proxy
	{ Value, "http_proxy_timeout", 5, { client="1" }, translate("Proxy timeout in seconds") }, -- client && http_proxy
	{ DynamicList, "http_proxy_option", { "VERSION 1.0", "AGENT OpenVPN/2.0.9" }, { client="1" }, translate("Set extended HTTP proxy options") }, -- client && http_proxy
	{ Value, "socks_proxy", "192.168.1.200 1080", { client="1" }, translate("Connect through Socks5 proxy") }, -- client
	{ Value, "socks_proxy_retry", 5, { client="1" }, translate("Retry indefinitely on Socks proxy errors") }, -- client && socks_proxy
	{ Value, "resolv_retry", "infinite", { client="1" }, translate("If hostname resolve fails, retry") }, -- client
	{ ListValue, "redirect_gateway", { "", "local", "def1", "local def1" }, { client="1" }, translate("Automatically redirect default route") }, -- client
	} },

	{ "Cryptography", {
	-- NOTE(review): the sample values in this category ("auth" SHA1,
	-- "cipher" BF-CBC, "keysize" 1024, and a tls_cipher list that still
	-- contains EXP-*, RC4 and single-DES suites) are legacy placeholders,
	-- not a hardened baseline. They are only what the form shows initially;
	-- treat them as examples to be replaced, not as recommendations.
	{ Value, "secret", "/etc/openvpn/secret.key 1", translate("Enable Static Key encryption mode (non-TLS)") },
	{ Value, "auth", "SHA1", translate("HMAC authentication for packets") }, -- parse
	{ Value, "cipher", "BF-CBC", translate("Encryption cipher for packets") }, -- parse
	{ Value, "keysize", 1024, translate("Size of cipher key") }, -- parse
	{ Value, "engine", "dynamic", translate("Enable OpenSSL hardware crypto engines") }, -- parse
	-- The next two flags switch off replay protection and the cipher IV;
	-- both are off by default and should stay off.
	{ Flag, "no_replay", 0, translate("Disable replay protection") },
	{ Value, "replay_window", "64 15", translate("Replay protection sliding window size") },
	{ Flag, "mute_replay_warnings", 0, translate("Silence the output of replay warnings") },
	{ Value, "replay_persist", "/var/run/openvpn-replay-state", translate("Persist replay-protection state") },
	{ Flag, "no_iv", 0, translate("Disable cipher initialisation vector") },
	-- tls_server and tls_client are mutually exclusive: each is shown only
	-- while the other is unset or "0".
	{ Flag, "tls_server", 0, { tls_client="" }, { tls_client="0" }, translate("Enable TLS and assume server role") },
	{ Flag, "tls_client", 0, { tls_server="" }, { tls_server="0" }, translate("Enable TLS and assume client role") },
	{ FileUpload, "ca", "/etc/easy-rsa/keys/ca.crt", translate("Certificate authority") },
	{ FileUpload, "dh", "/etc/easy-rsa/keys/dh1024.pem", translate("Diffie Hellman parameters") },
	{ FileUpload, "cert", "/etc/easy-rsa/keys/some-client.crt", translate("Local certificate") },
	{ FileUpload, "key", "/etc/easy-rsa/keys/some-client.key", translate("Local private key") },
	{ FileUpload, "pkcs12", "/etc/easy-rsa/keys/some-client.pk12", translate("PKCS#12 file containing keys") },
	-- NOTE(review): the description duplicates the tls_client text above;
	-- it presumably should describe the key-exchange method version instead.
	{ ListValue, "key_method", { 1, 2 }, translate("Enable TLS and assume client role") },
	{ Value, "tls_cipher", "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5", translate("TLS cipher") },
	{ Value, "tls_timeout", 2, translate("Retransmit timeout on TLS control channel") },
	{ Value, "reneg_bytes", 1024, translate("Renegotiate data chan. key after bytes") },
	{ Value, "reneg_pkts", 100, translate("Renegotiate data chan. key after packets") },
	{ Value, "reneg_sec", 3600, translate("Renegotiate data chan. key after seconds") },
	{ Value, "hand_window", 60, translate("Timeframe for key exchange") },
	{ Value, "tran_window", 3600, translate("Key transition window") },
	{ Flag, "single_session", 0, translate("Allow only one session") },
	{ Flag, "tls_exit", 0, translate("Exit on TLS negotiation failure") },
	{ Value, "tls_auth", "/etc/openvpn/tlsauth.key 1", translate("Additional authentication over TLS") },
	--{ Value, "askpass", "[file]", translate("Get PEM password from controlling tty before we daemonize") },
	{ Flag, "auth_nocache", 0, translate("Don't cache --askpass or --auth-user-pass passwords") },
	{ Value, "tls_remote", "remote_x509_name", translate("Only accept connections from given X509 name") },
	{ ListValue, "ns_cert_type", { "client", "server" }, translate("Require explicit designation on certificate") },
	{ ListValue, "remote_cert_tls", { "client", "server" }, translate("Require explicit key usage on certificate") },
	{ Value, "crl_verify", "/etc/easy-rsa/keys/crl.pem", translate("Check peer certificate against a CRL") },
	} }
}
-- Map over the "openvpn" uci config plus the category switcher rendered
-- above the form. Both URL arguments come straight from the dispatcher:
-- arg[1] is the instance (uci section) name, arg[2] the category tab.
local m = Map("openvpn")
local p = m:section( SimpleSection )
p.template = "openvpn/pageswitch"
p.mode = "advanced"
p.instance = arg[1]
p.category = arg[2] or "Service" -- first tab when the URL omits one

-- Collect every category name for the switcher and select the option list
-- of the requested category. An unknown category leaves params empty, so
-- the page renders without fields rather than failing.
local params = { }
local category_names = { }
for idx, entry in ipairs(knownParams) do
	local category_name, category_options = entry[1], entry[2]
	category_names[idx] = category_name
	if category_name == p.category then
		params = category_options
	end
end
p.categories = category_names
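-- Per-instance section that holds the fields of the selected category.
-- The title is derived from p.category, which already falls back to
-- "Service" when the second URL argument is missing; formatting the raw
-- arg[2] here would hand a nil to the string formatter on such requests.
-- translate() receives the plain category name ("%s" % name is the same
-- string), computed once and reused for both the section and its title.
local section_title = translate(p.category)
local s = m:section(NamedSection, arg[1], "openvpn", section_title)
s.title = section_title
s.addremove = false
s.anonymous = true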
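-- Emit one CBI field per knownParams entry of the selected category.
--
-- Entry layout: { widget, name, default(s), [depends...], description }.
-- Entries without dependencies carry the description at index 4, whereas
-- entries with dependency tables place those tables first and the
-- description last. Passing index 4 blindly as the description therefore
-- handed a dependency table to s:option() and dropped that dependency, so
-- the trailing elements are split by type instead: every table from index 4
-- onward becomes an o:depends() constraint and the first string is the
-- description. Both layouts keep their description and all dependencies.
for _, option in ipairs(params) do
	local widget, name, default = option[1], option[2], option[3]

	-- Separate dependency tables from the help text.
	local depends = { }
	local description
	for i = 4, #option do
		local extra = option[i]
		if type(extra) == "table" then
			depends[#depends+1] = extra
		elseif description == nil then
			description = extra
		end
	end

	-- The uci option name doubles as the field title.
	local o = s:option(widget, name, name, description)

	if widget == DummyValue then
		o.value = default
	else
		if widget == DynamicList then
			o.cast = nil
			-- uci may store a single string for a list option; present it
			-- as a one-element table so the widget always receives a list.
			function o.cfgvalue(...)
				local val = AbstractValue.cfgvalue(...)
				return ( val and type(val) ~= "table" ) and { val } or val
			end
		end

		-- Every advanced option is optional. List-style entries get an
		-- explicit "remove" choice so the value can be unset again; the
		-- first listed value is the default.
		o.optional = true

		if type(default) == "table" then
			o:value("", "-- remove --")
			for _, v in ipairs(default) do
				o:value(tostring(v))
			end
			o.default = tostring(default[1])
		else
			o.default = tostring(default)
		end
	end

	-- Several dependency tables on one entry are alternatives: the field is
	-- shown when any of them matches.
	for _, dep in ipairs(depends) do
		o:depends(dep)
	end
end

return m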
272 return m