Age | Commit message (Collapse) | Author |
|
Commit bb9f998 introduced a bug where openvpn fails to start if
'local-host' is an IPv4 address due to 'proto' wanting a IPv6 socket.
This adds a conditional check and uses normal proto if it's IPv4.
|
|
|
|
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to
systemd") as not all relevant configuration files have been re-rendered
into /run/openvpn.
|
|
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to
systemd") as not all relevant configuration files have been re-rendered
into /run/openvpn
|
|
|
|
|
|
|
|
|
|
implementations
|
|
|
|
|
|
When only defining a timeout limit the generated config will look like:
[connlimit]
limit=
burst=
timeout=5
This will trigger a "Floating point exception" on startup of Accel-PPP and it
can be re-surrected anymore until service is completely deleted and re-added.
|
|
Instead of having "dns-server server-1|server-2" nodes and the same for IPv6
all DNS nameservers are migrated to a common name-servers node.
|
|
|
|
Yet, VyOS knows these two encryption schemes for WiFi:
1. CCMP = AES in Counter mode with CBC-MAC (CCMP-128)
2. TKIP = Temporal Key Integrity Protocol
These encryption schemes are new and especially the Galois counter mode
cipher suites are very desirable!
1. CCMP-256 = AES in Counter mode with CBC-MAC with 256-bit key
2. GCMP = Galois/counter mode protocol (GCMP-128)
3. GCMP-256 = Galois/counter mode protocol with 256-bit key
CCMP is supported by all WPA2 compatible NICs, so this remains the
default cipher for bidirectional and group packets while using WPA2.
Use 'iw list' to figure out which cipher suites your cards support
prior to configuring other cipher suites than CCMP. AP NICs and
STA NICs must both support at least one common cipher in a given
list in order to associate successfully.
|
|
openvpn: T149: IPv6 support
|
|
ipoe: T2294: Fix templates and migrate to systemd
|
|
|
|
- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitely open an IPv6 listening socket
(tcp6-server, tcp6-client, udp6) as the default on Linux listens on
IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
|
|
|
|
|
|
openvpn: T2235: add custom server pool handling
|
|
- add config options and logic for server client-ip-pool
- add function for determining default IPs for the server in different
configurations
- verify for pool IPs and maximum subnet prefix length
- move remote netmask logic for client ifconfig-push to use new function
- add topology 'net30' , set it as default (as it already was)
- replace generic ip_* with IPv4* where necessary
- print warning to console when server client IP is in server pool
- fix server subnet help field
|
|
openvpn: T2283: move ccd to /run/openvpn
|
|
|
|
Commit a457c9d2 moved the config directory to /run/openvpn but didn't move
the client-config-dir in the template.
|
|
|
|
|
|
|
|
Commit 13510cac5a4a ("vpn: sstp: T2008: migrate from SysVinit -> systemd")
added a variable name of the chap-secrets file - but it was the wrong one.
|
|
|
|
|
|
wireless: T2213: bugfix: Use ieee80211n and ieee80211ac if require_vht not set
|
|
* 't2264-l2tp' of github.com:c-po/vyos-1x: (25 commits)
vpn: l2tp: sstp: T2264: create config dir on demand
vpn: l2tp: T2264: migrate IPv6 prefix node to common CLI style
vpn: l2tp: T2264: simplify IPv6 config dictionary elements
vpn: sstp: T2008: migrate from SysVinit -> systemd
vpn: sstp: T2008: bugfix KeyError 'client_gateway'
vpn: l2tp: T2264: migrate from SysVinit -> systemd
vpn: l2tp: T2264: remove debug pprint
vpn: l2tp: T2264: proper set PPP default values to ease Jinja2 template
vpn: l2tp: T2110: re-use RADIUS XML include file
vpn: l2tp: T2264: remove RADIUS req-limit node
vpn: l2tp: T2264: migrate to new dictionary keys for radius auth
vpn: sstp: T2008: set accell default values in config dict
vpn: l2tp: T2264: use "with open()" when writing config
vpn: l2tp: T2264: migrate to new dictionary keys for local auth
vpn: sstp: T2008: improve error message for non existent local-users
vpn: l2tp: T2264: cleanup thread_cnt generation
vpn: sstp: T2008: cleanup thread_cnt generation
vpn: l2tp: T2264: combine WINS CLI syntax
vpn: l2tp: T2264: combine IPv4/IPv6 name-server CLI syntax
vpn: sstp: T2008: adjust DNS error message
...
|
|
Use WiFi modes ieee80211ac and ieee80211n if VHT capabilities are optional.
ieee80211n = 1
ieee80211ac = 1
Use only ieee80211ac if VHT capabilities are required (ieee80211n=0).
ieee80211ac = 1
ieee80211n = 0
require_vht = 1
In order to make this decision, the desired WiFi operation mode needs to be
known. Therefore, we must require users to set the WiFi mode.
mode = (a|b|g|n|ac)
|
|
dhcp: T2265: refactor DHCP class
|
|
Combining multiple options into a single CLI node is considered bad practice.
IPv6 prefixes consited of the prefix itself and a mask send to the client in
one node only.
The following CLI parts have been migrated from
client-ipv6-pool {
delegate-prefix fc00:0:1::/48,64
prefix 2001:db8::/64,64
}
to
client-ipv6-pool {
delegate fc00:0:1::/48 {
delegation-prefix 48
}
prefix 2001:db8::/48 {
mask 64
}
}
Thus regular validation steps from the VyOS CLI can be used when a prefix is
configured.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There is no reason to distinguish between WINS servers in terms of priority.
This is solely a task which can be done in the underlaying Python scripts.
|
|
There is no reason to distinguish between an IPv4 and IPv6 name-server node
on the CLI - this can be done in the underlaying Python scripts.
|
|
|
|
As PPP can be used to establish a connection on-demand it manages the Kernel
default route. This can not be used when using VRFs which are managed by
the ip-up.d and ip-down.d scripts - thus those options are now mutially
exclusive.
The best fix would be adding support for VRFs into PPP.
|
|
Commit ef27cef0 mistakenly removed client-config-dir from the
server template.
|
|
|
|
- rearranged options to put them in logical groups separated by blank
lines
- removed unnecessary blank lines (whitespace)
- fixed encryption if-else comparison logic that caused 3des to be
ignored
- set tls if tls-version-min is set
|