Hi Stefan,

On 23/08/2025 14:55, Adolf Belka wrote:
Hi Stefan,

I tried out the CU197 Testing update with this patch in place. It works fine
for a new install, where there is no existing settings file, but for updates or
when a restore from an old backup is being done, a settings file already
exists and then the default settings are not applied, and this results in the
settings file having no CIPHERS entry but having a fallback DCIPHER entry.

In the update, where the OpenVPN RW server is stopped before updating and
started again afterwards, this causes the server to fail to start as there is no
CIPHER entry. When a restore from backup is done, the same thing happens,
with no CIPHERS entry, just a DCIPHER one, but as the server is running when the
restore is done, it stays running with the old settings, but if the Save button
is pressed then it stops because the settings file now has no CIPHERS entry.

Not sure how to fix this at the moment. Maybe it needs to be if the settings
file exists and it contains a CIPHERS entry, but I am not sure whether that is
the right approach or not.

Figured out how to fix this. Your patch in ovpnmain.cgi stays the same. I just
needed to add some additional lines to backup.pl and the CU197 update.sh
file.

I just check if ncp-disable is present in server.conf and, if it is, delete
it and then add the default
DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305 to the settings file.
If ncp-disable is in the server.conf, then the restore is from prior to
openvpn-2.6 and there will be no DATACIPHERS entry.

I have tested this out with the backup.pl changes and your patch in place and
everything works correctly again. I will submit patches for these additional
changes.

Regards,
Adolf.

Regards,
Adolf.

On 19/08/2025 20:39, Stefan Schantl wrote:
Only apply the default settings in case nothing has been configured yet,
otherwise existing settings may get overwritten.
Signed-off-by: Stefan Schantl <stefan.scha...@ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 83f9fdc02..a2f95dc9a 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -132,7 +132,7 @@ my $col="";
"MAX_CLIENTS" => 100,
"MSSFIX" => "off",
"TLSAUTH" => "on",
-});
+}) unless (%vpnsettings);
# Load CGI parameters
&Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'});
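
Review bot: the "unless (%vpnsettings)" guard on the closing "})" is all-or-nothing. As soon as the hash holds any key, none of the defaults in this block (MAX_CLIENTS, MSSFIX, TLSAUTH and the entries above them) are applied, so a settings file that already exists but lacks one of these keys is left without it. Consider applying the defaults per key, assigning each one only where that key is not yet defined in %vpnsettings, which still protects configured values while filling the missing ones. The guard also relies on %vpnsettings having been read from the settings file before this statement, which the hunk does not show; a one-line comment stating that ordering would help the next reader.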
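
The migration step described earlier in this thread (remove ncp-disable from server.conf, then add the default DATACIPHERS line to the settings file), written as an idempotent shell function. This is an added example, not the patch that was submitted and not IPFire code; the function name migrate_ovpn and passing both file paths as arguments are assumptions.

```shell
#!/bin/sh
# Added example, not IPFire code. Both file paths are supplied by the caller
# (assumption: the page does not give their real locations).

DEFAULT_DATACIPHERS='AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305'
NCP_RE='^[[:space:]]*ncp-disable([[:space:]]|$)'

# migrate_ovpn <server.conf> <settings>   (hypothetical helper name)
# Returns 0 if the config was migrated, 1 if nothing needed doing, 2 on error.
migrate_ovpn() {
    conf=$1
    settings=$2
    { [ -f "$conf" ] && [ -f "$settings" ]; } || return 2

    # ncp-disable marks a config written before openvpn-2.6; without it the
    # settings file is assumed to be current and is left untouched.
    grep -Eq "$NCP_RE" "$conf" || return 1

    # Drop the obsolete directive. Writing back through the existing file
    # keeps its owner and mode, unlike mv of a fresh temp file.
    tmp=$(mktemp) || return 2
    sed -E "/$NCP_RE/d" "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"

    # Add the default only if no DATACIPHERS line exists, so a value the
    # admin already chose is never overwritten and reruns do not duplicate it.
    if ! grep -q '^DATACIPHERS=' "$settings"; then
        # Make sure the appended key starts on its own line.
        [ -z "$(tail -c 1 "$settings")" ] || echo >> "$settings"
        printf 'DATACIPHERS=%s\n' "$DEFAULT_DATACIPHERS" >> "$settings"
    fi
    return 0
}
```

The return code separates "migrated" from "already current", so a caller such as an update script can log which systems were touched.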