Hello Adolf,

Hmm, maybe Stefan’s patch is not providing the full solution.

I created a new function some time ago which is called “set_defaults” and the idea is that it would populate any fields that have not been initialized. That way, if we add anything new, there should always be a good default.

I understand why Stefan is turning off that initialisation, but this does seem to create some more consequences.

We should never have any server configurations left with ncp-disable, because that will not work any more. I thought regenerating the configuration files through the CGI should take care of this.

Maybe we need to rethink how we can make set_defaults() work so that we don’t have to add more and more hacks?!

Best,
-Michael

> On 25 Aug 2025, at 09:51, Adolf Belka <adolf.be...@ipfire.org> wrote:
>
> Hi Stefan,
>
> On 23/08/2025 14:55, Adolf Belka wrote:
>> Hi Stefan,
>> I tried out the CU197 Testing update with this patch in place. It works fine
>> for a new install, where there is no existing settings file but for updates
>> or when a restore from an old backup is being done then a settings file
>> already exists and then the default settings are not applied and this
>> results in the settings file having no CIPHERS entry but having a fallback
>> DCIPHER entry.
>> In the update where the OpenVPN RW server is stopped before updating and
>> started again afterwards this causes the server to fail to start as there is
>> no CIPHER entry. When a restore from backup is done then the same thing
>> happens with no CIPHERS entry, just a DCIPHER one but as the server is
>> running when the restore is done, it stays running with the old settings but
>> if the Save button is pressed then it Stops because the settings file now
>> has no CIPHERS entry.
>> Not sure how to fix this at the moment. Maybe it needs to be if the settings
>> file exists and it contains a CIPHERS entry but I am not sure that is the
>> right approach or not.
>
> Figured out how to fix this. Your patch in ovpnmain.cgi stays the same.
> I just needed to add in some additional lines into backup.pl and the CU197
> update.sh file.
>
> I just check if ncp-disable is present in server.conf and if it is then
> delete it and then add in the default
> DATACIPHERS=AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305 into the settings file.
>
> If ncp-disable is in the server.conf then the restore is from prior to
> openvpn-2.6 and there will be no DATACIPHERS entry.
>
> I have tested this out with the backup.pl changes and your patch in place and
> everything works correctly again. I will submit patches for these additional
> changes.
>
> Regards,
>
> Adolf.
>
>> Regards,
>> Adolf.
>> On 19/08/2025 20:39, Stefan Schantl wrote:
>>> Only apply the default settings in case nothing has been configured yet,
>>> otherwise existing settings may get overwritten.
>>>
>>> Signed-off-by: Stefan Schantl <stefan.scha...@ipfire.org>
>>> --- >>> html/cgi-bin/ovpnmain.cgi | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi >>> index 83f9fdc02..a2f95dc9a 100644 >>> --- a/html/cgi-bin/ovpnmain.cgi >>> +++ b/html/cgi-bin/ovpnmain.cgi >>> @@ -132,7 +132,7 @@ my $col=""; >>> "MAX_CLIENTS" => 100, >>> "MSSFIX" => "off", >>> "TLSAUTH" => "on", >>> -}); >>> +}) unless (%vpnsettings); >>> # Load CGI parameters >>> &Header::getcgihash(\%cgiparams, {'wantfile' => 1, 'filevar' => 'FH'}); > >
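
Review bot: the `unless (%vpnsettings)` modifier on the closing `})` makes the defaults all-or-nothing. As soon as the settings hash holds a single key, none of the listed defaults (such as `MAX_CLIENTS`, `MSSFIX` and `TLSAUTH`) are applied, so a settings file written by an older version never receives a default for a key that was introduced later. Consider applying each default only when that key is not yet defined in the hash, which keeps existing values intact and still fills in missing ones, and add a comment next to the call stating which of the two behaviours is intended.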
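
The check Adolf describes above (remove `ncp-disable` from server.conf and add the default DATACIPHERS entry to the settings file), sketched as an added shell example. It is not the backup.pl or update.sh change from this thread; the function name, return codes, the "only if absent" guard and the sample files are assumptions, and both file paths are passed in by the caller.

```shell
#!/bin/sh
# Added illustration, not IPFire's update.sh or backup.pl. Both file paths
# are arguments; no project path is assumed.

DEFAULT_DATACIPHERS='AES-256-GCM|AES-128-GCM|CHACHA20-POLY1305'
# Match the directive only as a whole, uncommented line.
NCP_LINE='^[[:space:]]*ncp-disable[[:space:]]*$'

# migrate_ncp_disable SERVER_CONF SETTINGS
# Returns 0 after migrating, 1 if nothing needed changing, 2 on a missing file.
migrate_ncp_disable() {
    conf=$1
    settings=$2
    [ -f "$conf" ] && [ -f "$settings" ] || return 2

    # No ncp-disable means the configuration is not from before openvpn-2.6.
    grep -q "$NCP_LINE" "$conf" || return 1

    # Filter into a temp file first so a failed sed cannot truncate the config,
    # then copy the content back so the original owner and mode are kept.
    tmp=$(mktemp "${conf}.XXXXXX") || return 2
    sed "/$NCP_LINE/d" "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$conf"
    rm -f "$tmp"

    # Assumption: add the default only when the key is absent, so running the
    # migration twice (update followed by a restore) never duplicates it.
    grep -q '^DATACIPHERS=' "$settings" ||
        printf 'DATACIPHERS=%s\n' "$DEFAULT_DATACIPHERS" >> "$settings"
    return 0
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample files standing in for a restore from an old backup.
    printf 'port 1194\nncp-disable\ncipher AES-256-CBC\n' > "$d/server.conf"
    printf 'DCIPHER=AES-256-CBC\nMAX_CLIENTS=100\n' > "$d/settings"
    migrate_ncp_disable "$d/server.conf" "$d/settings" &&
        cat "$d/server.conf" "$d/settings"
    rm -rf "$d"
}
demo
```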