Hello Community,
finally, we are releasing the long-awaited IPFire 2.19 – Core Update 115 which brings the shiny new Captive Portal and various security and performance improvements as well as fixing security vulnerabilities.
This is a large Core Update with a huge number of changes and to support our efforts to develop new features and maintain the existing system as well as constantly improving it, we would like to ask you to donate!
Captive Portal
The new IPFire Captive Portal comes pre-installed on every IPFire system and allows easy access control for wireless and even wired networks. It is simple and very easy to set with only a few configuration options. That makes it versatile for many adminstrators and also very simple for all users.
It comes with two configuration modes: The default mode asks the user to accept terms and conditions. After doing so, access to the network is granted for a configurable time. After the time has expired, Internet access is blocked again immediately.
Optionally you can generate coupons that allow access for one device for a set time. Those coupons can also be exported as a PDF document and being printed so that they can be handed out easily at a hotel reception for example.
Although, Germany has just abolished the controversial law that made the subscriber of on Internet connection liable for everything anyone does over that connection (Störerhaftung), this is still a great feature for 2017 where WiFi networks in hotels, cafes and everywhere else are a must. It allows to only give access to the people who booked a room in your hotel, or bought a cup of coffee in your cafe. That will keep the WiFi from being overloaded and it will be fast for everyone.
The full documentation can be found on our wiki.
Thanks go to all the people of our community who have worked on this for a very long time.
Security Improvements
The web user interface has been hardened by a series of patches from Peter Müller:
- When establishing a new TLS connection, ECDSA is now preferred over RSA which makes the TLS handshake much faster and uses less resources on the client and server. It is also considered to be stronger to brute-force.
- An additional ECDSA key is now generated in addition to the existing RSA key which improves security of any TLS connections to the web user interface.
- Previously, some attacks were possible to make the web browser submit login credentials via HTTP without encryption. The apache configuration has been changed to never ask for login without establishing a TLS connection before.
- A smaller information leak has also been fixed where anyone could access the
credits.cgipage which revealed the version information of the installed system.
These changes require to restart the web server that runs the web user interface. This happens automatically during the installation of this Core Update but might render the web user interface unavailable for a short moment.
OpenVPN Configuration Updates
The OpenVPN project has deprecated some configuration options. This has been updated in IPFire as well which will now generate new configuration files when ever a new certificate has been issued. The old configuration files and certificates will remain but won’t be compatible with OpenVPN 2.5 any more. There is no need for action right now, but old connections might not work with clients that run a newer version of OpenVPN in the future. New connections will work fine with any recent and future version of OpenVPN.
Thanks for Erik for sending in a patch for this.
Misc
- The WiFi access point add-on has already been patched against the KRACK attacks on the day those were announced. The
wpa_supplicantpackage which implements the WiFi client feature of IPFire has been patched in this release against those attacks. - IPsec VPNs that use Curve25519 would not want to come up after installing the previous Core Update. This has been fixed now.
- Updated packages:
logrotate3.13.0,openvpn2.3.18,unbound1.6.7 - Some files that have been unused for a very long time have been cleaned up.
- All downloads of the project’s ISO files are now done over HTTPS.
Updated Add-Ons
tor3.1.7