authorMatthew Grooms <mgrooms@pfsense.org>2008-08-26 22:20:01 +0000
committerMatthew Grooms <mgrooms@pfsense.org>2008-08-26 22:20:01 +0000
commite28120e5379d6f8310a4a4082f5178da55a321e8 (patch)
treeb83c6f628e6daf127418a2ed5b7e292e1476d5c9 /etc/inc/openvpn.inc
parentd799787e49e0a535acbc881b8e8944b860e25e47 (diff)
Dump the per-configuration dh parameters data. It makes no sense to keep
this information in the configuration as it's not specific to the server. It only contains the parameters (a safe large prime number) that are used during a DH key exchange. Instead, we now use a system-wide dh file that is generated when the /var/etc/openvpn directory is set up. This shaves 10 to 30 seconds off of the server config creation process. Also correct a bug in the hack I added to work around carp-related issues that prevented filter re-configuration from working properly.
Diffstat (limited to 'etc/inc/openvpn.inc')
-rw-r--r--etc/inc/openvpn.inc13
1 files changed, 11 insertions, 2 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index efea035..1225f40 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -342,8 +342,11 @@ EOD;
openvpn_add_keyfile($cert['crt'], $conf, $mode_id, "cert");
openvpn_add_keyfile($cert['prv'], $conf, $mode_id, "key");
- if ($mode == 'server')
- openvpn_add_keyfile($settings['dh_params'], $conf, $mode_id, "dh");
+ if ($mode == 'server') {
+ $path_ovdh = $g['varetc_path']."/openvpn/dh-parameters";
+ $conf .= "dh {$path_ovdh}\n";
+ }
+
if ($settings['crl'])
openvpn_add_keyfile($settings['crl'], $conf, $mode_id, "crl-verify");
if ($settings['tls'])
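Review bot: The server config now gets `dh {$path_ovdh}` written unconditionally, with nothing on these lines confirming that the shared file exists and is readable. If the generation added to openvpn_resync_all in the second hunk failed or has not run yet, the server will presumably fail at startup on a missing or empty file; an `is_readable($path_ovdh)` check that reports the problem before the line is emitted would make that visible. The path literal `$g['varetc_path']."/openvpn/dh-parameters"` is also duplicated in both hunks, so a small helper or constant would keep the two in sync. The enclosing function starts outside the hunk, so whether `$g` is declared `global` there cannot be confirmed from here.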
@@ -465,6 +468,12 @@ function openvpn_resync_all() {
chown($path_ovpn, 'nobody');
chgrp($path_ovpn, 'nobody');
+ $path_ovdh = $g['varetc_path']."/openvpn/dh-parameters";
+ if (!file_exists($path_ovdh)) {
+ echo "Setting up OpenVPN environment ...\n";
+ exec("/usr/bin/openssl dhparam -out {$path_ovdh} 1024");
+ }
+
$path_csc = $g['varetc_path']."/openvpn_csc";
safe_mkdir($path_csc);
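Review bot: The `exec()` call that generates the shared DH file ignores openssl's exit status and writes straight to the final path, so a failed or interrupted run can leave an empty or truncated `dh-parameters` that the `file_exists()` guard accepts on every later resync. Generating into a temporary file, checking the return code and renaming into place avoids that, and wrapping the path in `escapeshellarg()` costs nothing. Because every server instance now shares this one group, 1024 bits is a weak choice; a larger size such as 2048 is safer, at the cost of a longer one-time generation. openvpn_resync_all's body continues outside the hunk.

```php
	$path_ovdh = $g['varetc_path']."/openvpn/dh-parameters";
	if (!file_exists($path_ovdh) || filesize($path_ovdh) == 0) {
		echo "Setting up OpenVPN environment ...\n";
		// Write to a temporary file so a failed run never leaves a partial dh file behind.
		$path_tmp = $path_ovdh.".tmp";
		exec("/usr/bin/openssl dhparam -out ".escapeshellarg($path_tmp)." 2048", $output, $status);
		if ($status == 0 && filesize($path_tmp) > 0) {
			rename($path_tmp, $path_ovdh);
		} else {
			@unlink($path_tmp);
			echo "OpenVPN dh parameter generation failed\n";
		}
	}
	// … unchanged: openvpn_csc directory setup …
```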