setHelp and gettext format vpn*

5 files changed, 102 insertions, 93 deletions

diff --git a/src/usr/local/www/vpn_ipsec_settings.php b/src/usr/local/www/vpn_ipsec_settings.php
index 05a3f3a..2aa2e7e 100644
--- a/src/usr/local/www/vpn_ipsec_settings.php
+++ b/src/usr/local/www/vpn_ipsec_settings.php
@@ -250,10 +250,11 @@ $section->addInput(new Form_Select(
 	'Whether a particular participant ID should be kept unique, with any new IKE_SA using an ID ' .
 	'deemed to replace all old ones using that ID. Participant IDs normally are unique, so a new ' .
 	'IKE_SA using the same ID is almost invariably intended to replace an old one. ' .
-	'The difference between <b>no</b> and <b>never</b> is that the old IKE_SAs will be replaced when receiving an ' .
-	'INITIAL_CONTACT notify if the option is no but will ignore these notifies if <b>never</b> is configured. ' .
-	'The daemon also accepts the value <b>keep</b> to reject ' .
-	'new IKE_SA setups and keep the duplicate established earlier. Defaults to Yes.'
+	'The difference between %1$sno%2$s and %1$snever%2$s is that the old IKE_SAs will be replaced when receiving an ' .
+	'INITIAL_CONTACT notify if the option is no but will ignore these notifies if %1$snever%2$s is configured. ' .
+	'The daemon also accepts the value %1$skeep%2$s to reject ' .
+	'new IKE_SA setups and keep the duplicate established earlier. Defaults to Yes.',
+	'<b>', '</b>'
 );
 
 $section->addInput(new Form_Checkbox(
diff --git a/src/usr/local/www/vpn_l2tp.php b/src/usr/local/www/vpn_l2tp.php
index cb4a0f2..67b1ba1 100644
--- a/src/usr/local/www/vpn_l2tp.php
+++ b/src/usr/local/www/vpn_l2tp.php
@@ -218,9 +218,9 @@ $section->addInput(new Form_Input(
 	'*Server address',
 	'text',
 	$pconfig['localip']
-))->setHelp('Enter the IP address the L2TP server should give to clients for use as their "gateway". ' . '<br />' .
-			'Typically this is set to an unused IP just outside of the client range.' . '<br /><br />' .
-			'NOTE: This should NOT be set to any IP address currently in use on this firewall.');
+))->setHelp('Enter the IP address the L2TP server should give to clients for use as their "gateway". %1$s' .
+			'Typically this is set to an unused IP just outside of the client range.%1$s%1$s' .
+			'NOTE: This should NOT be set to any IP address currently in use on this firewall.', '<br />');
 
 $section->addInput(new Form_IpAddress(
 	'remoteip',
diff --git a/src/usr/local/www/vpn_openvpn_client.php b/src/usr/local/www/vpn_openvpn_client.php
index d51dc46..97389d3 100644
--- a/src/usr/local/www/vpn_openvpn_client.php
+++ b/src/usr/local/www/vpn_openvpn_client.php
@@ -509,8 +509,8 @@ if ($act=="new" || $act=="edit"):
 		'*Device mode',
 		empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'],
 		$openvpn_dev_mode
-		))->setHelp("\"tun\" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms." .
-		    "<br/>\"tap\" mode is capable of carrying 802.3 (OSI Layer 2.)");
+		))->setHelp('"tun" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms.%1$s' .
+		    '"tap" mode is capable of carrying 802.3 (OSI Layer 2.)', '<br/>');
 
 	$section->addInput(new Form_Select(
 		'interface',
@@ -554,8 +554,8 @@ if ($act=="new" || $act=="edit"):
 		'Proxy host or address',
 		'text',
 		$pconfig['proxy_addr']
-	))->setHelp("The address for an HTTP Proxy this client can use to connect to a remote server." .
-	    "<br/>TCP must be used for the client and server protocol.");
+	))->setHelp('The address for an HTTP Proxy this client can use to connect to a remote server.%1$s' .
+	    'TCP must be used for the client and server protocol.', '<br/>');
 
 	$section->addInput(new Form_Input(
 		'proxy_port',
@@ -636,18 +636,16 @@ if ($act=="new" || $act=="edit"):
 		'tls',
 		'*TLS Key',
 		$pconfig['tls']
-	))->setHelp("Paste the TLS key here." .
-	    "<br/>" .
-	    "This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. ");
+	))->setHelp('Paste the TLS key here.%1$s' .
+	    'This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. ', '<br/>');
 
 	$section->addInput(new Form_Select(
 		'tls_type',
 		'*TLS Key Usage Mode',
 		empty($pconfig['tls_type']) ? 'auth':$pconfig['tls_type'],
 		$openvpn_tls_modes
-		))->setHelp("In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. " .
-		    "<br/>" .
-		    "Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.");
+		))->setHelp('In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. %1$s' .
+		    'Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.', '<br/>');
 
 	if (count($a_ca)) {
 		$list = array();
@@ -716,10 +714,13 @@ if ($act=="new" || $act=="edit"):
 		'Enable NCP',
 		'Enable Negotiable Cryptographic Parameters',
 		($pconfig['ncp_enable'] == "enabled")
-	))->setHelp(		'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' .
+	))->setHelp('Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' .
 				'Encryption Algorithms from those selected in the NCP Algorithms list below.' .
-				'<div class="infoblock">' . sprint_info_box('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.' . '<br />' .
-				'When disabled, only the selected Encryption Algorithm is allowed.', 'info', false) . '</div>');
+				'%1$s%2$s%3$s',
+				'<div class="infoblock">',
+				sprint_info_box(gettext('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.') . '<br />' .
+					gettext('When disabled, only the selected Encryption Algorithm is allowedz.'), 'info', false),
+				'</div>');
 
 	foreach (explode(",", $pconfig['ncp-ciphers']) as $cipher) {
 		$ncp_ciphers_list[$cipher] = $cipher;
@@ -733,7 +734,7 @@ if ($act=="new" || $act=="edit"):
 		openvpn_get_cipherlist(),
 		true
 	))->setAttribute('size', '10')
-	  ->setHelp('Available NCP Encryption Algorithms<br />Click to add or remove an algorithm from the list');
+	  ->setHelp('Available NCP Encryption Algorithms%1$sClick to add or remove an algorithm from the list', '<br />');
 
 	$group->add(new Form_Select(
 		'ncp-ciphers',
@@ -746,9 +747,10 @@ if ($act=="new" || $act=="edit"):
 	  ->setHelp('Allowed NCP Encryption Algorithms. Click an algorithm name to remove it from the list');
 
 	$group->setHelp('The order of the selected NCP Encryption Algorithms is respected by OpenVPN.' .
-					'<div class="infoblock">' . sprint_info_box(
-					'For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' .
-					'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.', 'info', false) .
+					'%1$s%2$s%3$s',
+					'<div class="infoblock">',
+					sprint_info_box(gettext('For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' .
+						'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.'), 'info', false),
 					'</div>');
 
 	$section->add($group);
@@ -758,11 +760,9 @@ if ($act=="new" || $act=="edit"):
 		'*Auth digest algorithm',
 		$pconfig['digest'],
 		openvpn_get_digestlist()
-		))->setHelp('The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.' .
-		    '<br />' .
-		    'When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.' .
-		    '<br />' .
-		    'Leave this set to SHA1 unless the server uses a different value. SHA1 is the default for OpenVPN. ');
+		))->setHelp('The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.%1$s' .
+		    'When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.%1$s' .
+		    'Leave this set to SHA1 unless the server uses a different value. SHA1 is the default for OpenVPN. ', '<br />');
 
 	$section->addInput(new Form_Select(
 		'engine',
@@ -824,7 +824,7 @@ if ($act=="new" || $act=="edit"):
 		'Compression',
 		$pconfig['compression'],
 		$openvpn_compression_modes
-		))->setHelp('Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.');
+	))->setHelp('Compress tunnel packets using the LZO algorithm. Adaptive compression will dynamically disable compression for a period of time if OpenVPN detects that the data in the packets is not being compressed efficiently.');
 
 	$section->addInput(new Form_Select(
 		'topology',
@@ -870,11 +870,11 @@ if ($act=="new" || $act=="edit"):
 		'Verbosity level',
 		$pconfig['verbosity_level'],
 		$openvpn_verbosity_level
-		))->setHelp('Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what\'s happening without being swamped by output.' . '<br /><br />' .
-					'None: Only fatal errors' . '<br />' .
-					'Default through 4: Normal usage range' . '<br />' .
-					'5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.' .'<br />' .
-					'6-11: Debug info range');
+		))->setHelp('Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what\'s happening without being swamped by output.%1$s%1$s' .
+					'None: Only fatal errors%1$s' .
+					'Default through 4: Normal usage range%1$s' .
+					'5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.%1$s' .
+					'6-11: Debug info range', '<br />');
 
 	$section->addInput(new Form_Input(
 		'act',
diff --git a/src/usr/local/www/vpn_openvpn_csc.php b/src/usr/local/www/vpn_openvpn_csc.php
index 01a399b..3223beb 100644
--- a/src/usr/local/www/vpn_openvpn_csc.php
+++ b/src/usr/local/www/vpn_openvpn_csc.php
@@ -367,36 +367,37 @@ if ($act == "new" || $act == "edit"):
 		'IPv4 Tunnel Network',
 		'text',
 		$pconfig['tunnel_network']
-	))->setHelp('The virtual IPv4 network used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.5/24). ' .
-		    '<br />' .
-		    'With subnet topology, enter the client IP address and the subnet mask must match the IPv4 Tunnel Network on the server. ' .
-		    '<br />' .
-		    'With net30 topology, the first network address of the /30 is assumed to be the server address and the second network address will be assigned to the client.');
+	))->setHelp('The virtual IPv4 network used for private communications between this client and the server expressed using CIDR (e.g. 10.0.8.5/24). %1$s' .
+		    'With subnet topology, enter the client IP address and the subnet mask must match the IPv4 Tunnel Network on the server. %1$s' .
+		    'With net30 topology, the first network address of the /30 is assumed to be the server address and the second network address will be assigned to the client.',
+			'<br />');
 
 	$section->addInput(new Form_Input(
 		'tunnel_networkv6',
 		'IPv6 Tunnel Network',
 		'text',
 		$pconfig['tunnel_networkv6']
-	))->setHelp('The virtual IPv6 network used for private communications between this client and the server expressed using prefix (e.g. 2001:db9:1:1::100/64). ' .
-		    '<br />' .
-		    'Enter the client IPv6 address and prefix. The prefix must match the IPv6 Tunnel Network prefix on the server. ');
+	))->setHelp('The virtual IPv6 network used for private communications between this client and the server expressed using prefix (e.g. 2001:db9:1:1::100/64). %1$s' .
+		    'Enter the client IPv6 address and prefix. The prefix must match the IPv6 Tunnel Network prefix on the server. ',
+			'<br />');
 
 	$section->addInput(new Form_Input(
 		'local_network',
 		'IPv4 Local Network/s',
 		'text',
 		$pconfig['local_network']
-	))->setHelp('These are the IPv4 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more CIDR networks. ' . '<br />' .
-		    'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.');
+	))->setHelp('These are the IPv4 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more CIDR networks. %1$s' .
+		    'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.',
+			'<br />');
 
 	$section->addInput(new Form_Input(
 		'local_networkv6',
 		'IPv6 Local Network/s',
 		'text',
 		$pconfig['local_networkv6']
-	))->setHelp('These are the IPv6 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more IP/PREFIX networks.' . '<br />' .
-		    'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.');
+	))->setHelp('These are the IPv6 server-side networks that will be accessible from this particular client. Expressed as a comma-separated list of one or more IP/PREFIX networks.%1$s' .
+		    'NOTE: Networks do not need to be specified here if they have already been defined on the main server configuration.',
+			'<br />');
 
 	$section->addInput(new Form_Input(
 		'remote_network',
@@ -404,8 +405,9 @@ if ($act == "new" || $act == "edit"):
 		'text',
 		$pconfig['remote_network']
 	))->setHelp('These are the IPv4 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' .
-		    'Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.' . '<br />' .
-		    'NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.');
+		    'Expressed as a comma-separated list of one or more CIDR ranges. May be left blank if there are no client-side networks to be routed.%1$s' .
+		    'NOTE: Remember to add these subnets to the IPv4 Remote Networks list on the corresponding OpenVPN server settings.',
+			'<br />');
 
 	$section->addInput(new Form_Input(
 		'remote_networkv6',
@@ -413,8 +415,9 @@ if ($act == "new" || $act == "edit"):
 		'text',
 		$pconfig['remote_networkv6']
 	))->setHelp('These are the IPv6 client-side networks that will be routed to this client specifically using iroute, so that a site-to-site VPN can be established. ' .
-		    'Expressed as a comma-separated list of one or more IP/PREFIX networks. May be left blank if there are no client-side networks to be routed.' . '<br />' .
-		    'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.');
+		    'Expressed as a comma-separated list of one or more IP/PREFIX networks. May be left blank if there are no client-side networks to be routed.%1$s' .
+		    'NOTE: Remember to add these subnets to the IPv6 Remote Networks list on the corresponding OpenVPN server settings.',
+			'<br />');
 
 	$section->addInput(new Form_Checkbox(
 		'gwredir',
@@ -578,8 +581,9 @@ if ($act == "new" || $act == "edit"):
 		'custom_options',
 		'Advanced',
 		$pconfig['custom_options']
-	))->setHelp('Enter any additional options to add for this client specific override, separated by a semicolon. ' . '<br />' .
-				'EXAMPLE: push "route 10.0.0.0 255.255.255.0"; ');
+	))->setHelp('Enter any additional options to add for this client specific override, separated by a semicolon. %1$s' .
+				'EXAMPLE: push "route 10.0.0.0 255.255.255.0"; ',
+				'<br />');
 
 	// The hidden fields
 	$section->addInput(new Form_Input(
diff --git a/src/usr/local/www/vpn_openvpn_server.php b/src/usr/local/www/vpn_openvpn_server.php
index f767d66..28a2e7f 100644
--- a/src/usr/local/www/vpn_openvpn_server.php
+++ b/src/usr/local/www/vpn_openvpn_server.php
@@ -721,8 +721,8 @@ if ($act=="new" || $act=="edit"):
 		'*Device mode',
 		empty($pconfig['dev_mode']) ? 'tun':$pconfig['dev_mode'],
 		$openvpn_dev_mode
-		))->setHelp("\"tun\" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms." .
-		    "<br/>\"tap\" mode is capable of carrying 802.3 (OSI Layer 2.)");
+		))->setHelp('"tun" mode carries IPv4 and IPv6 (OSI layer 3) and is the most common and compatible mode across all platforms.%1$s' .
+		    '"tap" mode is capable of carrying 802.3 (OSI Layer 2.)', '<br/>');
 
 	$section->addInput(new Form_Select(
 		'interface',
@@ -772,18 +772,18 @@ if ($act=="new" || $act=="edit"):
 		'tls',
 		'*TLS Key',
 		$pconfig['tls']
-	))->setHelp("Paste the TLS key here." .
-	    "<br/>" .
-	    "This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. ");
+	))->setHelp('Paste the TLS key here.%1$s' .
+	    'This key is used to sign control channel packets with an HMAC signature for authentication when establishing the tunnel. ',
+		'<br/>');
 
 	$section->addInput(new Form_Select(
 		'tls_type',
 		'*TLS Key Usage Mode',
 		empty($pconfig['tls_type']) ? 'auth':$pconfig['tls_type'],
 		$openvpn_tls_modes
-		))->setHelp("In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. " .
-		    "<br/>" .
-		    "Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.");
+		))->setHelp('In Authentication mode the TLS key is used only as HMAC authentication for the control channel, protecting the peers from unauthorized connections. %1$s' .
+		    'Encryption and Authentication mode also encrypts control channel communication, providing more privacy and traffic control channel obfuscation.',
+			'<br/>');
 
 	if (count($a_ca)) {
 
@@ -849,13 +849,15 @@ if ($act=="new" || $act=="edit"):
 		'*DH Parameter Length',
 		$pconfig['dh_length'],
 		$openvpn_dh_lengths
-		))->setHelp('Diffie-Hellman (DH) parameter set used for key exchange.' .
-		    '<div class="infoblock">' .
-		    sprint_info_box('Only DH parameter sets which exist in /etc/ are shown. ' .
+		))->setHelp('Diffie-Hellman (DH) parameter set used for key exchange.%1$s%2$s%3$s',
+		    '<div class="infoblock">',
+		    sprint_info_box(gettext('Only DH parameter sets which exist in /etc/ are shown.') .
 		        '<br/>' .
-		        'Generating new or stronger DH parameters is CPU-intensive and must be performed manually. ' .
-		        'Consult <a href="https://doc.pfsense.org/index.php/DH_Parameters">the doc wiki article on DH Parameters</a> ' .
-		        'for information on generating new or stronger paramater sets.', 'info', false) .
+		        gettext('Generating new or stronger DH parameters is CPU-intensive and must be performed manually.') . ' ' .
+		        sprintf(gettext('Consult %1$sthe doc wiki article on DH Parameters%2$sfor information on generating new or stronger paramater sets.'),
+					'<a href="https://doc.pfsense.org/index.php/DH_Parameters">',
+					'</a> '),
+				'info', false),
 		    '</div>');
 
 	$section->addInput(new Form_Select(
@@ -863,10 +865,10 @@ if ($act=="new" || $act=="edit"):
 		'ECDH Curve',
 		$pconfig['ecdh_curve'],
 		openvpn_get_curvelist()
-		))->setHelp('The Elliptic Curve to use for key exchange. ' .
-		    '<br/>' .
+		))->setHelp('The Elliptic Curve to use for key exchange. %1$s' .
 		    'The curve from the server certificate is used by default when the server uses an ECDSA certificate. ' .
-		    'Otherwise, secp384r1 is used as a fallback.');
+		    'Otherwise, secp384r1 is used as a fallback.',
+			'<br/>');
 
 	if (!$pconfig['shared_key']) {
 		$section->addInput(new Form_Checkbox(
@@ -895,10 +897,12 @@ if ($act=="new" || $act=="edit"):
 		'Enable NCP',
 		'Enable Negotiable Cryptographic Parameters',
 		($pconfig['ncp_enable'] == "enabled")
-	))->setHelp(		'Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' .
-				'Encryption Algorithms from those selected in the NCP Algorithms list below.' .
-				'<div class="infoblock">' . sprint_info_box('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.' . '<br />' .
-				'When disabled, only the selected Encryption Algorithm is allowed.', 'info', false) . '</div>');
+	))->setHelp('Check this option to allow OpenVPN clients and servers to negotiate a compatible set of acceptable cryptographic ' .
+				'Encryption Algorithms from those selected in the NCP Algorithms list below.%1$s%2$s%3$s',
+				'<div class="infoblock">',
+				sprint_info_box(gettext('When both peers support NCP and have it enabled, NCP overrides the Encryption Algorithm above.') . '<br />' .
+					gettext('When disabled, only the selected Encryption Algorithm is allowed.'), 'info', false),
+				'</div>');
 
 	$group = new Form_Group('NCP Algorithms');
 
@@ -909,7 +913,7 @@ if ($act=="new" || $act=="edit"):
 		openvpn_get_cipherlist(),
 		true
 	))->setAttribute('size', '10')
-	  ->setHelp('Available NCP Encryption Algorithms<br />Click to add or remove an algorithm from the list');
+	  ->setHelp('Available NCP Encryption Algorithms%1$sClick to add or remove an algorithm from the list', '<br />');
 
 	$group->add(new Form_Select(
 		'ncp-ciphers',
@@ -921,10 +925,11 @@ if ($act=="new" || $act=="edit"):
 	  ->setAttribute('size', '10')
 	  ->setHelp('Allowed NCP Encryption Algorithms. Click an algorithm name to remove it from the list');
 
-	$group->setHelp('The order of the selected NCP Encryption Algorithms is respected by OpenVPN.' .
-					'<div class="infoblock">' . sprint_info_box(
-					'For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' .
-					'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.', 'info', false) .
+	$group->setHelp('The order of the selected NCP Encryption Algorithms is respected by OpenVPN.%1$s%2$s%3$s',
+					'<div class="infoblock">',
+					sprint_info_box(
+						gettext('For backward compatibility, when an older peer connects that does not support NCP, OpenVPN will use the Encryption Algorithm ' .
+							'requested by the peer so long as it is selected in this list or chosen as the Encryption Algorithm.'), 'info', false),
 					'</div>');
 
 	$section->add($group);
@@ -934,11 +939,10 @@ if ($act=="new" || $act=="edit"):
 		'*Auth digest algorithm',
 		$pconfig['digest'],
 		openvpn_get_digestlist()
-		))->setHelp('The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.' .
-		    '<br />' .
-		    'When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.' .
-		    '<br />' .
-		    'Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ');
+		))->setHelp('The algorithm used to authenticate data channel packets, and control channel packets if a TLS Key is present.%1$s' .
+		    'When an AEAD Encryption Algorithm mode is used, such as AES-GCM, this digest is used for the control channel only, not the data channel.%1$s' .
+		    'Leave this set to SHA1 unless all clients are set to match. SHA1 is the default for OpenVPN. ',
+			'<br />');
 
 	$section->addInput(new Form_Select(
 		'engine',
@@ -1130,9 +1134,9 @@ if ($act=="new" || $act=="edit"):
 		'Topology',
 		$pconfig['topology'],
 		$openvpn_topologies
-	))->setHelp('Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.' . '<br />' .
+	))->setHelp('Specifies the method used to supply a virtual adapter IP address to clients when using TUN mode on IPv4.%1$s' .
 				'Some clients may require this be set to "subnet" even for IPv6, such as OpenVPN Connect (iOS/Android). ' .
-				'Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".');
+				'Older versions of OpenVPN (before 2.0.9) or clients such as Yealink phones may require "net30".', '<br />');
 
 	$form->add($section);
 
@@ -1291,19 +1295,19 @@ if ($act=="new" || $act=="edit"):
 		'custom_options',
 		'Custom options',
 		$pconfig['custom_options']
-	))->setHelp('Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.' . '<br />' .
-				'EXAMPLE: push "route 10.0.0.0 255.255.255.0"');
+	))->setHelp('Enter any additional options to add to the OpenVPN server configuration here, separated by semicolon.%1$s' .
+				'EXAMPLE: push "route 10.0.0.0 255.255.255.0"', '<br />');
 
 	$section->addInput(new Form_Select(
 		'verbosity_level',
 		'Verbosity level',
 		$pconfig['verbosity_level'],
 		$openvpn_verbosity_level
-		))->setHelp('Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what\'s happening without being swamped by output.' . '<br /><br />' .
-					'None: Only fatal errors' . '<br />' .
-					'Default through 4: Normal usage range' . '<br />' .
-					'5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.' .'<br />' .
-					'6-11: Debug info range');
+		))->setHelp('Each level shows all info from the previous levels. Level 3 is recommended for a good summary of what\'s happening without being swamped by output.%1$s%1$s' .
+					'None: Only fatal errors%1$s' .
+					'Default through 4: Normal usage range%1$s' .
+					'5: Output R and W characters to the console for each packet read and write. Uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets.%1$s' .
+					'6-11: Debug info range', '<br />');
 
 	$section->addInput(new Form_Input(
 		'act',