summaryrefslogtreecommitdiff
path: root/interface-definitions/interfaces_openvpn.xml.in
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-01-01 11:00:27 +0100
committerGitHub <noreply@github.com>2024-01-01 11:00:27 +0100
commit13fddcfef2f9c13dd6e789fa9e8050011241e2b5 (patch)
treeaeccfda0a305cf6aca41630900e75bd32961a911 /interface-definitions/interfaces_openvpn.xml.in
parent2078253176046ea4d07e69caeb7932ea439b5614 (diff)
parentc9eaafd9f808aba8d29be73054e11d37577e539a (diff)
downloadvyos-1x-13fddcfef2f9c13dd6e789fa9e8050011241e2b5.tar.gz
vyos-1x-13fddcfef2f9c13dd6e789fa9e8050011241e2b5.zip
Merge pull request #2730 from vyos/mergify/bp/sagitta/pr-2729
T5474: establish common file name pattern for XML conf mode commands (backport #2729)
Diffstat (limited to 'interface-definitions/interfaces_openvpn.xml.in')
-rw-r--r--interface-definitions/interfaces_openvpn.xml.in825
1 files changed, 825 insertions, 0 deletions
diff --git a/interface-definitions/interfaces_openvpn.xml.in b/interface-definitions/interfaces_openvpn.xml.in
new file mode 100644
index 000000000..dadf5cb48
--- /dev/null
+++ b/interface-definitions/interfaces_openvpn.xml.in
@@ -0,0 +1,825 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="interfaces">
+ <children>
+ <tagNode name="openvpn" owner="${vyos_conf_scripts_dir}/interfaces_openvpn.py">
+ <properties>
+ <help>OpenVPN Tunnel Interface</help>
+ <priority>460</priority>
+ <constraint>
+ <regex>vtun[0-9]+</regex>
+ </constraint>
+ <constraintErrorMessage>OpenVPN tunnel interface must be named vtunN</constraintErrorMessage>
+ <valueHelp>
+ <format>vtunN</format>
+ <description>OpenVPN interface name</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/interface/authentication.xml.i>
+ #include <include/generic-description.xml.i>
+ <leafNode name="device-type">
+ <properties>
+ <help>OpenVPN interface device-type</help>
+ <completionHelp>
+ <list>tun tap</list>
+ </completionHelp>
+ <valueHelp>
+ <format>tun</format>
+ <description>TUN device, required for OSI layer 3</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tap</format>
+ <description>TAP device, required for OSI layer 2</description>
+ </valueHelp>
+ <constraint>
+ <regex>(tun|tap)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>tun</defaultValue>
+ </leafNode>
+ #include <include/interface/disable.xml.i>
+ <node name="encryption">
+ <properties>
+ <help>Data Encryption settings</help>
+ </properties>
+ <children>
+ <leafNode name="cipher">
+ <properties>
+ <help>Standard Data Encryption Algorithm</help>
+ <completionHelp>
+ <list>none des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
+ </completionHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Disable encryption</description>
+ </valueHelp>
+ <valueHelp>
+ <format>des</format>
+ <description>DES algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>3des</format>
+ <description>DES algorithm with triple encryption</description>
+ </valueHelp>
+ <valueHelp>
+ <format>bf128</format>
+ <description>Blowfish algorithm with 128-bit key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>bf256</format>
+ <description>Blowfish algorithm with 256-bit key</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128</format>
+ <description>AES algorithm with 128-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm</format>
+ <description>AES algorithm with 128-bit key GCM</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192</format>
+ <description>AES algorithm with 192-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm</format>
+ <description>AES algorithm with 192-bit key GCM</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256</format>
+ <description>AES algorithm with 256-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm</format>
+ <description>AES algorithm with 256-bit key GCM</description>
+ </valueHelp>
+ <constraint>
+ <regex>(none|des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="ncp-ciphers">
+ <properties>
+ <help>Cipher negotiation list for use in server or client mode</help>
+ <completionHelp>
+ <list>none des 3des aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm</list>
+ </completionHelp>
+ <valueHelp>
+ <format>none</format>
+ <description>Disable encryption</description>
+ </valueHelp>
+ <valueHelp>
+ <format>des</format>
+ <description>DES algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>3des</format>
+ <description>DES algorithm with triple encryption</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128</format>
+ <description>AES algorithm with 128-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes128gcm</format>
+ <description>AES algorithm with 128-bit key GCM</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192</format>
+ <description>AES algorithm with 192-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes192gcm</format>
+ <description>AES algorithm with 192-bit key GCM</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256</format>
+ <description>AES algorithm with 256-bit key CBC</description>
+ </valueHelp>
+ <valueHelp>
+ <format>aes256gcm</format>
+ <description>AES algorithm with 256-bit key GCM</description>
+ </valueHelp>
+ <constraint>
+ <regex>(none|des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm)</regex>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ #include <include/interface/ipv4-options.xml.i>
+ #include <include/interface/ipv6-options.xml.i>
+ #include <include/interface/mirror.xml.i>
+ <leafNode name="hash">
+ <properties>
+ <help>Hashing Algorithm</help>
+ <completionHelp>
+ <list>md5 sha1 sha256 sha384 sha512</list>
+ </completionHelp>
+ <valueHelp>
+ <format>md5</format>
+ <description>MD5 algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha1</format>
+ <description>SHA-1 algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha256</format>
+ <description>SHA-256 algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha384</format>
+ <description>SHA-384 algorithm</description>
+ </valueHelp>
+ <valueHelp>
+ <format>sha512</format>
+ <description>SHA-512 algorithm</description>
+ </valueHelp>
+ <constraint>
+ <regex>(md5|sha1|sha256|sha384|sha512)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="keep-alive">
+ <properties>
+ <help>Keepalive helper options</help>
+ </properties>
+ <children>
+ <leafNode name="failure-count">
+ <properties>
+ <help>Maximum number of keepalive packet failures</help>
+ <valueHelp>
+ <format>u32:0-1000</format>
+ <description>Maximum number of keepalive packet failures</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-1000"/>
+ </constraint>
+ </properties>
+ <defaultValue>60</defaultValue>
+ </leafNode>
+ <leafNode name="interval">
+ <properties>
+ <help>Keepalive packet interval in seconds</help>
+ <valueHelp>
+ <format>u32:0-600</format>
+ <description>Keepalive packet interval (seconds)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-600"/>
+ </constraint>
+ </properties>
+ <defaultValue>10</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ <tagNode name="local-address">
+ <properties>
+ <help>Local IP address of tunnel (IPv4 or IPv6)</help>
+ <constraint>
+ <validator name="ip-address"/>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="subnet-mask">
+ <properties>
+ <help>Subnet-mask for local IP address of tunnel (IPv4 only)</help>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="local-host">
+ <properties>
+ <help>Local IP address to accept connections (all if not set)</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Local IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Local IPv6 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-address"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="local-port">
+ <properties>
+ <help>Local port number to accept connections</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Numeric IP port</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="mode">
+ <properties>
+ <help>OpenVPN mode of operation</help>
+ <completionHelp>
+ <list>site-to-site client server</list>
+ </completionHelp>
+ <valueHelp>
+ <format>site-to-site</format>
+ <description>Site-to-site mode</description>
+ </valueHelp>
+ <valueHelp>
+ <format>client</format>
+ <description>Client in client-server mode</description>
+ </valueHelp>
+ <valueHelp>
+ <format>server</format>
+ <description>Server in client-server mode</description>
+ </valueHelp>
+ <constraint>
+ <regex>(site-to-site|client|server)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="offload">
+ <properties>
+ <help>Configurable offload options</help>
+ </properties>
+ <children>
+ <leafNode name="dco">
+ <properties>
+ <help>Enable data channel offload on this interface</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="openvpn-option">
+ <properties>
+ <help>Additional OpenVPN options. You must use the syntax of openvpn.conf in this text-field. Using this without proper knowledge may result in a crashed OpenVPN server. Check system log to look for errors.</help>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="persistent-tunnel">
+ <properties>
+ <help>Do not close and reopen interface (TUN/TAP device) on client restarts</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="protocol">
+ <properties>
+ <help>OpenVPN communication protocol</help>
+ <completionHelp>
+ <list>udp tcp-passive tcp-active</list>
+ </completionHelp>
+ <valueHelp>
+ <format>udp</format>
+ <description>UDP</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp-passive</format>
+ <description>TCP and accepts connections passively</description>
+ </valueHelp>
+ <valueHelp>
+ <format>tcp-active</format>
+ <description>TCP and initiates connections actively</description>
+ </valueHelp>
+ <constraint>
+ <regex>(udp|tcp-passive|tcp-active)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>udp</defaultValue>
+ </leafNode>
+ <leafNode name="remote-address">
+ <properties>
+ <help>IP address of remote end of tunnel</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Remote end IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Remote end IPv6 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-address"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="remote-host">
+ <properties>
+ <help>Remote host to connect to (dynamic if not set)</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address of remote host</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>IPv6 address of remote host</description>
+ </valueHelp>
+ <valueHelp>
+ <format>txt</format>
+ <description>Hostname of remote host</description>
+ </valueHelp>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="remote-port">
+ <properties>
+ <help>Remote port number to connect to</help>
+ <valueHelp>
+ <format>u32:1-65535</format>
+ <description>Numeric IP port</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <node name="replace-default-route">
+ <properties>
+ <help>OpenVPN tunnel to be used as the default route</help>
+ </properties>
+ <children>
+ <leafNode name="local">
+ <properties>
+ <help>Tunnel endpoints are on the same subnet</help>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="server">
+ <properties>
+ <help>Server-mode options</help>
+ </properties>
+ <children>
+ <tagNode name="client">
+ <properties>
+ <help>Client-specific settings</help>
+ <valueHelp>
+ <format>name</format>
+ <description>Client common-name in the certificate</description>
+ </valueHelp>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <leafNode name="ip">
+ <properties>
+ <help>IP address of the client</help>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>Client IPv4 address</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6</format>
+ <description>Client IPv6 address</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-address"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="push-route">
+ <properties>
+ <help>Route to be pushed to the client</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 network and prefix length</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 network and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="subnet">
+ <properties>
+ <help>Subnet belonging to the client (iroute)</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 network and prefix length belonging to the client</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 network and prefix length belonging to the client</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ </children>
+ </tagNode>
+ <node name="client-ip-pool">
+ <properties>
+ <help>Pool of client IPv4 addresses</help>
+ </properties>
+ <children>
+ #include <include/generic-disable-node.xml.i>
+ <leafNode name="start">
+ <properties>
+ <help>First IP address in the pool</help>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="stop">
+ <properties>
+ <help>Last IP address in the pool</help>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 address</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="subnet-mask">
+ <properties>
+ <help>Subnet mask pushed to dynamic clients. If not set the server subnet mask will be used. Only used with topology subnet or device type tap. Not used with bridged interfaces.</help>
+ <constraint>
+ <validator name="ipv4-address"/>
+ </constraint>
+ <valueHelp>
+ <format>ipv4</format>
+ <description>IPv4 subnet mask</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="client-ipv6-pool">
+ <properties>
+ <help>Pool of client IPv6 addresses</help>
+ </properties>
+ <children>
+ <leafNode name="base">
+ <properties>
+ <help>Client IPv6 pool base address with optional prefix length</help>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>Client IPv6 pool base address with optional prefix length (defaults: base = server subnet + 0x1000, prefix length = server prefix length)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ipv6"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/generic-disable-node.xml.i>
+ </children>
+ </node>
+ <leafNode name="domain-name">
+ <properties>
+ <help>DNS suffix to be pushed to all clients</help>
+ <valueHelp>
+ <format>txt</format>
+ <description>Domain Name Server suffix</description>
+ </valueHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="max-connections">
+ <properties>
+ <help>Number of maximum client connections</help>
+ <valueHelp>
+ <format>u32:1-4096</format>
+ <description>Number of concurrent clients</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-4096"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/name-server-ipv4-ipv6.xml.i>
+ <tagNode name="push-route">
+ <properties>
+ <help>Route to be pushed to all clients</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 network and prefix length</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 network and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ </properties>
+ <children>
+ <leafNode name="metric">
+ <properties>
+ <help>Set metric for this route</help>
+ <valueHelp>
+ <format>u32:0-4294967295</format>
+ <description>Metric for this route</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 0-4294967295"/>
+ </constraint>
+ </properties>
+ <defaultValue>0</defaultValue>
+ </leafNode>
+ </children>
+ </tagNode>
+ <leafNode name="reject-unconfigured-clients">
+ <properties>
+ <help>Reject connections from clients that are not explicitly configured</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ <leafNode name="subnet">
+ <properties>
+ <help>Server-mode subnet (from which client IPs are allocated)</help>
+ <valueHelp>
+ <format>ipv4net</format>
+ <description>IPv4 network and prefix length</description>
+ </valueHelp>
+ <valueHelp>
+ <format>ipv6net</format>
+ <description>IPv6 network and prefix length</description>
+ </valueHelp>
+ <constraint>
+ <validator name="ip-prefix"/>
+ </constraint>
+ <multi/>
+ </properties>
+ </leafNode>
+ <leafNode name="topology">
+ <properties>
+ <help>Topology for clients</help>
+ <completionHelp>
+ <list>net30 point-to-point subnet</list>
+ </completionHelp>
+ <valueHelp>
+ <format>net30</format>
+ <description>net30 topology</description>
+ </valueHelp>
+ <valueHelp>
+ <format>point-to-point</format>
+ <description>Point-to-point topology</description>
+ </valueHelp>
+ <valueHelp>
+ <format>subnet</format>
+ <description>Subnet topology</description>
+ </valueHelp>
+ <constraint>
+ <regex>(subnet|point-to-point|net30)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>net30</defaultValue>
+ </leafNode>
+ <node name="mfa">
+ <properties>
+ <help>multi-factor authentication</help>
+ </properties>
+ <children>
+ <node name="totp">
+ <properties>
+ <help>Time-based one-time passwords</help>
+ </properties>
+ <children>
+ <leafNode name="slop">
+ <properties>
+ <help>Maximum allowed clock slop in seconds</help>
+ <valueHelp>
+ <format>1-65535</format>
+ <description>Seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <defaultValue>180</defaultValue>
+ </leafNode>
+ <leafNode name="drift">
+ <properties>
+ <help>Time drift in seconds</help>
+ <valueHelp>
+ <format>1-65535</format>
+ <description>Seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <defaultValue>0</defaultValue>
+ </leafNode>
+ <leafNode name="step">
+ <properties>
+ <help>Step value for totp in seconds</help>
+ <valueHelp>
+ <format>1-65535</format>
+ <description>Seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <defaultValue>30</defaultValue>
+ </leafNode>
+ <leafNode name="digits">
+ <properties>
+ <help>Number of digits to use for totp hash</help>
+ <valueHelp>
+ <format>1-65535</format>
+ <description>Seconds</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-65535"/>
+ </constraint>
+ </properties>
+ <defaultValue>6</defaultValue>
+ </leafNode>
+ <leafNode name="challenge">
+ <properties>
+ <help>Expect password as result of a challenge response protocol</help>
+ <completionHelp>
+ <list>disable enable</list>
+ </completionHelp>
+ <valueHelp>
+ <format>disable</format>
+ <description>Disable challenge-response</description>
+ </valueHelp>
+ <valueHelp>
+ <format>enable</format>
+ <description>Enable chalenge-response</description>
+ </valueHelp>
+ <constraint>
+ <regex>(disable|enable)</regex>
+ </constraint>
+ </properties>
+ <defaultValue>enable</defaultValue>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+ <leafNode name="shared-secret-key">
+ <properties>
+ <help>Secret key shared with remote end of tunnel</help>
+ <completionHelp>
+ <path>pki openvpn shared-secret</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <node name="tls">
+ <properties>
+ <help>Transport Layer Security (TLS) options</help>
+ </properties>
+ <children>
+ <leafNode name="auth-key">
+ <properties>
+ <help>TLS shared secret key for tls-auth</help>
+ <completionHelp>
+ <path>pki openvpn shared-secret</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ #include <include/pki/certificate.xml.i>
+ #include <include/pki/ca-certificate-multi.xml.i>
+ <leafNode name="dh-params">
+ <properties>
+ <help>Diffie Hellman parameters (server only)</help>
+ <completionHelp>
+ <path>pki dh</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="crypt-key">
+ <properties>
+ <help>Static key to use to authenticate control channel</help>
+ <completionHelp>
+ <path>pki openvpn shared-secret</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="peer-fingerprint">
+ <properties>
+ <multi/>
+ <help>Peer certificate SHA256 fingerprint</help>
+ <constraint>
+ <regex>[0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2}</regex>
+ </constraint>
+ <constraintErrorMessage>Peer certificate fingerprint must be a colon-separated SHA256 hex digest</constraintErrorMessage>
+ </properties>
+ </leafNode>
+ <leafNode name="tls-version-min">
+ <properties>
+ <help>Specify the minimum required TLS version</help>
+ <completionHelp>
+ <list>1.0 1.1 1.2 1.3</list>
+ </completionHelp>
+ <valueHelp>
+ <format>1.0</format>
+ <description>TLS v1.0</description>
+ </valueHelp>
+ <valueHelp>
+ <format>1.1</format>
+ <description>TLS v1.1</description>
+ </valueHelp>
+ <valueHelp>
+ <format>1.2</format>
+ <description>TLS v1.2</description>
+ </valueHelp>
+ <valueHelp>
+ <format>1.3</format>
+ <description>TLS v1.3</description>
+ </valueHelp>
+ <constraint>
+ <regex>(1.0|1.1|1.2|1.3)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="role">
+ <properties>
+ <help>TLS negotiation role</help>
+ <completionHelp>
+ <list>active passive</list>
+ </completionHelp>
+ <valueHelp>
+ <format>active</format>
+ <description>Initiate TLS negotiation actively</description>
+ </valueHelp>
+ <valueHelp>
+ <format>passive</format>
+ <description>Wait for incoming TLS connection</description>
+ </valueHelp>
+ <constraint>
+ <regex>(active|passive)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <leafNode name="use-lzo-compression">
+ <properties>
+ <help>Use fast LZO compression on this TUN/TAP interface</help>
+ <valueless/>
+ </properties>
+ </leafNode>
+ #include <include/interface/redirect.xml.i>
+ #include <include/interface/vrf.xml.i>
+ </children>
+ </tagNode>
+ </children>
+ </node>
+</interfaceDefinition>