author | Christian Poessinger <christian@poessinger.com> | 2019-09-22 19:13:07 +0200 |
---|---|---|
committer | Christian Poessinger <christian@poessinger.com> | 2019-09-22 19:13:07 +0200 |
commit | 79a655a12875f5f152abba2d17eb6a1033b59131 (patch) | |
tree | 5a75960039a0dd81608b5a38351a8c8314cabccf /src/conf_mode/interface-openvpn.py | |
parent | c4d0b9ed4736911d341efdebf34997e6cee8c5a8 (diff) | |
parent | 2b9c84594a693c66b949183a25cc32dfcdee72e1 (diff) | |
Merge branch 'current' of github.com:vyos/vyos-1x into equuleus
* 'current' of github.com:vyos/vyos-1x: (49 commits)
Jenkins: ease Pipeline
vxlan: T1636: simplyfy code (don't delete intf addresses)
ethernet: T1637: interfaces in a bond can be disabled
ethernet: T1637: fix calling arp_cache_tmo property
ethernet: T1637: do not overwrite interface description with interface name
ethernet: T1637: support offloading functions
Python/ifconfig: T1557: ethernet: add offloading interfaces
Python/ifconfig: T1557: update comments
Python/ifconfig: T1557: delete all assigned IP addresses on remove()
ethernet: T1637: call remove() on interface deletion
Python/ifconfig: T1557: use proper inheritance levels on remove()
ethernet: T1637: remove debug pprint
bridge: T1556: minor comment cleanup
bonding: T1614: minor comment cleanup
Python/ifconfig: T1557: unify '/sys/class/net/{}' path
Python/ifconfig: T1557: vmxnet3/virtio_net do not support changing speed/duplex control
Python/ifconfig: T1557: vmxnet3/virtio_net do not support changing flow control
Python/ifconfig: T1557: query driver if it supports auto negotiation
Python/ifconfig: T1557: call ethtool with full path
Python/ifconfig: T1557: return stdout string for _cmd()
...
Diffstat (limited to 'src/conf_mode/interface-openvpn.py')
-rwxr-xr-x | src/conf_mode/interface-openvpn.py | 36 |
1 files changed, 31 insertions, 5 deletions
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 34c094862..35e7928c2 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -167,10 +167,18 @@ key {{ tls_key }}
 crl-verify {{ tls_crl }}
 {% endif %}
 
+{%- if tls_version_min %}
+tls-version-min {{tls_version_min}}
+{% endif %}
+
 {%- if tls_dh %}
 dh {{ tls_dh }}
 {% endif %}
 
+{%- if tls_auth %}
+tls-auth {{tls_auth}}
+{% endif %}
+
 {%- if 'active' in tls_role %}
 tls-client
 {%- elif 'passive' in tls_role %}
@@ -277,12 +285,14 @@ default_config_data = {
     'server_topology': '',
     'shared_secret_file': '',
     'tls': False,
+    'tls_auth': '',
     'tls_ca_cert': '',
     'tls_cert': '',
     'tls_crl': '',
     'tls_dh': '',
     'tls_key': '',
     'tls_role': '',
+    'tls_version_min': '',
     'type': 'tun',
     'uid': user,
     'gid': group,
@@ -532,6 +542,11 @@ def get_config():
     if conf.exists('server reject-unconfigured-clients'):
         openvpn['server_reject_unconfigured'] = True
 
+    # File containing TLS auth static key
+    if conf.exists('tls auth-file'):
+        openvpn['tls_auth'] = conf.return_value('tls auth-file')
+        openvpn['tls'] = True
+
     # File containing certificate for Certificate Authority (CA)
     if conf.exists('tls ca-cert-file'):
         openvpn['tls_ca_cert'] = conf.return_value('tls ca-cert-file')
@@ -562,6 +577,10 @@ def get_config():
         openvpn['tls_role'] = conf.return_value('tls role')
         openvpn['tls'] = True
 
+    # Minimum required TLS version
+    if conf.exists('tls tls-version-min'):
+        openvpn['tls_version_min'] = conf.return_value('tls tls-version-min')
+
     if conf.exists('shared-secret-key-file'):
         openvpn['shared_secret_file'] = conf.return_value('shared-secret-key-file')
 
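Review bot: The new `tls-auth {{tls_auth}}` line in the @@ -167 hunk passes no key-direction argument, so OpenVPN uses the whole static key bidirectionally on both peers and the `tls role` that hunk @@ -730 now permits next to it has no effect on tls-auth at all. Bidirectional mode is valid, but a peer configured elsewhere with `key-direction 0`/`1` will then fail the HMAC check and the packets are dropped silently on the wire, so the choice deserves a template comment such as `{# no direction argument: bidirectional tls-auth, both peers must omit key-direction #}`. If the role is meant to select the direction, the line would have to become `tls-auth {{tls_auth}} {{ '1' if 'active' in tls_role else '0' }}` — presumably the intent, but nothing in the hunk shows it. The template block this hunk belongs to starts and ends outside the hunk.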
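Review bot: In the @@ -562 hunk `tls tls-version-min` is the only `tls` node read in this function that does not also set `openvpn['tls'] = True`, and its value goes to the template unchecked, so a typo like `1,2` only surfaces as an OpenVPN start-up error. Unless the interface definition already constrains the value, add a guard in verify(): `if openvpn['tls_version_min'] and openvpn['tls_version_min'] not in ['1.0', '1.1', '1.2', '1.3']: raise ConfigError('Invalid "tls tls-version-min" value')`, noting that `1.3` presumably needs an OpenVPN/OpenSSL new enough to support it. The empty default in hunk @@ -277 means the directive is simply not emitted and OpenVPN's own floor applies, which has historically been TLS 1.0; a comment `# '' = not emitted, OpenVPN's built-in minimum (1.0 on 2.4) applies` makes that visible to the next reader. get_config() starts before this hunk and continues after it.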
@@ -714,11 +733,17 @@ def verify(openvpn):
         if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_ca_cert']):
             raise ConfigError('Specified ca-cert-file "{}" is invalid'.format(openvpn['tls_ca_cert']))
 
-        if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
-            raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
+        if openvpn['tls_auth']:
+            if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['tls_auth']):
+                raise ConfigError('Specified auth-file "{}" is invalid'.format(openvpn['tls_auth']))
+
+        if openvpn['tls_cert']:
+            if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
+                raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
 
-        if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
-            raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
+        if openvpn['tls_key']:
+            if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
+                raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
 
         if openvpn['tls_crl']:
             if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']):
@@ -730,7 +755,8 @@ def verify(openvpn):
 
         if openvpn['tls_role']:
             if openvpn['mode'] in ['client', 'server']:
-                raise ConfigError('Cannot specify "tls role" in client-server mode')
+                if not openvpn['tls_auth']:
+                    raise ConfigError('Cannot specify "tls role" in client-server mode')
 
             if openvpn['tls_role'] == 'active':
                 if openvpn['protocol'] == 'tcp-passive':
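Review bot: Wrapping the cert-file and key-file header checks in `if openvpn['tls_cert']:` / `if openvpn['tls_key']:` means a TLS server configured with only `ca-cert-file` and `auth-file` now passes verify() and fails only when OpenVPN refuses to start without `--cert`/`--key`; before this hunk the unconditional checks were what caught the omission. A client may legitimately run without a certificate, but a server cannot, so unless a mode-specific presence check already exists elsewhere in verify(), add one beside these: `if openvpn['mode'] == 'server' and not (openvpn['tls_cert'] and openvpn['tls_key']): raise ConfigError('Must specify "tls cert-file" and "tls key-file" in server mode')`. The `-----BEGIN OpenVPN Static key V1-----` header is the correct one for a tls-auth key. verify() starts before this hunk and continues past it.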
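Review bot: The relaxed condition in the @@ -730 hunk admits `tls role passive` together with `mode client` (and `active` with `mode server`) whenever an auth-file is set, and nothing in the new code ties the role to the mode, so the template emits `tls-server` into what is presumably otherwise a client configuration and OpenVPN only rejects the clash at start-up, outside verify(). If the role is meant to pick the tls-auth key direction, check consistency here instead of dropping the check: `if openvpn['mode'] == 'client' and openvpn['tls_role'] != 'active': raise ConfigError('"tls role" must be "active" in client mode')`, mirrored with `passive` for server mode. As written the template line `tls-auth {{tls_auth}}` in hunk @@ -167 passes no direction, so the role currently changes nothing for tls-auth; a comment stating why `tls_auth` lifts the restriction, e.g. `# with tls-auth the role selects tls-client/tls-server explicitly; keep it consistent with mode`, would document the intent. verify() continues past this hunk.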