summaryrefslogtreecommitdiff
path: root/data/templates/openvpn
diff options
context:
space:
mode:
Diffstat (limited to 'data/templates/openvpn')
-rw-r--r--data/templates/openvpn/auth.pw.j2 (renamed from data/templates/openvpn/auth.pw.tmpl)0
-rw-r--r--data/templates/openvpn/client.conf.j2 (renamed from data/templates/openvpn/client.conf.tmpl)24
-rw-r--r--data/templates/openvpn/server.conf.j2 (renamed from data/templates/openvpn/server.conf.tmpl)186
-rw-r--r--data/templates/openvpn/service-override.conf.j221
-rw-r--r--data/templates/openvpn/service-override.conf.tmpl20
5 files changed, 126 insertions, 125 deletions
diff --git a/data/templates/openvpn/auth.pw.tmpl b/data/templates/openvpn/auth.pw.j2
index 218121062..218121062 100644
--- a/data/templates/openvpn/auth.pw.tmpl
+++ b/data/templates/openvpn/auth.pw.j2
diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.j2
index 98c8b0273..2e327e4d3 100644
--- a/data/templates/openvpn/client.conf.tmpl
+++ b/data/templates/openvpn/client.conf.j2
@@ -1,30 +1,30 @@
### Autogenerated by interfaces-openvpn.py ###
-{% if ip %}
+{% if ip is vyos_defined %}
ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }}
{% endif %}
{% if push_route is vyos_defined %}
-{% for route in push_route %}
+{% for route in push_route %}
push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}"
-{% endfor %}
+{% endfor %}
{% endif %}
{% if subnet is vyos_defined %}
-{% for network in subnet %}
+{% for network in subnet %}
iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }}
-{% endfor %}
+{% endfor %}
{% endif %}
{# ipv6_remote is only set when IPv6 server is enabled #}
-{% if ipv6_remote %}
+{% if ipv6_remote is vyos_defined %}
# IPv6
-{% if ipv6_ip %}
+{% if ipv6_ip is vyos_defined %}
ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}
-{% endif %}
-{% for route6 in ipv6_push_route %}
+{% endif %}
+{% for route6 in ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
-{% endfor %}
-{% for net6 in ipv6_subnet %}
+{% endfor %}
+{% for net6 in ipv6_subnet %}
iroute-ipv6 {{ net6 }}
-{% endfor %}
+{% endfor %}
{% endif %}
{% if disable is vyos_defined %}
disable
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.j2
index f26680fa3..6dd4ef88d 100644
--- a/data/templates/openvpn/server.conf.tmpl
+++ b/data/templates/openvpn/server.conf.j2
@@ -10,9 +10,9 @@ verb 3
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
-{% if protocol == 'tcp-active' %}
+{% if protocol is vyos_defined('tcp-active') %}
proto tcp-client
-{% elif protocol == 'tcp-passive' %}
+{% elif protocol is vyos_defined('tcp-passive') %}
proto tcp-server
{% else %}
proto udp
@@ -30,9 +30,9 @@ lport {{ local_port }}
rport {{ remote_port }}
{% endif %}
{% if remote_host is vyos_defined %}
-{% for remote in remote_host %}
+{% for remote in remote_host %}
remote {{ remote }}
-{% endfor %}
+{% endfor %}
{% endif %}
{% if shared_secret_key is vyos_defined %}
secret /run/openvpn/{{ ifname }}_shared.key
@@ -49,88 +49,88 @@ push "redirect-gateway def1"
compress lzo
{% endif %}
-{% if mode == 'client' %}
+{% if mode is vyos_defined('client') %}
#
# OpenVPN Client mode
#
client
nobind
-{% elif mode == 'server' %}
+{% elif mode is vyos_defined('server') %}
#
# OpenVPN Server mode
#
mode server
tls-server
-{% if server is vyos_defined %}
-{% if server.subnet is vyos_defined %}
-{% if server.topology is vyos_defined('point-to-point') %}
+{% if server is vyos_defined %}
+{% if server.subnet is vyos_defined %}
+{% if server.topology is vyos_defined('point-to-point') %}
topology p2p
-{% elif server.topology is vyos_defined %}
+{% elif server.topology is vyos_defined %}
topology {{ server.topology }}
-{% endif %}
-{% for subnet in server.subnet %}
-{% if subnet | is_ipv4 %}
+{% endif %}
+{% for subnet in server.subnet %}
+{% if subnet | is_ipv4 %}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
{# First ip address is used as gateway. It's allows to use metrics #}
-{% if server.push_route is vyos_defined %}
-{% for route, route_config in server.push_route.items() %}
-{% if route | is_ipv4 %}
-push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is vyos_defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}"
-{% elif route | is_ipv6 %}
+{% if server.push_route is vyos_defined %}
+{% for route, route_config in server.push_route.items() %}
+{% if route | is_ipv4 %}
+push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
+{% elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
-{% endif %}
-{% endfor %}
-{% endif %}
+{% endif %}
+{% endfor %}
+{% endif %}
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
-{% if server.topology is vyos_defined('net30') %}
+{% if server.topology is vyos_defined('net30') %}
ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
-{% else %}
+{% else %}
{# OpenVPN assigns the first IP address to its local interface so the pool must #}
{# start from the second address and end on the last address #}
ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
-{% endif %}
-{% elif subnet | is_ipv6 %}
+{% endif %}
+{% elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
+{% endif %}
+{% endfor %}
{% endif %}
-{% endfor %}
-{% endif %}
-{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
+{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
-{% endif %}
-{% if server.max_connections is vyos_defined %}
+{% endif %}
+{% if server.max_connections is vyos_defined %}
max-clients {{ server.max_connections }}
-{% endif %}
-{% if server.client is vyos_defined %}
+{% endif %}
+{% if server.client is vyos_defined %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
+{% endif %}
{% endif %}
-{% endif %}
-keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }}
+keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }}
management /run/openvpn/openvpn-mgmt-intf unix
-{% if server is vyos_defined %}
-{% if server.reject_unconfigured_clients is vyos_defined %}
+{% if server is vyos_defined %}
+{% if server.reject_unconfigured_clients is vyos_defined %}
ccd-exclusive
-{% endif %}
+{% endif %}
-{% if server.name_server is vyos_defined %}
-{% for nameserver in server.name_server %}
-{% if nameserver | is_ipv4 %}
+{% if server.name_server is vyos_defined %}
+{% for nameserver in server.name_server %}
+{% if nameserver | is_ipv4 %}
push "dhcp-option DNS {{ nameserver }}"
-{% elif nameserver | is_ipv6 %}
+{% elif nameserver | is_ipv6 %}
push "dhcp-option DNS6 {{ nameserver }}"
+{% endif %}
+{% endfor %}
{% endif %}
-{% endfor %}
-{% endif %}
-{% if server.domain_name is vyos_defined %}
+{% if server.domain_name is vyos_defined %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
+{% endif %}
+{% if server.mfa.totp is vyos_defined %}
+{% set totp_config = server.mfa.totp %}
+plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
+{% endif %}
{% endif %}
-{% if server.mfa.totp is vyos_defined %}
-{% set totp_config = server.mfa.totp %}
-plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
-{% endif %}
-{% endif %}
{% else %}
#
# OpenVPN site-2-site mode
@@ -138,80 +138,80 @@ plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifn
ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}
-{% if device_type == 'tap' %}
-{% if local_address is vyos_defined %}
-{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
-{% if laddr_conf.subnet_mask is vyos_defined %}
+{% if device_type == 'tap' %}
+{% if local_address is vyos_defined %}
+{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
+{% if laddr_conf.subnet_mask is vyos_defined %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
+{% endif %}
+{% endfor %}
{% endif %}
-{% endfor %}
-{% endif %}
-{% else %}
-{% for laddr in local_address if laddr | is_ipv4 %}
-{% for raddr in remote_address if raddr | is_ipv4 %}
+{% else %}
+{% for laddr in local_address if laddr | is_ipv4 %}
+{% for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
-{% endfor %}
-{% endfor %}
-{% for laddr in local_address if laddr | is_ipv6 %}
-{% for raddr in remote_address if raddr | is_ipv6 %}
+{% endfor %}
+{% endfor %}
+{% for laddr in local_address if laddr | is_ipv6 %}
+{% for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
-{% endfor %}
-{% endfor %}
-{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
{% endif %}
{% if tls is vyos_defined %}
# TLS options
-{% if tls.ca_certificate is vyos_defined %}
+{% if tls.ca_certificate is vyos_defined %}
ca /run/openvpn/{{ ifname }}_ca.pem
-{% endif %}
-{% if tls.certificate is vyos_defined %}
+{% endif %}
+{% if tls.certificate is vyos_defined %}
cert /run/openvpn/{{ ifname }}_cert.pem
-{% endif %}
-{% if tls.private_key is vyos_defined %}
+{% endif %}
+{% if tls.private_key is vyos_defined %}
key /run/openvpn/{{ ifname }}_cert.key
-{% endif %}
-{% if tls.crypt_key is vyos_defined %}
+{% endif %}
+{% if tls.crypt_key is vyos_defined %}
tls-crypt /run/openvpn/{{ ifname }}_crypt.key
-{% endif %}
-{% if tls.crl is vyos_defined %}
+{% endif %}
+{% if tls.crl is vyos_defined %}
crl-verify /run/openvpn/{{ ifname }}_crl.pem
-{% endif %}
-{% if tls.tls_version_min is vyos_defined %}
+{% endif %}
+{% if tls.tls_version_min is vyos_defined %}
tls-version-min {{ tls.tls_version_min }}
-{% endif %}
-{% if tls.dh_params is vyos_defined %}
+{% endif %}
+{% if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
-{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
+{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
dh none
-{% endif %}
-{% if tls.auth_key is vyos_defined %}
-{% if mode == 'client' %}
+{% endif %}
+{% if tls.auth_key is vyos_defined %}
+{% if mode == 'client' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 1
-{% elif mode == 'server' %}
+{% elif mode == 'server' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 0
+{% endif %}
{% endif %}
-{% endif %}
-{% if tls.role is vyos_defined('active') %}
+{% if tls.role is vyos_defined('active') %}
tls-client
-{% elif tls.role is vyos_defined('passive') %}
+{% elif tls.role is vyos_defined('passive') %}
tls-server
-{% endif %}
+{% endif %}
{% endif %}
# Encryption options
{% if encryption is vyos_defined %}
-{% if encryption.cipher is vyos_defined %}
+{% if encryption.cipher is vyos_defined %}
cipher {{ encryption.cipher | openvpn_cipher }}
-{% if encryption.cipher is vyos_defined('bf128') %}
+{% if encryption.cipher is vyos_defined('bf128') %}
keysize 128
-{% elif encryption.cipher is vyos_defined('bf256') %}
+{% elif encryption.cipher is vyos_defined('bf256') %}
keysize 256
+{% endif %}
{% endif %}
-{% endif %}
-{% if encryption.ncp_ciphers is vyos_defined %}
+{% if encryption.ncp_ciphers is vyos_defined %}
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
-{% endif %}
+{% endif %}
{% endif %}
{% if hash is vyos_defined %}
diff --git a/data/templates/openvpn/service-override.conf.j2 b/data/templates/openvpn/service-override.conf.j2
new file mode 100644
index 000000000..616ba3bfc
--- /dev/null
+++ b/data/templates/openvpn/service-override.conf.j2
@@ -0,0 +1,21 @@
+{% set options = namespace(value='') %}
+{% if openvpn_option is vyos_defined %}
+{% for option in openvpn_option %}
+{# Remove the '--' prefix from variable if it is presented #}
+{% if option.startswith('--') %}
+{% set option = option.split('--', maxsplit=1)[1] %}
+{% endif %}
+{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #}
+{# But now it stopped doing this, so we need to add them for compatibility #}
+{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #}
+{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #}
+{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %}
+{% set option = 'push \"%s\"' | format(option.split('push ', maxsplit=1)[1]) %}
+{% endif %}
+{% set options.value = options.value ~ ' --' ~ option %}
+{% endfor %}
+{% endif %}
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid {{ options.value }}
+
diff --git a/data/templates/openvpn/service-override.conf.tmpl b/data/templates/openvpn/service-override.conf.tmpl
deleted file mode 100644
index cba652223..000000000
--- a/data/templates/openvpn/service-override.conf.tmpl
+++ /dev/null
@@ -1,20 +0,0 @@
-[Service]
-ExecStart=
-ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid
-{%- if openvpn_option is vyos_defined %}
-{% for option in openvpn_option %}
-{# Remove the '--' prefix from variable if it is presented #}
-{% if option.startswith('--') %}
-{% set option = option.split('--', maxsplit=1)[1] %}
-{% endif %}
-{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #}
-{# But now it stopped doing this, so we need to add them for compatibility #}
-{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #}
-{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #}
-{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %}
-{% set option = 'push \"%s\"'|format(option.split('push ', maxsplit=1)[1]) %}
-{% endif %}
- --{{ option }}
-{%- endfor %}
-{% endif %}
-