Diffstat (limited to 'data/templates/openvpn')
-rw-r--r-- | data/templates/openvpn/auth.pw.j2 (renamed from data/templates/openvpn/auth.pw.tmpl) | 0 | ||||
-rw-r--r-- | data/templates/openvpn/client.conf.j2 (renamed from data/templates/openvpn/client.conf.tmpl) | 24 | ||||
-rw-r--r-- | data/templates/openvpn/server.conf.j2 (renamed from data/templates/openvpn/server.conf.tmpl) | 186 | ||||
-rw-r--r-- | data/templates/openvpn/service-override.conf.j2 | 21 | ||||
-rw-r--r-- | data/templates/openvpn/service-override.conf.tmpl | 20 |
5 files changed, 126 insertions, 125 deletions
diff --git a/data/templates/openvpn/auth.pw.tmpl b/data/templates/openvpn/auth.pw.j2 index 218121062..218121062 100644 --- a/data/templates/openvpn/auth.pw.tmpl +++ b/data/templates/openvpn/auth.pw.j2 diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.j2 index 98c8b0273..2e327e4d3 100644 --- a/data/templates/openvpn/client.conf.tmpl +++ b/data/templates/openvpn/client.conf.j2 @@ -1,30 +1,30 @@ ### Autogenerated by interfaces-openvpn.py ### -{% if ip %} +{% if ip is vyos_defined %} ifconfig-push {{ ip[0] }} {{ server_subnet[0] | netmask_from_cidr }} {% endif %} {% if push_route is vyos_defined %} -{% for route in push_route %} +{% for route in push_route %} push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}" -{% endfor %} +{% endfor %} {% endif %} {% if subnet is vyos_defined %} -{% for network in subnet %} +{% for network in subnet %} iroute {{ network | address_from_cidr }} {{ network | netmask_from_cidr }} -{% endfor %} +{% endfor %} {% endif %} {# ipv6_remote is only set when IPv6 server is enabled #} -{% if ipv6_remote %} +{% if ipv6_remote is vyos_defined %} # IPv6 -{% if ipv6_ip %} +{% if ipv6_ip is vyos_defined %} ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }} -{% endif %} -{% for route6 in ipv6_push_route %} +{% endif %} +{% for route6 in ipv6_push_route %} push "route-ipv6 {{ route6 }}" -{% endfor %} -{% for net6 in ipv6_subnet %} +{% endfor %} +{% for net6 in ipv6_subnet %} iroute-ipv6 {{ net6 }} -{% endfor %} +{% endfor %} {% endif %} {% if disable is vyos_defined %} disable diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.j2 index f26680fa3..6dd4ef88d 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.j2 
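Review bot: In the IPv6 section of client.conf.j2, `{% for route6 in ipv6_push_route %}` and `{% for net6 in ipv6_subnet %}` still iterate without a guard, although this commit adds `is vyos_defined` to `ip`, `ipv6_remote` and `ipv6_ip`, and the IPv4 `push_route` and `subnet` loops a few lines up are each wrapped in their own `is vyos_defined` test. Whether an absent `ipv6_push_route` renders as an empty loop or aborts rendering depends on the undefined class of the Jinja environment, which is not visible here, so the template currently relies on the generator always supplying both keys once `ipv6_remote` is set. Wrapping each loop in its own `{% if ipv6_push_route is vyos_defined %}` … `{% endif %}` pair (and likewise for `ipv6_subnet`) makes that expectation explicit and matches the IPv4 branch. The `{% if disable is vyos_defined %}` block at the end of the hunk continues past it.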
@@ -10,9 +10,9 @@ verb 3 dev-type {{ device_type }} dev {{ ifname }} persist-key -{% if protocol == 'tcp-active' %} +{% if protocol is vyos_defined('tcp-active') %} proto tcp-client -{% elif protocol == 'tcp-passive' %} +{% elif protocol is vyos_defined('tcp-passive') %} proto tcp-server {% else %} proto udp @@ -30,9 +30,9 @@ lport {{ local_port }} rport {{ remote_port }} {% endif %} {% if remote_host is vyos_defined %} -{% for remote in remote_host %} +{% for remote in remote_host %} remote {{ remote }} -{% endfor %} +{% endfor %} {% endif %} {% if shared_secret_key is vyos_defined %} secret /run/openvpn/{{ ifname }}_shared.key 
@@ -49,88 +49,88 @@ push "redirect-gateway def1" compress lzo {% endif %} -{% if mode == 'client' %} +{% if mode is vyos_defined('client') %} # # OpenVPN Client mode # client nobind -{% elif mode == 'server' %} +{% elif mode is vyos_defined('server') %} # # OpenVPN Server mode # mode server tls-server -{% if server is vyos_defined %} -{% if server.subnet is vyos_defined %} -{% if server.topology is vyos_defined('point-to-point') %} +{% if server is vyos_defined %} +{% if server.subnet is vyos_defined %} +{% if server.topology is vyos_defined('point-to-point') %} topology p2p -{% elif server.topology is vyos_defined %} +{% elif server.topology is vyos_defined %} topology {{ server.topology }} -{% endif %} -{% for subnet in server.subnet %} -{% if subnet | is_ipv4 %} +{% endif %} +{% for subnet in server.subnet %} +{% if subnet | is_ipv4 %} server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool {# First ip address is used as gateway. It's allows to use metrics #} -{% if server.push_route is vyos_defined %} -{% for route, route_config in server.push_route.items() %} -{% if route | is_ipv4 %} -push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}{% if route_config.metric is vyos_defined %} {{ subnet | first_host_address }} {{ route_config.metric }}{% endif %}" -{% elif route | is_ipv6 %} +{% if server.push_route is vyos_defined %} +{% for route, route_config in server.push_route.items() %} +{% if route | is_ipv4 %} +push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}" +{% elif route | is_ipv6 %} push "route-ipv6 {{ route }}" -{% endif %} -{% endfor %} -{% endif %} +{% endif %} +{% endfor %} +{% endif %} {# OpenVPN assigns the first IP address to its local interface so the pool used #} {# in net30 topology - where each client receives a /30 must start from the second subnet #} -{% if server.topology 
is vyos_defined('net30') %} +{% if server.topology is vyos_defined('net30') %} ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }} -{% else %} +{% else %} {# OpenVPN assigns the first IP address to its local interface so the pool must #} {# start from the second address and end on the last address #} ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }} -{% endif %} -{% elif subnet | is_ipv6 %} +{% endif %} +{% elif subnet | is_ipv6 %} server-ipv6 {{ subnet }} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} -{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %} +{% if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %} ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }} -{% endif %} -{% if server.max_connections is vyos_defined %} +{% endif %} +{% if server.max_connections is vyos_defined %} max-clients {{ server.max_connections }} -{% endif %} -{% if server.client is vyos_defined %} +{% endif %} +{% if server.client is vyos_defined %} client-config-dir /run/openvpn/ccd/{{ ifname }} +{% endif %} {% endif %} -{% endif %} -keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }} +keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }} management /run/openvpn/openvpn-mgmt-intf unix -{% if server is vyos_defined %} -{% if server.reject_unconfigured_clients is vyos_defined %} +{% if server is vyos_defined %} +{% if server.reject_unconfigured_clients is vyos_defined %} ccd-exclusive -{% endif %} +{% endif %} -{% if server.name_server is 
vyos_defined %} -{% for nameserver in server.name_server %} -{% if nameserver | is_ipv4 %} +{% if server.name_server is vyos_defined %} +{% for nameserver in server.name_server %} +{% if nameserver | is_ipv4 %} push "dhcp-option DNS {{ nameserver }}" -{% elif nameserver | is_ipv6 %} +{% elif nameserver | is_ipv6 %} push "dhcp-option DNS6 {{ nameserver }}" +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} -{% if server.domain_name is vyos_defined %} +{% if server.domain_name is vyos_defined %} push "dhcp-option DOMAIN {{ server.domain_name }}" +{% endif %} +{% if server.mfa.totp is vyos_defined %} +{% set totp_config = server.mfa.totp %} +plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" +{% endif %} {% endif %} -{% if server.mfa.totp is vyos_defined %} -{% set totp_config = server.mfa.totp %} -plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets {{ 'otp_slop=' ~ totp_config.slop }} {{ 'totp_t0=' ~ totp_config.drift }} {{ 'totp_step=' ~ totp_config.step }} {{ 'totp_digits=' ~ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}" -{% endif %} -{% endif %} {% else %} # # OpenVPN site-2-site mode 
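Review bot: The rewritten `push "route …"` line now has a literal space before the `{{ … if route_config.metric is vyos_defined }}` expression, so a route without a metric renders as `push "route A B "` with a trailing blank inside the quotes, whereas the old `{% if %}` form emitted the space only together with the gateway and metric. OpenVPN's option tokenizer most likely ignores it, but it changes the generated file for every existing configuration and makes comparisons of rendered output noisier; moving the space into the conditional, `{{ ' ' ~ (subnet | first_host_address) ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}` with no blank before the `{{`, restores the previous output. The `{% if mode is vyos_defined('server') %}` branch these lines belong to is closed by the `{% else %}` at the end of the hunk, and the site-to-site branch continues outside it.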
@@ -138,80 +138,80 @@ plugin "{{ plugin_dir}}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifn ping {{ keep_alive.interval }} ping-restart {{ keep_alive.failure_count }} -{% if device_type == 'tap' %} -{% if local_address is vyos_defined %} -{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} -{% if laddr_conf.subnet_mask is vyos_defined %} +{% if device_type == 'tap' %} +{% if local_address is vyos_defined %} +{% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} +{% if laddr_conf.subnet_mask is vyos_defined %} ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} +{% endif %} +{% endfor %} {% endif %} -{% endfor %} -{% endif %} -{% else %} -{% for laddr in local_address if laddr | is_ipv4 %} -{% for raddr in remote_address if raddr | is_ipv4 %} +{% else %} +{% for laddr in local_address if laddr | is_ipv4 %} +{% for raddr in remote_address if raddr | is_ipv4 %} ifconfig {{ laddr }} {{ raddr }} -{% endfor %} -{% endfor %} -{% for laddr in local_address if laddr | is_ipv6 %} -{% for raddr in remote_address if raddr | is_ipv6 %} +{% endfor %} +{% endfor %} +{% for laddr in local_address if laddr | is_ipv6 %} +{% for raddr in remote_address if raddr | is_ipv6 %} ifconfig-ipv6 {{ laddr }} {{ raddr }} -{% endfor %} -{% endfor %} -{% endif %} +{% endfor %} +{% endfor %} +{% endif %} {% endif %} {% if tls is vyos_defined %} # TLS options -{% if tls.ca_certificate is vyos_defined %} +{% if tls.ca_certificate is vyos_defined %} ca /run/openvpn/{{ ifname }}_ca.pem -{% endif %} -{% if tls.certificate is vyos_defined %} +{% endif %} +{% if tls.certificate is vyos_defined %} cert /run/openvpn/{{ ifname }}_cert.pem -{% endif %} -{% if tls.private_key is vyos_defined %} +{% endif %} +{% if tls.private_key is vyos_defined %} key /run/openvpn/{{ ifname }}_cert.key -{% endif %} -{% if tls.crypt_key is vyos_defined %} +{% endif %} +{% if tls.crypt_key is vyos_defined %} tls-crypt /run/openvpn/{{ ifname }}_crypt.key -{% endif %} -{% if 
tls.crl is vyos_defined %} +{% endif %} +{% if tls.crl is vyos_defined %} crl-verify /run/openvpn/{{ ifname }}_crl.pem -{% endif %} -{% if tls.tls_version_min is vyos_defined %} +{% endif %} +{% if tls.tls_version_min is vyos_defined %} tls-version-min {{ tls.tls_version_min }} -{% endif %} -{% if tls.dh_params is vyos_defined %} +{% endif %} +{% if tls.dh_params is vyos_defined %} dh /run/openvpn/{{ ifname }}_dh.pem -{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %} +{% elif mode is vyos_defined('server') and tls.private_key is vyos_defined %} dh none -{% endif %} -{% if tls.auth_key is vyos_defined %} -{% if mode == 'client' %} +{% endif %} +{% if tls.auth_key is vyos_defined %} +{% if mode == 'client' %} tls-auth /run/openvpn/{{ ifname }}_auth.key 1 -{% elif mode == 'server' %} +{% elif mode == 'server' %} tls-auth /run/openvpn/{{ ifname }}_auth.key 0 +{% endif %} {% endif %} -{% endif %} -{% if tls.role is vyos_defined('active') %} +{% if tls.role is vyos_defined('active') %} tls-client -{% elif tls.role is vyos_defined('passive') %} +{% elif tls.role is vyos_defined('passive') %} tls-server -{% endif %} +{% endif %} {% endif %} # Encryption options {% if encryption is vyos_defined %} -{% if encryption.cipher is vyos_defined %} +{% if encryption.cipher is vyos_defined %} cipher {{ encryption.cipher | openvpn_cipher }} -{% if encryption.cipher is vyos_defined('bf128') %} +{% if encryption.cipher is vyos_defined('bf128') %} keysize 128 -{% elif encryption.cipher is vyos_defined('bf256') %} +{% elif encryption.cipher is vyos_defined('bf256') %} keysize 256 +{% endif %} {% endif %} -{% endif %} -{% if encryption.ncp_ciphers is vyos_defined %} +{% if encryption.ncp_ciphers is vyos_defined %} data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }} -{% endif %} +{% endif %} {% endif %} {% if hash is vyos_defined %} 
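Review bot: The `tls-auth` key-direction block on the new side keeps `{% if mode == 'client' %}` and `{% elif mode == 'server' %}` while the same commit converts the equivalent tests in this file to `is vyos_defined('…')`, and the `dh none` condition a few lines above already reads `mode is vyos_defined('server')`. For consistency the two lines should read `{% if mode is vyos_defined('client') %}` and `{% elif mode is vyos_defined('server') %}`. It would also help to state above the TLS block that the protocol floor and revocation check are opt-in, e.g. `{# tls-version-min and crl-verify are only written when configured; otherwise OpenVPN's build defaults apply #}`, so a reader does not have to infer that from the absence of a line.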
diff --git a/data/templates/openvpn/service-override.conf.j2 b/data/templates/openvpn/service-override.conf.j2 new file mode 100644 index 000000000..616ba3bfc --- /dev/null +++ b/data/templates/openvpn/service-override.conf.j2 @@ -0,0 +1,21 @@ +{% set options = namespace(value='') %} +{% if openvpn_option is vyos_defined %} +{% for option in openvpn_option %} +{# Remove the '--' prefix from variable if it is presented #} +{% if option.startswith('--') %} +{% set option = option.split('--', maxsplit=1)[1] %} +{% endif %} +{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #} +{# But now it stopped doing this, so we need to add them for compatibility #} +{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #} +{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #} +{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %} +{% set option = 'push \"%s\"' | format(option.split('push ', maxsplit=1)[1]) %} +{% endif %} +{% set options.value = options.value ~ ' --' ~ option %} +{% endfor %} +{% endif %} +[Service] +ExecStart= +ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid {{ options.value }} + diff --git a/data/templates/openvpn/service-override.conf.tmpl b/data/templates/openvpn/service-override.conf.tmpl deleted file mode 100644 index cba652223..000000000 --- a/data/templates/openvpn/service-override.conf.tmpl +++ /dev/null 
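Review bot: The `push` quoting workaround in the new service-override.conf.j2 matches on `option.startswith('push')`, which also captures the distinct OpenVPN options `push-peer-info`, `push-remove …` and `push-reset`; for those `option.split('push ', maxsplit=1)[1]` has no second element, so the rendered option degrades to `push ""` (or a render error, depending on the environment's undefined class) instead of what the operator configured. Narrowing the test to `{% if (option == 'push' or option.startswith('push ')) and not (option.startswith('push "') and option.endswith('"')) %}` keeps the workaround to the bare `push` directive; the same check exists in the deleted .tmpl, so this is carried over rather than introduced. Separately, every `openvpn_option` value is appended verbatim to `{{ options.value }}` on the unit's `ExecStart=` line, so systemd's own parsing of that line (`%` specifier expansion, quoting, line handling) applies to operator-supplied text before OpenVPN ever sees it; a comment above `[Service]` such as `{# options.value lands on systemd's ExecStart= line: systemd specifier and quoting rules apply before openvpn parses the arguments #}` would make that visible to the next person touching the workaround.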
@@ -1,20 +0,0 @@ -[Service] -ExecStart= -ExecStart=/usr/sbin/openvpn --daemon openvpn-%i --config %i.conf --status %i.status 30 --writepid %i.pid -{%- if openvpn_option is vyos_defined %} -{% for option in openvpn_option %} -{# Remove the '--' prefix from variable if it is presented #} -{% if option.startswith('--') %} -{% set option = option.split('--', maxsplit=1)[1] %} -{% endif %} -{# Workaround to pass '--push' options properly. Previously openvpn accepted this option without values in double-quotes #} -{# But now it stopped doing this, so we need to add them for compatibility #} -{# HOWEVER! This is a raw option and we do not promise that this or any other trick will work for all the cases. #} -{# Using 'openvpn-option' you take all responsibility for compatibility for yourself. #} -{% if option.startswith('push') and not (option.startswith('push "') and option.endswith('"')) %} -{% set option = 'push \"%s\"'|format(option.split('push ', maxsplit=1)[1]) %} -{% endif %} - --{{ option }} -{%- endfor %} -{% endif %} - |