Diffstat (limited to 'data/templates/openvpn')
-rw-r--r--data/templates/openvpn/client.conf.tmpl35
-rw-r--r--data/templates/openvpn/server.conf.tmpl262
2 files changed, 297 insertions, 0 deletions
diff --git a/data/templates/openvpn/client.conf.tmpl b/data/templates/openvpn/client.conf.tmpl
new file mode 100644
index 000000000..508d8da94
--- /dev/null
+++ b/data/templates/openvpn/client.conf.tmpl
@@ -0,0 +1,35 @@
+### Autogenerated by interfaces-openvpn.py ###
+
+{% if ip -%}
+ifconfig-push {{ ip[0] }} {{ remote_netmask }}
+{% endif -%}
+
+{% for route in push_route -%}
+push "route {{ route }}"
+{% endfor -%}
+
+{% for net in subnet -%}
+iroute {{ net }}
+{% endfor -%}
+
+{# ipv6_remote is only set when IPv6 server is enabled #}
+{% if ipv6_remote -%}
+# IPv6
+
+{%- if ipv6_ip %}
+ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}
+{%- endif %}
+
+{%- for route6 in ipv6_push_route %}
+push "route-ipv6 {{ route6 }}"
+{%- endfor %}
+
+{%- for net6 in ipv6_subnet %}
+iroute {{ net6 }}
+{%- endfor %}
+
+{% endif -%}
+
+{% if disable -%}
+disable
+{% endif -%}
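Review bot: `ifconfig-push {{ ip[0] }} {{ remote_netmask }}` and `ifconfig-ipv6-push {{ ipv6_ip[0] }} {{ ipv6_remote }}` index only the first element, so any further entries in `ip` / `ipv6_ip` are silently ignored; a template comment such as `{# only the first configured address is pushed; additional entries are ignored #}` above each would make that explicit for whoever maintains interfaces-openvpn.py. The whole IPv6 block, including `ipv6_push_route` and `ipv6_subnet`, is also gated on `ipv6_remote`, which the comment on the preceding line says is only set when the IPv6 server is enabled — if that is intended, extend that comment to say that per-client IPv6 routes and subnets are dropped when the server has no IPv6 configured, since nothing in the rendered config will show that they were skipped.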
diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl
new file mode 100644
index 000000000..401f8e04b
--- /dev/null
+++ b/data/templates/openvpn/server.conf.tmpl
@@ -0,0 +1,262 @@
+### Autogenerated by interfaces-openvpn.py ###
+#
+# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+# for individual keyword definition
+
+{% if description -%}
+# {{ description }}
+
+{% endif -%}
+
+verb 3
+
+user {{ uid }}
+group {{ gid }}
+
+dev-type {{ type }}
+dev {{ intf }}
+persist-key
+iproute /usr/libexec/vyos/system/unpriv-ip
+
+proto {{ protocol_real }}
+
+{%- if local_host %}
+local {{ local_host }}
+{%- endif %}
+
+{%- if mode == 'server' and protocol == 'udp' and not local_host %}
+multihome
+{%- endif %}
+
+{%- if local_port %}
+lport {{ local_port }}
+{%- endif %}
+
+{% if remote_port -%}
+rport {{ remote_port }}
+{% endif %}
+
+{%- if remote_host %}
+{%- for remote in remote_host -%}
+remote {{ remote }}
+{% endfor -%}
+{% endif -%}
+
+{% if shared_secret_file %}
+secret {{ shared_secret_file }}
+{%- endif %}
+
+{%- if persistent_tunnel %}
+persist-tun
+{%- endif %}
+
+{%- if redirect_gateway %}
+push "redirect-gateway {{ redirect_gateway }}"
+{%- endif %}
+
+{%- if compress_lzo %}
+compress lzo
+{%- endif %}
+
+{% if 'client' in mode -%}
+#
+# OpenVPN Client mode
+#
+client
+nobind
+
+{% elif 'server' in mode -%}
+#
+# OpenVPN Server mode
+#
+
+{%- if server_topology %}
+topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %}
+{%- endif %}
+
+{%- if is_bridge_member %}
+mode server
+tls-server
+{%- else %}
+server {{ server_subnet[0] }} nopool
+{%- endif %}
+
+{%- if server_pool %}
+ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %}
+{%- endif %}
+
+{%- if server_max_conn %}
+max-clients {{ server_max_conn }}
+{%- endif %}
+
+{%- if client %}
+client-config-dir /run/openvpn/ccd/{{ intf }}
+{%- endif %}
+
+{%- if server_reject_unconfigured %}
+ccd-exclusive
+{%- endif %}
+
+keepalive {{ ping_interval }} {{ ping_restart }}
+management /run/openvpn/openvpn-mgmt-intf unix
+
+{% for route in server_push_route -%}
+push "route {{ route }}"
+{% endfor -%}
+
+{% for ns in server_dns_nameserver -%}
+push "dhcp-option DNS {{ ns }}"
+{% endfor -%}
+
+{%- if server_domain -%}
+push "dhcp-option DOMAIN {{ server_domain }}"
+{% endif -%}
+
+{%- if server_ipv6_local %}
+# IPv6
+push "tun-ipv6"
+ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}
+
+{%- if server_ipv6_pool %}
+ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
+{%- endif %}
+
+{%- for route6 in server_ipv6_push_route %}
+push "route-ipv6 {{ route6 }}"
+{%- endfor %}
+
+{%- for ns6 in server_ipv6_dns_nameserver %}
+push "dhcp-option DNS6 {{ ns6 }}"
+{%- endfor %}
+
+{%- endif %}
+
+{% else -%}
+#
+# OpenVPN site-2-site mode
+#
+ping {{ ping_interval }}
+ping-restart {{ ping_restart }}
+
+{% if local_address_subnet -%}
+ifconfig {{ local_address[0] }} {{ local_address_subnet }}
+{%- elif remote_address -%}
+ifconfig {{ local_address[0] }} {{ remote_address[0] }}
+{%- endif %}
+
+{% if ipv6_local_address -%}
+ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}
+{%- endif %}
+
+{% endif -%}
+
+{% if tls -%}
+# TLS options
+{%- if tls_ca_cert %}
+ca {{ tls_ca_cert }}
+{%- endif %}
+
+{%- if tls_cert %}
+cert {{ tls_cert }}
+{%- endif %}
+
+{%- if tls_key %}
+key {{ tls_key }}
+{%- endif %}
+
+{%- if tls_crypt %}
+tls-crypt {{ tls_crypt }}
+{%- endif %}
+
+{%- if tls_crl %}
+crl-verify {{ tls_crl }}
+{%- endif %}
+
+{%- if tls_version_min %}
+tls-version-min {{tls_version_min}}
+{%- endif %}
+
+{%- if tls_dh %}
+dh {{ tls_dh }}
+{%- endif %}
+
+{%- if tls_auth %}
+tls-auth {{tls_auth}}
+{%- endif %}
+
+{%- if tls_role %}
+{%- if 'active' in tls_role %}
+tls-client
+{%- elif 'passive' in tls_role %}
+tls-server
+{%- endif %}
+{%- endif %}
+
+{%- endif %}
+
+# Encryption options
+{%- if encryption %}
+{% if encryption == 'des' -%}
+cipher des-cbc
+{%- elif encryption == '3des' -%}
+cipher des-ede3-cbc
+{%- elif encryption == 'bf128' -%}
+cipher bf-cbc
+keysize 128
+{%- elif encryption == 'bf256' -%}
+cipher bf-cbc
+keysize 25
+{%- elif encryption == 'aes128gcm' -%}
+cipher aes-128-gcm
+{%- elif encryption == 'aes128' -%}
+cipher aes-128-cbc
+{%- elif encryption == 'aes192gcm' -%}
+cipher aes-192-gcm
+{%- elif encryption == 'aes192' -%}
+cipher aes-192-cbc
+{%- elif encryption == 'aes256gcm' -%}
+cipher aes-256-gcm
+{%- elif encryption == 'aes256' -%}
+cipher aes-256-cbc
+{%- endif -%}
+{%- endif %}
+
+{%- if ncp_ciphers %}
+ncp-ciphers {{ncp_ciphers}}
+{%- endif %}
+{%- if disable_ncp %}
+ncp-disable
+{%- endif %}
+
+{% if hash -%}
+auth {{ hash }}
+{%- endif -%}
+
+{%- if auth %}
+auth-user-pass {{ auth_user_pass_file }}
+auth-retry nointeract
+{%- endif %}
+
+# DEPRECATED This option will be removed in OpenVPN 2.5
+# Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this:
+# /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old
+# behaviour was to remap any character other than alphanumeric, underscore ('_'),
+# dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject
+# string as returned by the tls_id environmental variable, could additionally
+# contain colon (':') or equal ('='). When using the --compat-names option, this
+# old formatting and remapping will be re-enabled again. This is purely implemented
+# for compatibility reasons when using older plug-ins or scripts which does not
+# handle the new formatting or UTF-8 characters.
+#
+# See https://phabricator.vyos.net/T1512
+compat-names
+
+{% if options -%}
+#
+# Custom options added by user (not validated)
+#
+
+{% for option in options -%}
+{{ option }}
+{% endfor -%}
+{%- endif %}
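Review bot: The `bf256` branch of the encryption table emits `keysize 25`, which looks like a typo for `keysize 256`; as written a user who selects bf256 gets a 25-bit Blowfish key, far weaker than either the bf128 branch beside it or the name suggests, and OpenVPN will accept it without complaint. The fix is the one line `keysize 256`. While in that block, `cipher des-cbc`, `cipher des-ede3-cbc` and `cipher bf-cbc` are all 64-bit-block ciphers; if they are kept for legacy interoperability, a `{# legacy 64-bit block ciphers, kept for compatibility only #}` comment above the `des` branch would record that intent. Minor style point: `tls-version-min {{tls_version_min}}`, `tls-auth {{tls_auth}}` and `ncp-ciphers {{ncp_ciphers}}` drop the spaces inside the braces that every other substitution in the file uses.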