Diffstat (limited to 'src/conf_mode/interfaces-openvpn.py')
-rwxr-xr-xsrc/conf_mode/interfaces-openvpn.py30
1 files changed, 12 insertions, 18 deletions
diff --git a/src/conf_mode/interfaces-openvpn.py b/src/conf_mode/interfaces-openvpn.py
index c23e79948..25920f893 100755
--- a/src/conf_mode/interfaces-openvpn.py
+++ b/src/conf_mode/interfaces-openvpn.py
@@ -120,7 +120,7 @@ def verify(openvpn):
# OpenVPN site-to-site - VERIFY
#
elif openvpn['mode'] == 'site-to-site':
- if not 'local_address' in openvpn:
+ if 'local_address' not in openvpn and 'is_bridge_member' not in openvpn:
raise ConfigError('Must specify "local-address" or add interface to bridge')
if len([addr for addr in openvpn['local_address'] if is_ipv4(addr)]) > 1:
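Review bot: The comprehension on the last line of this hunk still indexes `openvpn['local_address']` unconditionally, but the relaxed check just above it now lets a bridge-member interface through with no `local_address` at all, so that configuration raises KeyError instead of a ConfigError. The same gap appears in the second hunk, where the new `if openvpn['device_type'] == 'tap':` branch replaced the old `'local_address' in openvpn` guard yet the loop beneath it still reads `openvpn['local_address']` directly. Suggested here: `if len([addr for addr in openvpn.get('local_address', {}) if is_ipv4(addr)]) > 1:` and there: `if openvpn['device_type'] == 'tap' and 'local_address' in openvpn:` (the dict shape of `local_address` is inferred from the `openvpn['local_address'][v4addr]` access in the second hunk). Whether `device_type` is always populated before verify() runs is not visible in this diff; if it is only present when configured, `openvpn.get('device_type')` is the safer spelling. verify() continues outside both hunks.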
@@ -166,15 +166,16 @@ def verify(openvpn):
if dict_search('remote_host', openvpn) in dict_search('remote_address', openvpn):
raise ConfigError('"remote-address" and "remote-host" can not be the same')
-
- if 'local_address' in openvpn:
+ if openvpn['device_type'] == 'tap':
# we can only have one local_address, this is ensured above
v4addr = None
for laddr in openvpn['local_address']:
- if is_ipv4(laddr): v4addr = laddr
+ if is_ipv4(laddr):
+ v4addr = laddr
+ break
- if 'remote_address' not in openvpn and (v4addr not in openvpn['local_address'] or 'subnet_mask' not in openvpn['local_address'][v4addr]):
- raise ConfigError('IPv4 "local-address" requires IPv4 "remote-address" or IPv4 "local-address subnet"')
+ if v4addr in openvpn['local_address'] and 'subnet_mask' not in openvpn['local_address'][v4addr]:
+ raise ConfigError('Must specify IPv4 "subnet-mask" for local-address')
if dict_search('encryption.ncp_ciphers', openvpn):
raise ConfigError('NCP ciphers can only be used in client or server mode')
@@ -464,12 +465,9 @@ def generate(openvpn):
if tmp: fix_permissions.append(tmp)
# Generate User/Password authentication file
- if 'auth' in openvpn:
- with open(openvpn['auth_user_pass_file'], 'w') as f:
- f.write('{}\n{}'.format(openvpn['auth_user'], openvpn['auth_pass']))
- # also change permission on auth file
- fix_permissions.append(openvpn['auth_user_pass_file'])
-
+ if 'authentication' in openvpn:
+ render(openvpn['auth_user_pass_file'], 'openvpn/auth.pw.tmpl', openvpn,
+ user=user, group=group, permission=0o600)
else:
# delete old auth file if present
if os.path.isfile(openvpn['auth_user_pass_file']):
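Review bot: `permission=0o600` on the new render() call is the right mode for a file holding a username and password, but whether render() applies it when the file is created or chmods after writing is not visible here; if it is the latter, the credentials briefly exist with umask-derived permissions, whereas the removed `fix_permissions.append(...)` at least deferred the fix to the loop at the end of generate(). Worth confirming in the render() helper that the file is created with the mode already restricted (for example via `os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)`) rather than tightened afterwards. The old code also wrote the two values verbatim with str.format, while the new path goes through a Jinja template: if that environment autoescapes, a password containing `&`, `<`, `>` or a quote would be written entity-encoded and authentication would fail silently, and the `formater` lambda in a later hunk that reverses a quote entity suggests autoescaping is in effect. The template `openvpn/auth.pw.tmpl` and the key names it reads under `openvpn['authentication']` cannot be checked from this diff.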
@@ -483,17 +481,13 @@ def generate(openvpn):
# Our client need's to know its subnet mask ...
client_config['server_subnet'] = dict_search('server.subnet', openvpn)
- import pprint
- pprint.pprint(client_config)
-
render(client_file, 'openvpn/client.conf.tmpl', client_config,
- trim_blocks=True, user=user, group=group)
+ user=user, group=group)
# we need to support quoting of raw parameters from OpenVPN CLI
# see https://phabricator.vyos.net/T1632
render(cfg_file.format(**openvpn), 'openvpn/server.conf.tmpl', openvpn,
- trim_blocks=True, formater=lambda _: _.replace(""", '"'),
- user=user, group=group)
+ formater=lambda _: _.replace(""", '"'), user=user, group=group)
# Fixup file permissions
for file in fix_permissions:
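Review bot: The rewritten render() call for the server config keeps a lambda whose parameter is named `_`, which by convention marks a value that is deliberately ignored, yet here it is the string being transformed; `formater=lambda s: s.replace(...)` with the same replacement reads as intended. Dropping `trim_blocks=True` from both the client and server render() calls changes the whitespace of the generated configs unless the templates were adjusted in the same commit, which cannot be seen here; a before/after diff of one rendered config would confirm nothing else moved. generate() continues outside the hunk.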