summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/interface-bonding.py5
-rwxr-xr-xsrc/conf_mode/interface-openvpn.py27
-rwxr-xr-xsrc/conf_mode/interface-wireguard.py26
3 files changed, 44 insertions, 14 deletions
diff --git a/src/conf_mode/interface-bonding.py b/src/conf_mode/interface-bonding.py
index f0a33beff..ac3e1b867 100755
--- a/src/conf_mode/interface-bonding.py
+++ b/src/conf_mode/interface-bonding.py
@@ -279,11 +279,6 @@ def verify(bond):
raise ConfigError('can not enslave interface {} which already ' \
'belongs to {}'.format(intf, tmp))
- # we can not add disabled slave interfaces to our bond
- if conf.exists('interfaces ethernet ' + intf + ' disable'):
- raise ConfigError('can not enslave disabled interface {}' \
- .format(intf))
-
# can not add interfaces with an assigned address to a bond
if conf.exists('interfaces ethernet ' + intf + ' address'):
raise ConfigError('can not enslave interface {} which has an address ' \
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 984410eb1..35e7928c2 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -175,6 +175,10 @@ tls-version-min {{tls_version_min}}
dh {{ tls_dh }}
{% endif %}
+{%- if tls_auth %}
+tls-auth {{tls_auth}}
+{% endif %}
+
{%- if 'active' in tls_role %}
tls-client
{%- elif 'passive' in tls_role %}
@@ -281,6 +285,7 @@ default_config_data = {
'server_topology': '',
'shared_secret_file': '',
'tls': False,
+ 'tls_auth': '',
'tls_ca_cert': '',
'tls_cert': '',
'tls_crl': '',
@@ -537,6 +542,11 @@ def get_config():
if conf.exists('server reject-unconfigured-clients'):
openvpn['server_reject_unconfigured'] = True
+ # File containing TLS auth static key
+ if conf.exists('tls auth-file'):
+ openvpn['tls_auth'] = conf.return_value('tls auth-file')
+ openvpn['tls'] = True
+
# File containing certificate for Certificate Authority (CA)
if conf.exists('tls ca-cert-file'):
openvpn['tls_ca_cert'] = conf.return_value('tls ca-cert-file')
@@ -723,11 +733,17 @@ def verify(openvpn):
if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_ca_cert']):
raise ConfigError('Specified ca-cert-file "{}" is invalid'.format(openvpn['tls_ca_cert']))
- if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
- raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
+ if openvpn['tls_auth']:
+ if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['tls_auth']):
+ raise ConfigError('Specified auth-file "{}" is invalid'.format(openvpn['tls_auth']))
+
+ if openvpn['tls_cert']:
+ if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
+ raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
- if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
- raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
+ if openvpn['tls_key']:
+ if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
+ raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
if openvpn['tls_crl']:
if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']):
@@ -739,7 +755,8 @@ def verify(openvpn):
if openvpn['tls_role']:
if openvpn['mode'] in ['client', 'server']:
- raise ConfigError('Cannot specify "tls role" in client-server mode')
+ if not openvpn['tls_auth']:
+ raise ConfigError('Cannot specify "tls role" in client-server mode')
if openvpn['tls_role'] == 'active':
if openvpn['protocol'] == 'tcp-passive':
diff --git a/src/conf_mode/interface-wireguard.py b/src/conf_mode/interface-wireguard.py
index d51a7a08d..4ae3251fe 100755
--- a/src/conf_mode/interface-wireguard.py
+++ b/src/conf_mode/interface-wireguard.py
@@ -26,12 +26,16 @@ from vyos.config import Config
from vyos import ConfigError
from vyos.ifconfig import WireGuardIf
-ifname = str(os.environ['VYOS_TAGNODE_VALUE'])
-intfc = WireGuardIf(ifname)
+try:
+ ifname = str(os.environ['VYOS_TAGNODE_VALUE'])
+ intfc = WireGuardIf(ifname)
+except KeyError:
+ print("Interface not specified")
+ sys.exit(1)
kdir = r'/config/auth/wireguard'
-def check_kmod():
+def _check_kmod():
if not os.path.exists('/sys/module/wireguard'):
sl.syslog(sl.LOG_NOTICE, "loading wirguard kmod")
if os.system('sudo modprobe wireguard') != 0:
@@ -39,6 +43,19 @@ def check_kmod():
raise ConfigError("modprobe wireguard failed")
+def _migrate_default_keys():
+ if os.path.exists('{}/private.key'.format(kdir)) and not os.path.exists('{}/default/private.key'.format(kdir)):
+ sl.syslog(sl.LOG_NOTICE, "migrate keypair to default")
+ old_umask = os.umask(0o027)
+ location = '{}/default'.format(kdir)
+ subprocess.call(['sudo mkdir -p ' + location], shell=True)
+ subprocess.call(['sudo chgrp vyattacfg ' + location], shell=True)
+ subprocess.call(['sudo chmod 750 ' + location], shell=True)
+ os.rename('{}/private.key'.format(kdir),'{}/private.key'.format(location))
+ os.rename('{}/public.key'.format(kdir),'{}/public.key'.format(location))
+ os.umask(old_umask)
+
+
def get_config():
c = Config()
if not c.exists('interfaces wireguard'):
@@ -257,7 +274,8 @@ def apply(c):
if __name__ == '__main__':
try:
- check_kmod()
+ _check_kmod()
+ _migrate_default_keys()
c = get_config()
verify(c)
apply(c)