Age | Commit message (Collapse) | Author |
|
Custom OpenVPN options moved back to the command line from a
configuration file. This should keep full compatibility with the
`crux` branch, and allows to avoid mistakes with parsing options
that contain `--` in the middle.
The only smart part of this - handling a `push` option. Because
of internal changes in OpenVPN, previously it did not require an
argument in the double-quotes, but after version update in
`equuleus` and `sagitta` old syntax became invalid. So, all the
`push` options are processed to add quotes. The solution is still
not complete, because if a single config line contains `push` with
other options, it will not work, but it is better than nothing.
(cherry picked from commit 3fd2ff423b6c6e992b2ed531c7ba99fb9e1a2123)
|
|
Some OpenVPN clients doesnt support option gateway and metric.
Set metric option only when 'metric' was added in config
explicity.
|
|
(cherry picked from commit 2647edc30f1e02840cae62fde8b44345d35ac720)
|
|
|
|
(cherry picked from commit c8ef5e8bdce01bbf05297df39e6c6223d0b2a2ea)
|
|
Executing iproute2 commands as unprivileged member of the openvpn group is now
handled via a sudoers file.
(cherry picked from commit 9c8facc69c09163b74bc428f1dbf8be030766758)
|
|
(cherry picked from commit 6b7b19c93f90839549dd668116c4da2f38cfdc66)
VyOS 1.3 will ship OpenVPN 2.5.1 and thus it is the perfect timing to still
remove this option before introducing it in a new LTS release.
|
|
The CLI statement "set interfaces openvpn vtun10 openvpn-option '--tun-mtu 1500
--fragment 1300 --mssfix'" will render in vtun10.conf to:
--tun-mtu 1500 --fragment 1300 --mssfix
On startup OpenVPN complains about:
openvpn-vtun10: Options error: Unrecognized option or missing or extra
parameter(s) in vtun10.conf:76: tun-mtu (2.4.7)
The options must be split on -- to a new configuration line.
(cherry picked from commit f8a8ee02d0ede240f555ffa558665df686df24a8)
|
|
|
|
|
|
|
|
When rendering the configs "ifconfig" statement wrong IP addresses have been
used for the "tun" operating mode. This has been corrected.
|
|
|
|
|
|
setting this to udp will allow both IPv4 and IPv6 connections. According to the
MAN page: proto indicates the protocol to use when connecting with the remote,
and may be "tcp" or "udp". For forcing IPv4 or IPv6 connection suffix tcp or
udp with 4/6 like udp4/udp6/tcp4/tcp6.
|
|
|
|
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined.
All places now have been converged into vyos.template as they are used both
in the Jinja2 templates and also in our scripts.
|
|
|
|
Re-organize the template code and add addtitional Jinja2 filters for processing
the ifconfig-pool statement. This reverts the changes from commit 7e546be9
("openvpn: T2994: temporary revert to 1.2 crux behavior for client pools").
|
|
Remove workaround which split (local|remote)_address and also subnet keys into
individual keys for the assigned IP address family (4/6).
During template rendering check IP version by introducing new ipv4 and ipv6
Jinja2 filters {% if foo | ipv4 %} or {% if bar | ipv6 %} options.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Commit bb9f998 introduced a bug where openvpn fails to start if
'local-host' is an IPv4 address due to 'proto' wanting a IPv6 socket.
This adds a conditional check and uses normal proto if it's IPv4.
|
|
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to
systemd") as not all relevant configuration files have been re-rendered
into /run/openvpn.
|
|
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to
systemd") as not all relevant configuration files have been re-rendered
into /run/openvpn
|
|
- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitely open an IPv6 listening socket
(tcp6-server, tcp6-client, udp6) as the default on Linux listens on
IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
|
|
|
|
openvpn: T2235: add custom server pool handling
|
|
- add config options and logic for server client-ip-pool
- add function for determining default IPs for the server in different
configurations
- verify for pool IPs and maximum subnet prefix length
- move remote netmask logic for client ifconfig-push to use new function
- add topology 'net30' , set it as default (as it already was)
- replace generic ip_* with IPv4* where necessary
- print warning to console when server client IP is in server pool
- fix server subnet help field
|
|
Commit a457c9d2 moved the config directory to /run/openvpn but didn't move
the client-config-dir in the template.
|
|
|
|
|
|
Commit ef27cef0 mistakenly removed client-config-dir from the
server template.
|
|
- rearranged options to put them in logical groups separated by blank
lines
- removed unnecessary blank lines (whitespace)
- fixed encryption if-else comparison logic that caused 3des to be
ignored
- set tls if tls-version-min is set
|
|
|