path: root/src/conf_mode/interfaces-openvpn.py
Age  Commit message  Author
2021-09-01  more 2fa changes  (Kim Hagen)
2021-08-17  add part 2fa  (Kim Hagen)
2021-08-13  openvpn: T3738: Disable authentication option for server mode  (Viacheslav)
2021-07-21  pki: openvpn: T3642: Migrate OpenVPN to PKI and refactors  (sarthurdev)
2021-07-17  Revert "openvpn: T56: remove strict checks for tls cert-file and key-file"  (Christian Poessinger)
This reverts commit c414479fdf1d5ad77170f977481fb9197c9559ae. This commit broke the smoketests and also OpenVPN complains: "Options error: You must define certificate file (--cert) or PKCS#12 file (--pkcs12)".
2021-07-13  openvpn: T56: remove strict checks for tls cert-file and key-file  (Yun Zheng Hu)
This makes the tls cert-file and key-file optional and allows for more advanced configurations via "openvpn-option", such as pkcs11 or pkcs12 options.
2021-06-25  openvpn: T1704: drop deprecated disable-ncp option  (Christian Poessinger)
2021-02-28  vyos.ifconfig: T1579: remove calls to vyos.ifconfig.Interface.get_config()  (Christian Poessinger)
Interface.get_config() was always a pure helper which exposed a "per interface type" dictionary which was then fed by the caller to create interfaces by iproute2 which required additional options during creation time. Such interfaces had been:
* tunnel
* vxlan
* geneve
* macsec
* wifi
* macvlan / pseudo-ethernet
The code was always duplicated to convert from the VyOS CLI based get_config_dict() to a dict which can be used to feed iproute2. This path has been removed and we now always feed in the entire dictionary retrieved by get_config_dict() or, in the interfaces case, its high-level wrapper get_interface_dict() to the interface we want to create. This also adds the - personally long awaited - possibility to get rid of the derived tunnel classes for e.g. GRE, IPIP, IPIP6 and so on.
2021-01-17  openvpn: T2994: proper cleanup all files on interface deletion  (Christian Poessinger)
2020-12-31  openvpn: T2994: fix ipv6 server mode  (Christian Poessinger)
2020-11-27  vyos.template: T2720: always enable Jinja2 trim_blocks feature  (Christian Poessinger)
2020-11-23  openvpn: T3074: fix site-2-site operation mode  (Christian Poessinger)
When rendering the config's "ifconfig" statement, wrong IP addresses have been used for the "tun" operating mode. This has been corrected.
2020-11-21  openvpn: T3060: fix client authentication username and password file  (Christian Poessinger)
2020-11-13  openvpn: T3060: Remote-host is a required param for client  (sever-sever)
2020-11-13  vyos.template: provide general is_ip(v4|v6) helpers  (Christian Poessinger)
We had two places where the is_ip, is_ipv4 and is_ipv6 helpers had been defined. All places have now been converged into vyos.template as they are used both in the Jinja2 templates and also in our scripts.
2020-11-06  openvpn: T3051: fix multiple pushed routes to preconfigured clients  (Christian Poessinger)
2020-11-04  openvpn: T3046: create client config dir on-demand  (Christian Poessinger)
This commit partially reverts commit eb1ed5e518 ("openvpn: T2994: re-add ifconfig-pool statement in server config").
2020-11-01  openvpn: T2994: re-add ifconfig-pool statement in server config  (Christian Poessinger)
Re-organize the template code and add additional Jinja2 filters for processing the ifconfig-pool statement. This reverts the changes from commit 7e546be9 ("openvpn: T2994: temporary revert to 1.2 crux behavior for client pools").
2020-11-01  openvpn: T2994: remove workarounds for individual ipv4 and ipv6 keys  (Christian Poessinger)
Remove the workaround which split the (local|remote)_address and also subnet keys into individual keys for the assigned IP address family (4/6). During template rendering, check the IP version by introducing new ipv4 and ipv6 Jinja2 filters: {% if foo | ipv4 %} or {% if bar | ipv6 %}.
2020-10-30  openvpn: T2994: verify DH key length  (Christian Poessinger)
2020-10-30  openvpn: T2994: migrate to get_config_dict()  (Christian Poessinger)
2020-10-18  openvpn: T2969: ensure interface is always removed  (Christian Poessinger)
2020-10-18  openvpn: T2969: force creation of tunnel interfaces  (Christian Poessinger)
A lot of VyOS code requires the Kernel interface to be present in order to properly work and adjust the interface to the user's CLI intents (alias, ipv6, vrf - just to name a few). OpenVPN - when run in client mode - only creates the interface (e.g. vtun1) when the connection to the OpenVPN server was successful. This can't always be the case due to e.g. software updates or routing issues to the remote side. This will in the end result in a zombie OpenVPN client interface where some config items might not have been set when the interface finally comes up - imagine a wrongly assigned VRF instance. By always creating the OpenVPN interface manually we ensure that all the CLI settings are properly configured in the OS kernel.
2020-10-17  ifconfig: T2985: support on demand bridge creation  (Christian Poessinger)
The current implementation for bridge based interfaces has an issue which is caused by priority inheritance. We always assumed that the bridge interface will be created last, but this may not be true in all cases, where some interfaces will be created "on demand" (e.g. OpenVPN) or late (VXLAN, GENEVE). As we already have a bunch of verify steps in place we should not see a bridge interface leak to the underlying infrastructure code. This means, whenever an interface will be a member of a bridge, and the bridge does not yet exist, we will create it in advance in the interface context, as the bridge code will be run in the same commit but maybe sooner or later. This will also be the solution for T2924.
2020-09-22  openvpn: T2907: add 'none' encryption option to not encrypt any data  (Marcus Hoff)
2020-09-22  ifconfig: T2653: move is_member() from vyos.validate to vyos.configdict  (Christian Poessinger)
2020-08-31  configd: T2582: add scripts to include list for daemon  (John Estabrook)
2020-06-04  openvpn: T2550: fix for IPv4 remote-host addresses  (Mikhail Rozentsvayg)
Commit bb9f998 added IPv6 support for OpenVPN, but IPv4 only configurations stopped working (Address family for hostname not supported). Commit fc467519 fixed some scenarios by using IPv4 protocols if 'local-host' is an IPv4 address, but the client mode is using 'remote-host' instead and was still broken. This commit, in addition to 'local-host', also checks all the 'remote-host' addresses.
2020-05-31  openvpn: T2532: add VRF support  (Christian Poessinger)
2020-05-29  airbag: T2088: explicit enabling of the feature  (Thomas Mangin)
airbag must now be explicitly installed. The patch also allows to fully disable the installation of the logging code at setup (and not just installing and doing nothing).
2020-05-11  openvpn: T2449: set accept_ra=2 if ipv6 address autoconf or dhcpv6 is set  (Jernej Jakob)
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2 (the default for accept_ra is 1).
2020-05-07  openvpn: T2241: fix wrong indent caused by 66e15005  (Jernej Jakob)
2020-05-04  openvpn: T2241: remove redundant bridge_member variable  (Jernej Jakob)
2020-05-04  validate: T2241: rewrite is_bridge_member to generic is_member  (Jernej Jakob)
- rewrite the function to support both bridge and bonding interface types; if the type is passed it searches only that type, otherwise it searches both
- move is_member check out of the deleted condition
- move is_member check to intf_from_dict for interfaces that use it
2020-04-23  interfaces: T2362: add node to delete the default IPv6 link-local address  (Jernej Jakob)
2020-04-23  interfaces: T2362: allow setting multiple 'ipv6 address eui64'  (Jernej Jakob)
2020-04-23  interfaces: T2362: add default IPv6 link-local address to make IPv6 work  (Jernej Jakob)
2020-04-23  interfaces: T2362: split set_ipv6_eui64_address into add and del functions  (Jernej Jakob)
2020-04-20  openvpn: T2339: fix for IPv4 local-host addresses  (Jernej Jakob)
Commit bb9f998 introduced a bug where openvpn fails to start if 'local-host' is an IPv4 address due to 'proto' wanting an IPv6 socket. This adds a conditional check and uses the normal proto if it's IPv4.
2020-04-19  openvpn: T2336: delete auth-user-pass file when interface is unused #2  (Christian Poessinger)
2020-04-19  Revert "openvpn: T2336: delete auth-user-pass file when interface is unused"  (Christian Poessinger)
This reverts commit 26adfd6d0d03af44a03f327478199f3009f2ad3c.
2020-04-19  openvpn: T2336: delete auth-user-pass file when interface is unused  (Christian Poessinger)
Unused means disabled or even deleted - there should be no secrets left over.
2020-04-19  openvpn: T2336: fix auth-user-pass file generation  (Christian Poessinger)
Bug introduced in commit b36e6e6 ("openvpn: T2273: migrate from SysVinit to systemd"), as not all relevant configuration files have been re-rendered into /run/openvpn.
2020-04-19  bridge: T2232: move helper to vyos.validate  (Christian Poessinger)
2020-04-16  openvpn: T149: IPv6 support  (Jernej Jakob)
- allow configuring IPv6 server addresses and push options
- add IPv6 server client IP pool
- add IPv6 push dhcp-option DNS6
- allow configuring IPv6 server client addresses
- allow configuring IPv6 site-to-site addresses
- validate all IPv6 options and addresses
- use protos that explicitly open an IPv6 listening socket (tcp6-server, tcp6-client, udp6) as the default on Linux listens on IPv4 only (https://community.openvpn.net/openvpn/ticket/360)
- add validator for any IPv6 address, host or network (used by pool)
2020-04-15  openvpn: T2335: allow disabling client-ip-pool  (Jernej Jakob)
2020-04-15  openvpn: T2293: fix UnboundLocalError if server subnet is unset  (Jernej Jakob)
2nd part of this fix; the first commit 9b6a369 didn't fix it.
2020-04-14  openvpn: T2293: fix UnboundLocalError if server subnet is unset  (Jernej Jakob)
Commit bb36bde introduced a bug when the server subnet is unset; this fixes it.
2020-04-13  Merge pull request #325 from jjakob/openvpn-pool  (Christian Poessinger)
openvpn: T2235: add custom server pool handling
2020-04-13  openvpn: T2235: add custom server pool handling  (jjakob)
- add config options and logic for server client-ip-pool
- add function for determining default IPs for the server in different configurations
- verify for pool IPs and maximum subnet prefix length
- move remote netmask logic for client ifconfig-push to use new function
- add topology 'net30', set it as default (as it already was)
- replace generic ip_* with IPv4* where necessary
- print warning to console when server client IP is in server pool
- fix server subnet help field