summaryrefslogtreecommitdiff
path: root/src/conf_mode/interfaces-openvpn.py
AgeCommit message (Collapse)Author
2022-09-14openvpn: T4679: Fix incorrect verify local and remote addressViacheslav Hletenko
In the OpenVPN site-to-site config we can use IPv6 peers without IPv4 configurations but "verify()" checks also local and remote IPv4 addresses that in this case will be empty lists For example: set interfaces openvpn vtun2 local-address 2001:db8::1 set interfaces openvpn vtun2 remote-address 2001:db8::2 Check in the commit (v4loAddr == v4remAddr) <= both empty lists commit DEBUG: [] == [] or ['2001:db8::2'] == [] So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr are not empty
2022-07-18interfaces: T4525: interfaces can not be member of a bridge/bond and a VRFChristian Poessinger
(cherry picked from commit 81e0f4a8dece85da7169ba05448e870206aaf57b)
2022-04-29openvpn: T4369: enforce daemon-restart on openvpn-option CLI changeChristian Poessinger
(cherry picked from commit e36efa6b5df764982678a470b7aa82a33c1c369c)
2022-03-24Merge pull request #1210 from sever-sever/T4230-equChristian Poessinger
openvpn: T4230: Delete checks if local-host address assigned
2022-03-24openvpn: T4294: force service restart on openvpn-option node changeChristian Poessinger
(cherry picked from commit 999b1e50dfdea8694174e82d22b2438cb1bf5e28)
2022-02-15openvpn: T3686: Fix for check local-address in script and tmplViacheslav Hletenko
Local-address should be checked/executed only if it exists in the openvpn configuration, dictionary, jinja2 template (cherry picked from commit 230ac0a202acd7ae9ad9bccb9e777ee5a0e0b7b7)
2022-02-09openvpn: T4230: Delete checks if local-host address assignedViacheslav Hletenko
OpenVPN can't start if it depends on VRRP virtual-address as virtual-address is not yet assigned by HA (openvpn and ha in one commit) as we have checks "if address assigned" It depends on commit priorities: 460 interfaces/openvpn 800 high-availability Replace check if local-host address assigned from raise ConfigError to print (just notification) Allow to bind OpenVPN service to nonlocal address
2021-11-17openvpn: T3995: implement systemd reload supportChristian Poessinger
(cherry picked from commit eceaa3a787929f5a514b9c45da52936c0d4d4a54)
2021-11-17OpenVPN: T3350: Changed custom options for OpenVPN processingzsdc
Custom OpenVPN options moved back to the command line from a configuration file. This should keep full compatibility with the `crux` branch, and allows to avoid mistakes with parsing options that contain `--` in the middle. The only smart part of this - handling a `push` option. Because of internal changes in OpenVPN, previously it did not require an argument in the double-quotes, but after version update in `equuleus` and `sagitta` old syntax became invalid. So, all the `push` options are processed to add quotes. The solution is still not complete, because if a single config line contains `push` with other options, it will not work, but it is better than nothing. (cherry picked from commit 3fd2ff423b6c6e992b2ed531c7ba99fb9e1a2123)
2021-09-14openvpn: T3822: fix certificate permissionsChristian Poessinger
Commit b8bb9f586 ("T3822: set the OpenVPN key file owner to openvpn:openvpn") changed the permissions only for file present in the "fix_permissions" list. The list did not contain all required certificates - this has been fixed.
2021-09-12T3822: set the OpenVPN key file owner to openvpn:openvpnDaniil Baturin
2021-09-09openvpn: T3805: drop privileges using systemd - required for rtnetlinkChristian Poessinger
(cherry picked from commit 2647edc30f1e02840cae62fde8b44345d35ac720)
2021-09-09openvpn: T3805: use vyos.util.makedir() to create system directoriesChristian Poessinger
(cherry picked from commit 84e912ab2f583864e637c2df137f62f3d4cbeb14)
2021-08-14openvpn: T3738: Disable authentication option for server modeViacheslav
(cherry picked from commit 655876f4c22c0f4ea839a81f4af09d6016e19197)
2021-07-24openvpn: T65: Fix auth-user-pass authentication onlyYun Zheng Hu
2021-06-25openvpn: T1704: drop deprecated disable-ncp optionChristian Poessinger
(cherry picked from commit 6b7b19c93f90839549dd668116c4da2f38cfdc66) VyOS 1.3 will ship OpenVPN 2.5.1 and thus it is the perfect timing to still remove this option before introducing it in a new LTS release.
2021-01-17openvpn: T2994: proper cleanup all files on interface deletionChristian Poessinger
(cherry picked from commit c0aaa0b8707c17fe86e6483b3f5caecaa3f7fd72)
2020-12-31openvpn: T2994: fix ipv6 server modeChristian Poessinger
2020-11-27vyos.template: T2720: always enable Jinja2 trim_blocks featureChristian Poessinger
2020-11-23openvpn: T3074: fix site-2-site operation modeChristian Poessinger
When rendering the configs "ifconfig" statement wrong IP addresses have been used for the "tun" operating mode. This has been corrected.
2020-11-21openvpn: T3060: fix client authentication username and password fileChristian Poessinger
2020-11-13openvpn: T3060: Remote-host is a required param for clientsever-sever
2020-11-13vyos.template: provide general is_ip(v4|v6) helpersChristian Poessinger
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined. All places now have been converged into vyos.template as they are used both in the Jinja2 templates and also in our scripts.
2020-11-06openvpn: T3051: fix multiple pushed routes to preconfigured clientsChristian Poessinger
2020-11-04openvpn: T3046: create client config dir on-demandChristian Poessinger
This commit partially reverts commit eb1ed5e518 ("openvpn: T2994: re-add ifconfig-pool statement in server config").
2020-11-01openvpn: T2994: re-add ifconfig-pool statement in server configChristian Poessinger
Re-organize the template code and add addtitional Jinja2 filters for processing the ifconfig-pool statement. This reverts the changes from commit 7e546be9 ("openvpn: T2994: temporary revert to 1.2 crux behavior for client pools").
2020-11-01openvpn: T2994: remove workarounds for individual ipv4 and ipv6 keysChristian Poessinger
Remove workaround which split (local|remote)_address and also subnet keys into individual keys for the assigned IP address family (4/6). During template rendering check IP version by introducing new ipv4 and ipv6 Jinja2 filters {% if foo | ipv4 %} or {% if bar | ipv6 %} options.
2020-10-30openvpn: T2994: verify DH key lengthChristian Poessinger
2020-10-30openvpn: T2994: migrate to get_config_dict()Christian Poessinger
2020-10-18openvpn: T2969: ensure interface is always removedChristian Poessinger
2020-10-18openvpn: T2969: force creation of tunnel interfacesChristian Poessinger
A lot of VyOS code requires the Kernel interface to be present in order to properly work and adjust the interface to the users CLI intends (alias, ipv6, vrf - just to name a few). OpenVPN - when run in client mode - only creates the interface (e.g. vtun1) when the connection to the OpenVPN server was successful. This can't be always the case due to e.g. software-updates or routing issues to the remote side. This will in the end result in a zombie OpenVPN client interface where some config items might not have been set when the interface finally comes up - imagine a wrong assigned VRF instance. By always creating the OpenVPN interface manuall we ensure that all the CLI settings are properly configured in the OS kernel.
2020-10-17ifconfig: T2985: support on demand bridge creationChristian Poessinger
The current implementation for bridge based interfaces has an issue which is caused by priority inheritance. We always assumed that the bridge interface will be created last, but this may not be true in all cases, where some interfaces will be created "on demand" - e.g. OpenVPN or late (VXLAN, GENEVE). As we already have a bunch of verify steps in place we should not see a bridge interface leak to the underlaying infrastructure code. This means, whenever an interface will be member of a bridge, and the bridge does yet not exist, we will create it in advance in the interface context, as the bridge code will be run in the same commit but maybe sooner or later. This will also be the solution for T2924.
2020-09-22openvpn: T2907: add 'none' encryption option to not encrypt any dataMarcus Hoff
2020-09-22ifconfig: T2653: move is_member() from vyos.vylidate to vyos.configdictChristian Poessinger
2020-08-31configd: T2582: add scripts to include list for daemonJohn Estabrook
2020-06-04openvpn: T2550: fix for IPv4 remote-host addressesMikhail Rozentsvayg
Commit bb9f998 added IPv6 support for OpenVPN, but IPv4 only configurations stopped working (Address family for hostname not supported) Commit fc467519 fixed some scenarios by using IPv4 protocols if 'local-host' is IPv4 address, but the client mode is using 'remote-host' instead and was still broken. This commit in addition to 'local-host' also checks all the 'remote-host' addresses.
2020-05-31openvpn: T2532: add VRF supportChristian Poessinger
2020-05-29airbag: T2088: explicit enabling of the featureThomas Mangin
airbag must now be explicitly installed. the patch also allow to fully disables the installation of the logging code at setup (and not just installing and doing nothing)
2020-05-11openvpn: T2449: set accept_ra=2 if ipv6 address autoconf or dhcpv6 is setJernej Jakob
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2 (default for accept_ra is 1).
2020-05-07openvpn: T2241: fix wrong indent caused by 66e15005Jernej Jakob
2020-05-04openvpn: T2241: remove redundant bridge_member variableJernej Jakob
2020-05-04validate: T2241: rewrite is_bridge_member to generic is_memberJernej Jakob
- rewrite the function to support both bridge and bonding interface types, if the type is passed it searches only that type, otherwise it searches both - move is_member check out of the deleted condition - move is_member check to intf_from_dict for interfaces that use it
2020-04-23interfaces: T2362: add node to delete the default IPv6 link-local addressJernej Jakob
2020-04-23interfaces: T2362: allow setting multiple 'ipv6 address eui64'Jernej Jakob
2020-04-23interfaces: T2362: add default IPv6 link-local address to make IPv6 workJernej Jakob
2020-04-23interfaces: T2362: split set_ipv6_eui64_address into add and del functionsJernej Jakob
2020-04-20openvpn: T2339: fix for IPv4 local-host addressesJernej Jakob
Commit bb9f998 introduced a bug where openvpn fails to start if 'local-host' is an IPv4 address due to 'proto' wanting a IPv6 socket. This adds a conditional check and uses normal proto if it's IPv4.
2020-04-19openvpn: T2336: delete auth-user-pass file when interface is unused #2Christian Poessinger
2020-04-19Revert "openvpn: T2336: delete auth-user-pass file when interface is unused"Christian Poessinger
This reverts commit 26adfd6d0d03af44a03f327478199f3009f2ad3c.
2020-04-19openvpn: T2336: delete auth-user-pass file when interface is unusedChristian Poessinger
Unused means disabled or even deleted - there should be no secrets left-over.