Age | Commit message (Collapse) | Author |
|
In the OpenVPN site-to-site config we can use IPv6 peers
without IPv4 configurations but "verify()" checks also local and
remote IPv4 addresses that in this case will be empty lists
For example:
set interfaces openvpn vtun2 local-address 2001:db8::1
set interfaces openvpn vtun2 remote-address 2001:db8::2
Check in the commit (v4loAddr == v4remAddr) <= both empty lists
commit
DEBUG: [] == [] or ['2001:db8::2'] == []
So we should also check v4loAddr, v4remAddr, v6loAddr, v6remAddr
are not empty
|
|
(cherry picked from commit 81e0f4a8dece85da7169ba05448e870206aaf57b)
|
|
(cherry picked from commit e36efa6b5df764982678a470b7aa82a33c1c369c)
|
|
openvpn: T4230: Delete checks if local-host address assigned
|
|
(cherry picked from commit 999b1e50dfdea8694174e82d22b2438cb1bf5e28)
|
|
Local-address should be checked/executed only if it exists in the
openvpn configuration, dictionary, jinja2 template
(cherry picked from commit 230ac0a202acd7ae9ad9bccb9e777ee5a0e0b7b7)
|
|
OpenVPN can't start if it depends on VRRP virtual-address as
virtual-address is not yet assigned by HA (openvpn and ha
in one commit) as we have checks "if address assigned"
It depends on commit priorities:
460 interfaces/openvpn
800 high-availability
Replace check if local-host address assigned from raise ConfigError
to print (just notification)
Allow to bind OpenVPN service to nonlocal address
|
|
(cherry picked from commit eceaa3a787929f5a514b9c45da52936c0d4d4a54)
|
|
Custom OpenVPN options moved back to the command line from a
configuration file. This should keep full compatibility with the
`crux` branch, and allows to avoid mistakes with parsing options
that contain `--` in the middle.
The only smart part of this - handling a `push` option. Because
of internal changes in OpenVPN, previously it did not require an
argument in the double-quotes, but after version update in
`equuleus` and `sagitta` old syntax became invalid. So, all the
`push` options are processed to add quotes. The solution is still
not complete, because if a single config line contains `push` with
other options, it will not work, but it is better than nothing.
(cherry picked from commit 3fd2ff423b6c6e992b2ed531c7ba99fb9e1a2123)
|
|
Commit b8bb9f586 ("T3822: set the OpenVPN key file owner to openvpn:openvpn")
changed the permissions only for file present in the "fix_permissions" list.
The list did not contain all required certificates - this has been fixed.
|
|
|
|
(cherry picked from commit 2647edc30f1e02840cae62fde8b44345d35ac720)
|
|
(cherry picked from commit 84e912ab2f583864e637c2df137f62f3d4cbeb14)
|
|
(cherry picked from commit 655876f4c22c0f4ea839a81f4af09d6016e19197)
|
|
|
|
(cherry picked from commit 6b7b19c93f90839549dd668116c4da2f38cfdc66)
VyOS 1.3 will ship OpenVPN 2.5.1 and thus it is the perfect timing to still
remove this option before introducing it in a new LTS release.
|
|
(cherry picked from commit c0aaa0b8707c17fe86e6483b3f5caecaa3f7fd72)
|
|
|
|
|
|
When rendering the configs "ifconfig" statement wrong IP addresses have been
used for the "tun" operating mode. This has been corrected.
|
|
|
|
|
|
We had two places were the is_ip, is_ipv4 and is_ipv6 helpers had been defined.
All places now have been converged into vyos.template as they are used both
in the Jinja2 templates and also in our scripts.
|
|
|
|
This commit partially reverts commit eb1ed5e518 ("openvpn: T2994: re-add
ifconfig-pool statement in server config").
|
|
Re-organize the template code and add addtitional Jinja2 filters for processing
the ifconfig-pool statement. This reverts the changes from commit 7e546be9
("openvpn: T2994: temporary revert to 1.2 crux behavior for client pools").
|
|
Remove workaround which split (local|remote)_address and also subnet keys into
individual keys for the assigned IP address family (4/6).
During template rendering check IP version by introducing new ipv4 and ipv6
Jinja2 filters {% if foo | ipv4 %} or {% if bar | ipv6 %} options.
|
|
|
|
|
|
|
|
A lot of VyOS code requires the Kernel interface to be present in order to
properly work and adjust the interface to the users CLI intends (alias, ipv6,
vrf - just to name a few).
OpenVPN - when run in client mode - only creates the interface (e.g. vtun1) when
the connection to the OpenVPN server was successful. This can't be always the
case due to e.g. software-updates or routing issues to the remote side. This
will in the end result in a zombie OpenVPN client interface where some config
items might not have been set when the interface finally comes up - imagine a
wrong assigned VRF instance.
By always creating the OpenVPN interface manuall we ensure that all the CLI
settings are properly configured in the OS kernel.
|
|
The current implementation for bridge based interfaces has an issue which is
caused by priority inheritance. We always assumed that the bridge interface will
be created last, but this may not be true in all cases, where some interfaces
will be created "on demand" - e.g. OpenVPN or late (VXLAN, GENEVE).
As we already have a bunch of verify steps in place we should not see a bridge
interface leak to the underlaying infrastructure code. This means, whenever an
interface will be member of a bridge, and the bridge does yet not exist, we will
create it in advance in the interface context, as the bridge code will be run
in the same commit but maybe sooner or later.
This will also be the solution for T2924.
|
|
|
|
|
|
|
|
Commit bb9f998 added IPv6 support for OpenVPN, but IPv4 only
configurations stopped working (Address family for hostname not supported)
Commit fc467519 fixed some scenarios by using IPv4 protocols
if 'local-host' is IPv4 address, but the client mode is using
'remote-host' instead and was still broken.
This commit in addition to 'local-host' also checks all the
'remote-host' addresses.
|
|
|
|
airbag must now be explicitly installed.
the patch also allow to fully disables the installation of the logging
code at setup (and not just installing and doing nothing)
|
|
To make SLAAC and DHCPv6 work when forwarding=1, accept_ra must be 2
(default for accept_ra is 1).
|
|
|
|
|
|
- rewrite the function to support both bridge and bonding interface types,
if the type is passed it searches only that type, otherwise it searches
both
- move is_member check out of the deleted condition
- move is_member check to intf_from_dict for interfaces that use it
|
|
|
|
|
|
|
|
|
|
Commit bb9f998 introduced a bug where openvpn fails to start if
'local-host' is an IPv4 address due to 'proto' wanting a IPv6 socket.
This adds a conditional check and uses normal proto if it's IPv4.
|
|
|
|
This reverts commit 26adfd6d0d03af44a03f327478199f3009f2ad3c.
|
|
Unused means disabled or even deleted - there should be no secrets left-over.
|