From 66e150056ad2cfecb302ab7f42d06096395b7517 Mon Sep 17 00:00:00 2001 From: Jernej Jakob Date: Fri, 1 May 2020 13:38:51 +0200 Subject: openvpn: T2241: remove redundant bridge_member variable --- data/templates/openvpn/server.conf.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'data') diff --git a/data/templates/openvpn/server.conf.tmpl b/data/templates/openvpn/server.conf.tmpl index 75ab602f8..401f8e04b 100644 --- a/data/templates/openvpn/server.conf.tmpl +++ b/data/templates/openvpn/server.conf.tmpl @@ -74,7 +74,7 @@ nobind topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %} {%- endif %} -{%- if bridge_member %} +{%- if is_bridge_member %} mode server tls-server {%- else %} -- cgit v1.2.3 From d55050dcb8806a982b0394dcde00c1814499d9f3 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 6 May 2020 21:41:15 +0200 Subject: sstp: T2392: add initial IPv6 support New commands added: * set vpn sstp network-settings client-ipv6-pool prefix 2001:db8::/64 mask 112 * set vpn sstp network-settings client-ipv6-pool delegate 2001:db8:100::/48 delegation-prefix 64 --- data/templates/accel-ppp/sstp.config.tmpl | 21 +++++++++++++++ interface-definitions/vpn_sstp.xml.in | 1 + src/conf_mode/vpn_sstp.py | 43 ++++++++++++++++++++++++++++--- 3 files changed, 62 insertions(+), 3 deletions(-) (limited to 'data') diff --git a/data/templates/accel-ppp/sstp.config.tmpl b/data/templates/accel-ppp/sstp.config.tmpl index c3dc83429..e0a48a44e 100644 --- a/data/templates/accel-ppp/sstp.config.tmpl +++ b/data/templates/accel-ppp/sstp.config.tmpl @@ -9,6 +9,9 @@ chap-secrets radius {% endif -%} ippool +ipv6pool +ipv6_nd +ipv6_dhcp {% for proto in auth_proto %} {{proto}} @@ -87,6 +90,9 @@ check-ip=1 {% if mtu %} mtu={{ mtu }} {% endif -%} +{% if client_ipv6_pool %} +ipv6=allow +{% endif %} {% if ppp_mppe %} mppe={{ ppp_mppe }} @@ -101,6 +107,21 @@ lcp-echo-failure={{ ppp_echo_failure }} lcp-echo-timeout={{ ppp_echo_timeout }} {% endif %} +{% if client_ipv6_pool %} +[ipv6-pool] +{% for p in client_ipv6_pool %} +{{ p.prefix }},{{ p.mask }} +{% endfor %} +{% for p in client_ipv6_delegate_prefix %} +delegate={{ p.prefix }},{{ p.mask }} +{% endfor %} +{% endif %} + +{% if client_ipv6_delegate_prefix %} +[ipv6-dhcp] +verbose=1 +{% endif %} + {% if radius_shaper_attr %} [shaper] verbose=1 diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in index 7e4471015..4ce231e0f 100644 --- a/interface-definitions/vpn_sstp.xml.in +++ b/interface-definitions/vpn_sstp.xml.in @@ -220,6 +220,7 @@ + #include #include diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index d250cd3b0..6d9496012 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -35,7 +35,11 @@ default_config_data = { 'auth_mode' : 'local', 'auth_proto' : ['auth_mschap_v2'], 'chap_secrets_file': sstp_chap_secrets, # used in Jinja2 template + 'client_ip_pool' : [], + 'client_ipv6_pool': [], + 'client_ipv6_delegate_prefix': [], 'client_gateway': '', + 'dnsv4' : [], 'radius_server' : [], 'radius_acct_tmo' : '3', 'radius_max_try' : '3', @@ -49,8 +53,6 @@ default_config_data = { 'ssl_ca' : '', 'ssl_cert' : '', 'ssl_key' : '', - 'client_ip_pool' : [], - 'dnsv4' : [], 'mtu' : '', 'ppp_mppe' : 'prefer', 'ppp_echo_failure' : '', @@ -210,7 +212,7 @@ def get_config(): # - # read in client ip pool settings + # read in client IPv4 pool conf.set_level(base_path + ['network-settings', 'client-ip-settings']) if conf.exists(['subnet']): sstp['client_ip_pool'] = conf.return_values(['subnet']) @@ -218,6 +220,33 @@ def get_config(): if conf.exists(['gateway-address']): sstp['client_gateway'] = conf.return_value(['gateway-address']) + # + # read in client IPv6 pool + conf.set_level(base_path + ['network-settings', 'client-ipv6-pool']) + if conf.exists(['prefix']): + for prefix in conf.list_nodes(['prefix']): + tmp = { + 'prefix': prefix, + 'mask': '64' + } + + if conf.exists(['prefix', prefix, 'mask']): + tmp['mask'] = conf.return_value(['prefix', prefix, 'mask']) + + sstp['client_ipv6_pool'].append(tmp) + + if conf.exists(['delegate']): + for prefix in conf.list_nodes(['delegate']): + tmp = { + 'prefix': prefix, + 'mask': '' + } + + if conf.exists(['delegate', prefix, 'delegation-prefix']): + tmp['mask'] = conf.return_value(['delegate', prefix, 'delegation-prefix']) + + sstp['client_ipv6_delegate_prefix'].append(tmp) + # # read in network settings conf.set_level(base_path + ['network-settings']) @@ -275,6 +304,14 @@ def verify(sstp): if len(sstp['dnsv4']) > 2: raise ConfigError('Not more then two IPv4 DNS name-servers can be configured') + # check ipv6 + if sstp['client_ipv6_delegate_prefix'] and not sstp['client_ipv6_pool']: + raise ConfigError('IPv6 prefix delegation requires client-ipv6-pool prefix') + + for prefix in sstp['client_ipv6_delegate_prefix']: + if not prefix['mask']: + raise ConfigError('Delegation-prefix required for individual delegated networks') + if not sstp['ssl_ca'] or not sstp['ssl_cert'] or not sstp['ssl_key']: raise ConfigError('One or more SSL certificates missing') -- cgit v1.2.3 From ed22334321d3b6f27b5d695a4f984257b909f78b Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Wed, 6 May 2020 21:44:07 +0200 Subject: sstp: T2392: add IPv6 DNS support New command added: * set vpn sstp network-settings name-server 2001:db8::1111 --- data/templates/accel-ppp/sstp.config.tmpl | 8 ++++++++ interface-definitions/vpn_sstp.xml.in | 14 +------------- src/conf_mode/vpn_sstp.py | 13 +++++++++---- 3 files changed, 18 insertions(+), 17 deletions(-) (limited to 'data') diff --git a/data/templates/accel-ppp/sstp.config.tmpl b/data/templates/accel-ppp/sstp.config.tmpl index e0a48a44e..411fca489 100644 --- a/data/templates/accel-ppp/sstp.config.tmpl +++ b/data/templates/accel-ppp/sstp.config.tmpl @@ -54,6 +54,14 @@ dns{{ loop.index }}={{ dns }} {% endfor -%} {% endif %} +{% if dnsv6 %} +[ipv6-dns] +{% for dns in dnsv6 -%} +{{ dns }} +{% endfor -%} +{% endif %} + + {% if auth_mode == 'local' %} [chap-secrets] chap-secrets={{ chap_secrets_file }} diff --git a/interface-definitions/vpn_sstp.xml.in b/interface-definitions/vpn_sstp.xml.in index 4ce231e0f..f0c93b882 100644 --- a/interface-definitions/vpn_sstp.xml.in +++ b/interface-definitions/vpn_sstp.xml.in @@ -207,20 +207,8 @@ - - - DNS servers propagated to clients - - ipv4 - IPv4 address - - - - - - - #include + #include #include diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 6d9496012..7c3e3f515 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -22,10 +22,10 @@ from copy import deepcopy from stat import S_IRUSR, S_IWUSR, S_IRGRP from vyos.config import Config -from vyos import ConfigError -from vyos.util import call, run, get_half_cpus from vyos.template import render - +from vyos.util import call, run, get_half_cpus +from vyos.validate import is_ipv4 +from vyos import ConfigError sstp_conf = '/run/accel-pppd/sstp.conf' sstp_chap_secrets = '/run/accel-pppd/sstp.chap-secrets' @@ -40,6 +40,7 @@ default_config_data = { 'client_ipv6_delegate_prefix': [], 'client_gateway': '', 'dnsv4' : [], + 'dnsv6' : [], 'radius_server' : [], 'radius_acct_tmo' : '3', 'radius_max_try' : '3', @@ -251,7 +252,11 @@ def get_config(): # read in network settings conf.set_level(base_path + ['network-settings']) if conf.exists(['name-server']): - sstp['dnsv4'] = conf.return_values(['name-server']) + for name_server in conf.return_values(['name-server']): + if is_ipv4(name_server): + sstp['dnsv4'].append(name_server) + else: + sstp['dnsv6'].append(name_server) if conf.exists(['mtu']): sstp['mtu'] = conf.return_value(['mtu']) -- cgit v1.2.3