From c9eaafd9f808aba8d29be73054e11d37577e539a Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Sat, 30 Dec 2023 23:25:20 +0100 Subject: T5474: establish common file name pattern for XML conf mode commands We will use _ as CLI level divider. The XML definition filename and also the Python helper should match the CLI node. Example: set interfaces ethernet -> interfaces_ethernet.xml.in set interfaces bond -> interfaces_bond.xml.in set service dhcp-server -> service_dhcp-server-xml.in (cherry picked from commit 4ef110fd2c501b718344c72d495ad7e16d2bd465) --- interface-definitions/interfaces_openvpn.xml.in | 825 ++++++++++++++++++++++++ 1 file changed, 825 insertions(+) create mode 100644 interface-definitions/interfaces_openvpn.xml.in (limited to 'interface-definitions/interfaces_openvpn.xml.in') diff --git a/interface-definitions/interfaces_openvpn.xml.in b/interface-definitions/interfaces_openvpn.xml.in new file mode 100644 index 000000000..dadf5cb48 --- /dev/null +++ b/interface-definitions/interfaces_openvpn.xml.in @@ -0,0 +1,825 @@ + + + + + + + OpenVPN Tunnel Interface + 460 + + vtun[0-9]+ + + OpenVPN tunnel interface must be named vtunN + + vtunN + OpenVPN interface name + + + + #include + #include + + + OpenVPN interface device-type + + tun tap + + + tun + TUN device, required for OSI layer 3 + + + tap + TAP device, required for OSI layer 2 + + + (tun|tap) + + + tun + + #include + + + Data Encryption settings + + + + + Standard Data Encryption Algorithm + + none des 3des bf128 bf256 aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm + + + none + Disable encryption + + + des + DES algorithm + + + 3des + DES algorithm with triple encryption + + + bf128 + Blowfish algorithm with 128-bit key + + + bf256 + Blowfish algorithm with 256-bit key + + + aes128 + AES algorithm with 128-bit key CBC + + + aes128gcm + AES algorithm with 128-bit key GCM + + + aes192 + AES algorithm with 192-bit key CBC + + + aes192gcm + AES algorithm with 192-bit key GCM + + + aes256 + AES algorithm with 256-bit key CBC + + + aes256gcm + AES algorithm with 256-bit key GCM + + + (none|des|3des|bf128|bf256|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm) + + + + + + Cipher negotiation list for use in server or client mode + + none des 3des aes128 aes128gcm aes192 aes192gcm aes256 aes256gcm + + + none + Disable encryption + + + des + DES algorithm + + + 3des + DES algorithm with triple encryption + + + aes128 + AES algorithm with 128-bit key CBC + + + aes128gcm + AES algorithm with 128-bit key GCM + + + aes192 + AES algorithm with 192-bit key CBC + + + aes192gcm + AES algorithm with 192-bit key GCM + + + aes256 + AES algorithm with 256-bit key CBC + + + aes256gcm + AES algorithm with 256-bit key GCM + + + (none|des|3des|aes128|aes128gcm|aes192|aes192gcm|aes256|aes256gcm) + + + + + + + #include + #include + #include + + + Hashing Algorithm + + md5 sha1 sha256 sha384 sha512 + + + md5 + MD5 algorithm + + + sha1 + SHA-1 algorithm + + + sha256 + SHA-256 algorithm + + + sha384 + SHA-384 algorithm + + + sha512 + SHA-512 algorithm + + + (md5|sha1|sha256|sha384|sha512) + + + + + + Keepalive helper options + + + + + Maximum number of keepalive packet failures + + u32:0-1000 + Maximum number of keepalive packet failures + + + + + + 60 + + + + Keepalive packet interval in seconds + + u32:0-600 + Keepalive packet interval (seconds) + + + + + + 10 + + + + + + Local IP address of tunnel (IPv4 or IPv6) + + + + + + + + Subnet-mask for local IP address of tunnel (IPv4 only) + + + + + + + + + + Local IP address to accept connections (all if not set) + + ipv4 + Local IPv4 address + + + ipv6 + Local IPv6 address + + + + + + + + + Local port number to accept connections + + u32:1-65535 + Numeric IP port + + + + + + + + + OpenVPN mode of operation + + site-to-site client server + + + site-to-site + Site-to-site mode + + + client + Client in client-server mode + + + server + Server in client-server mode + + + (site-to-site|client|server) + + + + + + Configurable offload options + + + + + Enable data channel offload on this interface + + + + + + + + Additional OpenVPN options. You must use the syntax of openvpn.conf in this text-field. Using this without proper knowledge may result in a crashed OpenVPN server. Check system log to look for errors. + + + + + + Do not close and reopen interface (TUN/TAP device) on client restarts + + + + + + OpenVPN communication protocol + + udp tcp-passive tcp-active + + + udp + UDP + + + tcp-passive + TCP and accepts connections passively + + + tcp-active + TCP and initiates connections actively + + + (udp|tcp-passive|tcp-active) + + + udp + + + + IP address of remote end of tunnel + + ipv4 + Remote end IPv4 address + + + ipv6 + Remote end IPv6 address + + + + + + + + + + Remote host to connect to (dynamic if not set) + + ipv4 + IPv4 address of remote host + + + ipv6 + IPv6 address of remote host + + + txt + Hostname of remote host + + + + + + + Remote port number to connect to + + u32:1-65535 + Numeric IP port + + + + + + + + + OpenVPN tunnel to be used as the default route + + + + + Tunnel endpoints are on the same subnet + + + + + + + Server-mode options + + + + + Client-specific settings + + name + Client common-name in the certificate + + + + #include + + + IP address of the client + + ipv4 + Client IPv4 address + + + ipv6 + Client IPv6 address + + + + + + + + + + Route to be pushed to the client + + ipv4net + IPv4 network and prefix length + + + ipv6net + IPv6 network and prefix length + + + + + + + + + + Subnet belonging to the client (iroute) + + ipv4net + IPv4 network and prefix length belonging to the client + + + ipv6net + IPv6 network and prefix length belonging to the client + + + + + + + + + + + + Pool of client IPv4 addresses + + + #include + + + First IP address in the pool + + + + + ipv4 + IPv4 address + + + + + + Last IP address in the pool + + + + + ipv4 + IPv4 address + + + + + + Subnet mask pushed to dynamic clients. If not set the server subnet mask will be used. Only used with topology subnet or device type tap. Not used with bridged interfaces. + + + + + ipv4 + IPv4 subnet mask + + + + + + + + Pool of client IPv6 addresses + + + + + Client IPv6 pool base address with optional prefix length + + ipv6net + Client IPv6 pool base address with optional prefix length (defaults: base = server subnet + 0x1000, prefix length = server prefix length) + + + + + + + #include + + + + + DNS suffix to be pushed to all clients + + txt + Domain Name Server suffix + + + + + + Number of maximum client connections + + u32:1-4096 + Number of concurrent clients + + + + + + + #include + + + Route to be pushed to all clients + + ipv4net + IPv4 network and prefix length + + + ipv6net + IPv6 network and prefix length + + + + + + + + + Set metric for this route + + u32:0-4294967295 + Metric for this route + + + + + + 0 + + + + + + Reject connections from clients that are not explicitly configured + + + + + + Server-mode subnet (from which client IPs are allocated) + + ipv4net + IPv4 network and prefix length + + + ipv6net + IPv6 network and prefix length + + + + + + + + + + Topology for clients + + net30 point-to-point subnet + + + net30 + net30 topology + + + point-to-point + Point-to-point topology + + + subnet + Subnet topology + + + (subnet|point-to-point|net30) + + + net30 + + + + multi-factor authentication + + + + + Time-based one-time passwords + + + + + Maximum allowed clock slop in seconds + + 1-65535 + Seconds + + + + + + 180 + + + + Time drift in seconds + + 1-65535 + Seconds + + + + + + 0 + + + + Step value for totp in seconds + + 1-65535 + Seconds + + + + + + 30 + + + + Number of digits to use for totp hash + + 1-65535 + Seconds + + + + + + 6 + + + + Expect password as result of a challenge response protocol + + disable enable + + + disable + Disable challenge-response + + + enable + Enable chalenge-response + + + (disable|enable) + + + enable + + + + + + + + + + Secret key shared with remote end of tunnel + + pki openvpn shared-secret + + + + + + Transport Layer Security (TLS) options + + + + + TLS shared secret key for tls-auth + + pki openvpn shared-secret + + + + #include + #include + + + Diffie Hellman parameters (server only) + + pki dh + + + + + + Static key to use to authenticate control channel + + pki openvpn shared-secret + + + + + + + Peer certificate SHA256 fingerprint + + [0-9a-fA-F]{2}:([0-9a-fA-F]{2}:){30}[0-9a-fA-F]{2} + + Peer certificate fingerprint must be a colon-separated SHA256 hex digest + + + + + Specify the minimum required TLS version + + 1.0 1.1 1.2 1.3 + + + 1.0 + TLS v1.0 + + + 1.1 + TLS v1.1 + + + 1.2 + TLS v1.2 + + + 1.3 + TLS v1.3 + + + (1.0|1.1|1.2|1.3) + + + + + + TLS negotiation role + + active passive + + + active + Initiate TLS negotiation actively + + + passive + Wait for incoming TLS connection + + + (active|passive) + + + + + + + + Use fast LZO compression on this TUN/TAP interface + + + + #include + #include + + + + + -- cgit v1.2.3