### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for individual keyword definition
#
# {{ description if description is vyos_defined }}
#

verb 3
dev-type {{ device_type }}
dev {{ ifname }}
persist-key
{% if protocol is vyos_defined('tcp-active') %}
proto tcp-client
{% elif protocol is vyos_defined('tcp-passive') %}
proto tcp-server
{% else %}
proto udp
{% endif %}
{% if local_host is vyos_defined %}
local {{ local_host }}
{% endif %}
{% if mode is vyos_defined('server') and protocol is vyos_defined('udp') and local_host is not vyos_defined %}
multihome
{% endif %}
{% if local_port is vyos_defined %}
lport {{ local_port }}
{% endif %}
{% if remote_port is vyos_defined %}
rport {{ remote_port }}
{% endif %}
{% if remote_host is vyos_defined %}
{%     for remote in remote_host %}
remote {{ remote }}
{%     endfor %}
{% endif %}
{% if shared_secret_key is vyos_defined %}
secret /run/openvpn/{{ ifname }}_shared.key
{% endif %}
{% if persistent_tunnel is vyos_defined %}
persist-tun
{% endif %}
{% if replace_default_route.local is vyos_defined %}
push "redirect-gateway local def1"
{% elif replace_default_route is vyos_defined %}
push "redirect-gateway def1"
{% endif %}
{% if use_lzo_compression is vyos_defined %}
compress lzo
{% endif %}

{% if mode is vyos_defined('client') %}
#
# OpenVPN Client mode
#
client
nobind

{% elif mode is vyos_defined('server') %}
#
# OpenVPN Server mode
#
mode server
tls-server
{%     if server is vyos_defined %}
{%         if server.subnet is vyos_defined %}
{%             if server.topology is vyos_defined('point-to-point') %}
topology p2p
{%             elif server.topology is vyos_defined %}
topology {{ server.topology }}
{%             endif %}
{%             for subnet in server.subnet %}
{%                 if subnet | is_ipv4 %}
server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool
{# First ip address is used as gateway. It's allows to use metrics #}
{%                     if server.push_route is vyos_defined %}
{%                         for route, route_config in server.push_route.items() %}
{%                             if route | is_ipv4 %}
push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }} {{ subnet | first_host_address ~ ' ' ~ route_config.metric if route_config.metric is vyos_defined }}"
{%                             elif route | is_ipv6 %}
push "route-ipv6 {{ route }}"
{%                             endif %}
{%                         endfor %}
{%                     endif %}
{# OpenVPN assigns the first IP address to its local interface so the pool used #}
{# in net30 topology - where each client receives a /30 must start from the second subnet #}
{%                     if server.topology is vyos_defined('net30') %}
ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }}
{%                     else %}
{# OpenVPN assigns the first IP address to its local interface so the pool must #}
{# start from the second address and end on the last address #}
ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }}
{%                     endif %}
{%                 elif subnet | is_ipv6 %}
server-ipv6 {{ subnet }}
{%                 endif %}
{%             endfor %}
{%         endif %}

{%         if server.client_ip_pool is vyos_defined and server.client_ip_pool.disable is not vyos_defined %}
ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is vyos_defined }}
{%         endif %}
{%         if server.max_connections is vyos_defined %}
max-clients {{ server.max_connections }}
{%         endif %}
{%         if server.client is vyos_defined %}
client-config-dir /run/openvpn/ccd/{{ ifname }}
{%         endif %}
{%     endif %}
keepalive {{ keep_alive.interval }} {{ keep_alive.interval | int * keep_alive.failure_count | int }}
management /run/openvpn/openvpn-mgmt-intf unix
{%     if server is vyos_defined %}
{%         if server.reject_unconfigured_clients is vyos_defined %}
ccd-exclusive
{%         endif %}

{%         if server.name_server is vyos_defined %}
{%             for nameserver in server.name_server %}
{%                 if nameserver | is_ipv4 %}
push "dhcp-option DNS {{ nameserver }}"
{%                 elif nameserver | is_ipv6 %}
push "dhcp-option DNS6 {{ nameserver }}"
{%                 endif %}
{%             endfor %}
{%         endif %}
{%         if server.domain_name is vyos_defined %}
push "dhcp-option DOMAIN {{ server.domain_name }}"
{%         endif %}
{%         if server.mfa.totp is vyos_defined %}
{%             set totp_config = server.mfa.totp %}
plugin "{{ plugin_dir }}/openvpn-otp.so" "otp_secrets=/config/auth/openvpn/{{ ifname }}-otp-secrets otp_slop={{ totp_config.slop }} totp_t0={{ totp_config.drift }} totp_step={{ totp_config.step }} totp_digits={{ totp_config.digits }} password_is_cr={{ '1' if totp_config.challenge == 'enable' else '0' }}"
{%         endif %}
{%     endif %}
{% else %}
#
# OpenVPN site-2-site mode
#
ping {{ keep_alive.interval }}
ping-restart {{ keep_alive.failure_count }}

{%     if device_type == 'tap' %}
{%         if local_address is vyos_defined %}
{%             for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %}
{%                 if laddr_conf.subnet_mask is vyos_defined %}
ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }}
{%                 endif %}
{%             endfor %}
{%         endif %}
{%     else %}
{%         for laddr in local_address if laddr | is_ipv4 %}
{%             for raddr in remote_address if raddr | is_ipv4 %}
ifconfig {{ laddr }} {{ raddr }}
{%             endfor %}
{%         endfor %}
{%         for laddr in local_address if laddr | is_ipv6 %}
{%             for raddr in remote_address if raddr | is_ipv6 %}
ifconfig-ipv6 {{ laddr }} {{ raddr }}
{%             endfor %}
{%         endfor %}
{%     endif %}
{% endif %}

{% if tls is vyos_defined %}
# TLS options
{%     if tls.ca_certificate is vyos_defined %}
ca /run/openvpn/{{ ifname }}_ca.pem
{%     endif %}
{%     if tls.certificate is vyos_defined %}
cert /run/openvpn/{{ ifname }}_cert.pem
{%     endif %}
{%     if tls.private_key is vyos_defined %}
key /run/openvpn/{{ ifname }}_cert.key
{%     endif %}
{%     if tls.crypt_key is vyos_defined %}
tls-crypt /run/openvpn/{{ ifname }}_crypt.key
{%     endif %}
{%     if tls.crl is vyos_defined %}
crl-verify /run/openvpn/{{ ifname }}_crl.pem
{%     endif %}
{%     if tls.tls_version_min is vyos_defined %}
tls-version-min {{ tls.tls_version_min }}
{%     endif %}
{%     if tls.dh_params is vyos_defined %}
dh /run/openvpn/{{ ifname }}_dh.pem
{%     elif mode is vyos_defined('server') and tls.private_key is vyos_defined %}
dh none
{%     endif %}
{%     if tls.auth_key is vyos_defined %}
{%         if mode == 'client' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 1
{%         elif mode == 'server' %}
tls-auth /run/openvpn/{{ ifname }}_auth.key 0
{%         endif %}
{%     endif %}
{%     if tls.role is vyos_defined('active') %}
tls-client
{%     elif tls.role is vyos_defined('passive') %}
tls-server
{%     endif %}
{% endif %}

# Encryption options
{% if encryption is vyos_defined %}
{%     if encryption.cipher is vyos_defined %}
cipher {{ encryption.cipher | openvpn_cipher }}
{%         if encryption.cipher is vyos_defined('bf128') %}
keysize 128
{%         elif encryption.cipher is vyos_defined('bf256') %}
keysize 256
{%         endif %}
{%     endif %}
{%     if encryption.ncp_ciphers is vyos_defined %}
data-ciphers {{ encryption.ncp_ciphers | openvpn_ncp_ciphers }}
{%     endif %}
{% endif %}
# https://vyos.dev/T5027
# Required to support BF-CBC (default ciphername when none given)
providers legacy default

{% if hash is vyos_defined %}
auth {{ hash }}
{% endif %}

{% if authentication is vyos_defined %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{% endif %}