### Autogenerated by interfaces-openvpn.py ###
#
# See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
# for the definition of each individual keyword

{% if description -%}
# {{ description }}

{% endif -%}

verb 3

user {{ uid }}
group {{ gid }}

dev-type {{ type }}
dev {{ intf }}
persist-key
iproute /usr/libexec/vyos/system/unpriv-ip

proto {{ protocol_real }}

{%- if local_host %}
local {{ local_host }}
{%- endif %}

{%- if mode == 'server' and protocol == 'udp' and not local_host %}
multihome
{%- endif %}

{%- if local_port %}
lport {{ local_port }}
{%- endif %}

{% if remote_port -%}
rport {{ remote_port }}
{% endif %}

{%- if remote_host %}
{%- for remote in remote_host -%}
remote {{ remote }}
{% endfor -%}
{% endif -%}

{% if shared_secret_file %}
secret {{ shared_secret_file }}
{%- endif %}

{%- if persistent_tunnel %}
persist-tun
{%- endif %}

{%- if redirect_gateway %}
push "redirect-gateway {{ redirect_gateway }}"
{%- endif %}

{%- if compress_lzo %}
compress lzo
{%- endif %}

{% if 'client' in mode -%}
#
# OpenVPN Client mode
#
client
nobind

{% elif 'server' in mode -%}
#
# OpenVPN Server mode
#

{%- if server_topology %}
topology {% if server_topology == 'point-to-point' %}p2p{% else %}{{ server_topology }}{% endif %}
{%- endif %}

{%- if is_bridge_member %}
mode server
tls-server
{%- else %}
server {{ server_subnet[0] }} nopool
{%- endif %}

{%- if server_pool %}
ifconfig-pool {{ server_pool_start }} {{ server_pool_stop }}{% if server_pool_netmask %} {{ server_pool_netmask }}{% endif %}
{%- endif %}

{%- if server_max_conn %}
max-clients {{ server_max_conn }}
{%- endif %}

{%- if client %}
client-config-dir /run/openvpn/ccd/{{ intf }}
{%- endif %}

{%- if server_reject_unconfigured %}
ccd-exclusive
{%- endif %}

keepalive {{ ping_interval }} {{ ping_restart }}
management /run/openvpn/openvpn-mgmt-intf unix

{% for route in server_push_route -%}
push "route {{ route }}"
{% endfor -%}

{% for ns in server_dns_nameserver -%}
push "dhcp-option DNS {{ ns }}"
{% endfor -%}

{%- if server_domain -%}
push "dhcp-option DOMAIN {{ server_domain }}"
{% endif -%}

{%- if server_ipv6_local %}
# IPv6
push "tun-ipv6"
ifconfig-ipv6 {{ server_ipv6_local }}/{{ server_ipv6_prefixlen }} {{ server_ipv6_remote }}

{%- if server_ipv6_pool %}
ifconfig-ipv6-pool {{ server_ipv6_pool_base }}/{{ server_ipv6_pool_prefixlen }}
{%- endif %}

{%- for route6 in server_ipv6_push_route %}
push "route-ipv6 {{ route6 }}"
{%- endfor %}

{%- for ns6 in server_ipv6_dns_nameserver %}
push "dhcp-option DNS6 {{ ns6 }}"
{%- endfor %}

{%- endif %}

{% else -%}
#
# OpenVPN site-2-site mode
#
ping {{ ping_interval }}
ping-restart {{ ping_restart }}

{% if local_address_subnet -%}
ifconfig {{ local_address[0] }} {{ local_address_subnet }}
{%- elif remote_address -%}
ifconfig {{ local_address[0] }} {{ remote_address[0] }}
{%- endif %}

{% if ipv6_local_address -%}
ifconfig-ipv6 {{ ipv6_local_address[0] }} {{ ipv6_remote_address[0] }}
{%- endif %}

{% endif -%}

{% if tls -%}
# TLS options
{%- if tls_ca_cert %}
ca {{ tls_ca_cert }}
{%- endif %}

{%- if tls_cert %}
cert {{ tls_cert }}
{%- endif %}

{%- if tls_key %}
key {{ tls_key }}
{%- endif %}

{%- if tls_crypt %}
tls-crypt {{ tls_crypt }}
{%- endif %}

{%- if tls_crl %}
crl-verify {{ tls_crl }}
{%- endif %}

{%- if tls_version_min %}
tls-version-min {{tls_version_min}}
{%- endif %}

{%- if tls_dh %}
dh {{ tls_dh }}
{%- endif %}

{%- if tls_auth %}
tls-auth {{tls_auth}}
{%- endif %}

{%- if tls_role %}
{%- if 'active' in tls_role %}
tls-client
{%- elif 'passive' in tls_role %}
tls-server
{%- endif %}
{%- endif %}

{%- endif %}

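# Encryption options
{#- Data-channel cipher selection. `keysize` is given in bits (OpenVPN
    --keysize), so bf128/bf256 pin the Blowfish key length explicitly.
    DES, 3DES and Blowfish are 64-bit block ciphers and remain here only
    so existing configurations keep rendering; the AES entries are the
    ones to prefer. #}
{%- if encryption %}
{% if encryption == 'des' -%}
cipher des-cbc
{%- elif encryption == '3des' -%}
cipher des-ede3-cbc
{%- elif encryption == 'bf128' -%}
cipher bf-cbc
keysize 128
{%- elif encryption == 'bf256' -%}
cipher bf-cbc
keysize 256
{%- elif encryption == 'aes128gcm' -%}
cipher aes-128-gcm
{%- elif encryption == 'aes128' -%}
cipher aes-128-cbc
{%- elif encryption == 'aes192gcm' -%}
cipher aes-192-gcm
{%- elif encryption == 'aes192' -%}
cipher aes-192-cbc
{%- elif encryption == 'aes256gcm' -%}
cipher aes-256-gcm
{%- elif encryption == 'aes256' -%}
cipher aes-256-cbc
{%- endif -%}
{%- endif %}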

{%- if ncp_ciphers %}
ncp-ciphers {{ncp_ciphers}}
{%- endif %}
{%- if disable_ncp %}
ncp-disable
{%- endif %}

{% if hash -%}
auth {{ hash }}
{%- endif -%}

{%- if auth %}
auth-user-pass {{ auth_user_pass_file }}
auth-retry nointeract
{%- endif %}

# DEPRECATED This option will be removed in OpenVPN 2.5
# Up to OpenVPN v2.3 the X.509 Subject fields were formatted like this:
# /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com. In addition, the old
# behaviour was to remap any character other than alphanumeric, underscore ('_'),
# dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject
# string as returned by the tls_id environmental variable could additionally
# contain colon (':') or equal ('='). When the --compat-names option is used, this
# old formatting and remapping is re-enabled. It is implemented purely
# for compatibility with older plug-ins or scripts which do not
# handle the new formatting or UTF-8 characters.
#
# See https://phabricator.vyos.net/T1512
compat-names

{% if options -%}
#
# Custom options added by the user (passed through verbatim, not validated)
#

{% for option in options -%}
{{ option }}
{% endfor -%}
{%- endif %}