### Autogenerated by interfaces-openvpn.py ### # # See https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage # for individual keyword definition # # {{ description if description is defined and description is not none }} # verb 3 user {{ daemon_user }} group {{ daemon_group }} dev-type {{ device_type }} dev {{ ifname }} persist-key iproute /usr/libexec/vyos/system/unpriv-ip {% if protocol == 'tcp-active' %} proto tcp-client {% elif protocol == 'tcp-passive' %} proto tcp-server {% else %} proto udp {% endif %} {% if local_host is defined and local_host is not none %} local {{ local_host }} {% endif %} {% if mode is defined and mode == 'server' and protocol == 'udp' and local_host is not defined %} multihome {% endif %} {% if local_port is defined and local_port is not none %} lport {{ local_port }} {% endif %} {% if remote_port is defined and remote_port is not none %} rport {{ remote_port }} {% endif %} {% if remote_host is defined and remote_host is not none %} {% for remote in remote_host %} remote {{ remote }} {% endfor %} {% endif %} {% if shared_secret_key_file is defined and shared_secret_key_file is not none %} secret {{ shared_secret_key_file }} {% endif %} {% if persistent_tunnel is defined %} persist-tun {% endif %} {% if replace_default_route is defined and replace_default_route.local is defined %} push "redirect-gateway local def1" {% elif replace_default_route is defined %} push "redirect-gateway def1" {% endif %} {% if use_lzo_compression is defined %} compress lzo {% endif %} {% if mode == 'client' %} # # OpenVPN Client mode # client nobind {% elif mode == 'server' %} # # OpenVPN Server mode # mode server tls-server {% if server is defined and server is not none %} {% if server.subnet is defined and server.subnet is not none %} {% if server.topology is defined and server.topology == 'point-to-point' %} topology p2p {% elif server.topology is defined and server.topology is not none %} topology {{ server.topology }} {% endif %} {% for subnet in server.subnet %} {% if subnet | is_ipv4 %} server {{ subnet | address_from_cidr }} {{ subnet | netmask_from_cidr }} nopool {# OpenVPN assigns the first IP address to its local interface so the pool used #} {# in net30 topology - where each client receives a /30 must start from the second subnet #} {% if server.topology is defined and server.topology == 'net30' %} ifconfig-pool {{ subnet | inc_ip('4') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tap' else '' }} {% else %} {# OpenVPN assigns the first IP address to its local interface so the pool must #} {# start from the second address and end on the last address #} ifconfig-pool {{ subnet | first_host_address | inc_ip('1') }} {{ subnet | last_host_address | dec_ip('1') }} {{ subnet | netmask_from_cidr if device_type == 'tun' else '' }} {% endif %} {% elif subnet | is_ipv6 %} server-ipv6 {{ subnet }} {% endif %} {% endfor %} {% endif %} {% if server.client_ip_pool is defined and server.client_ip_pool is not none and server.client_ip_pool.disable is not defined %} ifconfig-pool {{ server.client_ip_pool.start }} {{ server.client_ip_pool.stop }}{{ server.client_ip_pool.subnet_mask if server.client_ip_pool.subnet_mask is defined and server.client_ip_pool.subnet_mask is not none }} {% endif %} {% if server.max_connections is defined and server.max_connections is not none %} max-clients {{ server.max_connections }} {% endif %} {% if server.client is defined and server.client is not none %} client-config-dir /run/openvpn/ccd/{{ ifname }} {% endif %} {% endif %} keepalive {{ keep_alive.interval }} {{ keep_alive.interval|int * keep_alive.failure_count|int }} management /run/openvpn/openvpn-mgmt-intf unix {% if server is defined and server is not none %} {% if server.reject_unconfigured_clients is defined %} ccd-exclusive {% endif %} {% if server.push_route is defined and server.push_route is not none %} {% for route in server.push_route %} {% if route | is_ipv4 %} push "route {{ route | address_from_cidr }} {{ route | netmask_from_cidr }}" {% elif route | is_ipv6 %} push "route-ipv6 {{ route }}" {% endif %} {% endfor %} {% endif %} {% if server.name_server is defined and server.name_server is not none %} {% for nameserver in server.name_server %} {% if nameserver | is_ipv4 %} push "dhcp-option DNS {{ nameserver }}" {% elif nameserver | is_ipv6 %} push "dhcp-option DNS6 {{ nameserver }}" {% endif %} {% endfor %} {% endif %} {% if server.domain_name is defined and server.domain_name is not none %} push "dhcp-option DOMAIN {{ server.domain_name }}" {% endif %} {% endif %} {% else %} # # OpenVPN site-2-site mode # ping {{ keep_alive.interval }} ping-restart {{ keep_alive.failure_count }} {% if device_type == 'tap' %} {% for laddr, laddr_conf in local_address.items() if laddr | is_ipv4 %} {% if laddr_conf is defined and laddr_conf.subnet_mask is defined and laddr_conf.subnet_mask is not none %} ifconfig {{ laddr }} {{ laddr_conf.subnet_mask }} {% endif %} {% endfor %} {% else %} {% for laddr in local_address if laddr | is_ipv4 %} {% for raddr in remote_address if raddr | is_ipv4 %} ifconfig {{ laddr }} {{ raddr }} {% endfor %} {% endfor %} {% for laddr in local_address if laddr | is_ipv6 %} {% for raddr in remote_address if raddr | is_ipv6 %} ifconfig-ipv6 {{ laddr }} {{ raddr }} {% endfor %} {% endfor %} {% endif %} {% endif %} {% if tls is defined and tls is not none %} # TLS options {% if tls.ca_cert_file is defined and tls.ca_cert_file is not none %} ca {{ tls.ca_cert_file }} {% endif %} {% if tls.cert_file is defined and tls.cert_file is not none %} cert {{ tls.cert_file }} {% endif %} {% if tls.key_file is defined and tls.key_file is not none %} key {{ tls.key_file }} {% endif %} {% if tls.crypt_file is defined and tls.crypt_file is not none %} tls-crypt {{ tls.crypt_file }} {% endif %} {% if tls.crl_file is defined and tls.crl_file is not none %} crl-verify {{ tls.crl_file }} {% endif %} {% if tls.tls_version_min is defined and tls.tls_version_min is not none %} tls-version-min {{ tls.tls_version_min }} {% endif %} {% if tls.dh_file is defined and tls.dh_file is not none %} dh {{ tls.dh_file }} {% endif %} {% if tls.auth_file is defined and tls.auth_file is not none %} {% if mode == 'client' %} tls-auth {{ tls.auth_file }} 1 {% elif mode == 'server' %} tls-auth {{ tls.auth_file }} 0 {% endif %} {% endif %} {% if tls.role is defined and tls.role is not none %} {% if tls.role == 'active' %} tls-client {% elif tls.role == 'passive' %} tls-server {% endif %} {% endif %} {% endif %} # Encryption options {% if encryption is defined and encryption is not none %} {% if encryption.cipher is defined and encryption.cipher is not none %} {% if encryption.cipher == 'none' %} cipher none {% elif encryption.cipher == 'des' %} cipher des-cbc {% elif encryption.cipher == '3des' %} cipher des-ede3-cbc {% elif encryption.cipher == 'bf128' %} cipher bf-cbc keysize 128 {% elif encryption.cipher == 'bf256' %} cipher bf-cbc keysize 25 {% elif encryption.cipher == 'aes128gcm' %} cipher aes-128-gcm {% elif encryption.cipher == 'aes128' %} cipher aes-128-cbc {% elif encryption.cipher == 'aes192gcm' %} cipher aes-192-gcm {% elif encryption.cipher == 'aes192' %} cipher aes-192-cbc {% elif encryption.cipher == 'aes256gcm' %} cipher aes-256-gcm {% elif encryption.cipher == 'aes256' %} cipher aes-256-cbc {% endif %} {% endif %} {% if encryption.ncp_ciphers is defined and encryption.ncp_ciphers is not none %} {% set cipher_list = [] %} {% for cipher in encryption.ncp_ciphers %} {% if cipher == 'none' %} {% set cipher_list = cipher_list.append('none') %} {% elif cipher == 'des' %} {% set cipher_list = cipher_list.append('des-cbc') %} {% elif cipher == '3des' %} {% set cipher_list = cipher_list.append('des-ede3-cbc') %} {% elif cipher == 'aes128' %} {% set cipher_list = cipher_list.append('aes-128-cbc') %} {% elif cipher == 'aes128gcm' %} {% set cipher_list = cipher_list.append('aes-128-gcm') %} {% elif cipher == 'aes192' %} {% set cipher_list = cipher_list.append('aes-192-cbc') %} {% elif cipher == 'aes192gcm' %} {% set cipher_list = cipher_list.append('aes-192-gcm') %} {% elif cipher == 'aes256' %} {% set cipher_list = cipher_list.append('aes-256-cbc') %} {% elif cipher == 'aes256gcm' %} {% set cipher_list = cipher_list.append('aes-256-gcm') %} {% endif %} {% endfor %} ncp-ciphers {{ cipher_list | join(':') }}:{{ cipher_list | join(':') | upper }} {% endif %} {% endif %} {% if hash is defined and hash is not none %} auth {{ hash }} {% endif %} {% if authentication is defined and authentication is not none %} auth-user-pass {{ auth_user_pass_file }} auth-retry nointeract {% endif %} # DEPRECATED This option will be removed in OpenVPN 2.5 # Until OpenVPN v2.3 the format of the X.509 Subject fields was formatted like this: # /C=US/L=Somewhere/CN=John Doe/emailAddress=john@example.com In addition the old # behaviour was to remap any character other than alphanumeric, underscore ('_'), # dash ('-'), dot ('.'), and slash ('/') to underscore ('_'). The X.509 Subject # string as returned by the tls_id environmental variable, could additionally # contain colon (':') or equal ('='). When using the --compat-names option, this # old formatting and remapping will be re-enabled again. This is purely implemented # for compatibility reasons when using older plug-ins or scripts which does not # handle the new formatting or UTF-8 characters. # # See https://phabricator.vyos.net/T1512 compat-names {% if openvpn_option is defined and openvpn_option is not none %} # # Custom options added by user (not validated) # {% for option in openvpn_option %} {% for argument in option.split('--') %} {% if argument is defined and argument != '' %} --{{ argument }} {% endif %} {% endfor %} {% endfor %} {% endif %}